Google LDAP Authentication for WIFI Setup issues
Joseph Allen
joseph.l.allen at gmail.com
Fri Nov 8 17:48:09 UTC 2024
Hey,
You're right I'm making changes I don't understand, but I'm learning as I'm
going. This is my first try at using FreeRadius.
When I said I added the default server back in, I meant I added the base
configuration of the default back in, without any changes to it.
Since last night, I did the same with the google_ldap virtual server and
mods.
I then went in and updated EAP TTLS to point to the google_ldap, and set
TTLS as the default in the eap file.
I still ran into issues with trying to connect my iPad, and that is where I
realized it is the stupid iOS that's the problem. You said to make sure the
client is TTLS, but iOS doesn't have a basic way to set the authentication
to TTLS, it defaults to TLS. I switched to my android phone, and selected
TTLS and boom, it worked right away.
I'm now investigating ways to get Apple to play nice, but I doubt I'll find
anything there.
At least FreeRadius is working now, so thanks for all your help.
On Fri, Nov 8, 2024 at 2:14 AM Alan DeKok <aland at deployingradius.com> wrote:
> On Nov 8, 2024, at 2:16 AM, Joseph Allen <joseph.l.allen at gmail.com> wrote:
> > Thanks, I feel like that got me moving in the right direction. My mistake
> > before I removed the default was not recognizing/understanding the
> > google-ldap-auth was a virtual server / tunnel.
>
> That file is in the directory for virtual servers, and starts with a
> "server" block. So,..
>
> Your previous message made it clear that your approach was to change all
> kinds of things, without really being clear on how things worked, or what
> was going on. This approach is guaranteed to *increase* confusion, and to
> cause problems.
>
> > I put the default back in, and removed the "inner-tunnel" from the
> > sites-enabled.
>
> Why?
>
> The concern here is that you're just making random changes without
> understanding why you're making those changes, or what impact those changes
> have.
>
> > Then updated mods-enabled/eap virtual_server to point to
> > google-ldap-auth.
> > I also renamed the virtual server to "google-ldap-auth" to match the file
> > name...that one bugged me and made me spend 15 minutes chasing down why it
> > couldn't find the virtual server.
>
> Or just read the start of the file, where it says "server google-ldap",
> but OK...
>
> > I also updated the default->authorize->ldap section to this:
> >
> >     ldap_google
> >
> >     #
> >     # If you're using Active Directory and PAP, then uncomment
> >     # the following lines, and the "Auth-Type LDAP" section below.
> >     #
> >     # This will let you do PAP authentication to AD.
> >     #
> >     if ((ok || updated) && User-Password && !control:Auth-Type) {
> >         update control {
> >             &Auth-Type := ldap
> >         }
> >     }
>
> Yeah, that won't work.
>
> Why? You made a bunch of changes without understanding how EAP works.
> You've also *not* done what Matthew suggested.
>
> When you make changes, instead of making massive changes all at once,
> make ONE change at a time. A SMALL change. Test it, and then move on to
> the next change.
>
> This is the process which is recommended in the documentation. See "man
> users".
>
> When you change 15 things at the same time, and it breaks... you have no
> idea what's broken. This is a guaranteed way to waste large amounts of
> time.
>
> > It's now doing a lot more, but still basically failing in the same spot on
> > the IF statement looking for a password. Here's the full log:
>
> Because the inner-tunnel for PEAP also uses EAP. And you've "helpfully"
> butchered the inner-tunnel configuration, so that it doesn't use the "eap"
> module. Which means that PEAP won't work.
>
> This is, in fact, exactly the same problem you had before. Matthew
> explained this. Go back and read his message.
>
>
> But even fixing that issue won't help.
>
> Why? Go read the top of the google-ldap-auth file. It explains very
> clearly that it's for EAP-TTLS with PAP. If you're doing PEAP, then there
> *is no password* in the inner tunnel. Because PEAP doesn't send one to
> FreeRADIUS.
>
> Which means that using PEAP with Google LDAP is impossible, I could
> explain, but there isn't much point. It's impossible, and nothing you do
> will make PEAP work with Google LDAP.
>
> Configure the client to use EAP-TTLS with PAP. Then try configuring the
> server to use google LDAP.
>
> Alan DeKok.
>
>
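For reference, the shape of the mods-available/eap change discussed in this thread (EAP-TTLS as the default method, with the TTLS inner tunnel handed to the Google LDAP virtual server while PEAP keeps the stock inner-tunnel) is sketched below. This is an added example, not a file from the thread or from the FreeRADIUS distribution; the server name "google-ldap" is taken from Alan's reply, and the tls-common block is assumed to be the one already defined in the stock file.

```conf
#  mods-available/eap (added example; excerpt of the eap module, not the full file)
eap {
	#  Clients that offer TTLS with PAP inside the tunnel deliver a
	#  cleartext User-Password, which is what an LDAP bind needs.
	default_eap_type = ttls

	ttls {
		#  tls-common is assumed to be the tls-config block already in the file.
		tls = tls-common
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		#  Inner requests go to "server google-ldap" (sites-enabled/google-ldap-auth),
		#  which only handles PAP, as the comment at the top of that file says.
		virtual_server = "google-ldap"
	}

	#  Leave PEAP pointing at the stock inner-tunnel. PEAP runs EAP-MSCHAPv2
	#  inside the tunnel and never sends a password, so routing it to the
	#  Google LDAP server cannot work; removing inner-tunnel breaks PEAP.
	peap {
		tls = tls-common
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
}
```

To test this without a phone, eapol_test from wpa_supplicant can drive an EAP-TTLS/PAP exchange using a network block with eap=TTLS and phase2="auth=PAP".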