
List:       freeradius-users
Subject:    Re: TTLS-PAP and LDAP for google - User-Password? Cleartext-Password?
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2023-11-23 12:12:44
Message-ID: 8B3EE25D-F1D4-4C9F-9CAE-590CE375C2F2 () deployingradius ! com

On Nov 23, 2023, at 6:49 AM, Pietro N. via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
> 
> Hello to you,
> my freeradius 3.2.1 is already auth/authorizing through Active Directory and I'm trying to add a second auth/autz source (google) to the configuration. 
> I'm using the google-related freeradius templates.
> I'm following the google documentation: https://support.google.com/a/answer/9089736?hl=en&ref_topic=9173976&sjid#zippy=%2Cfreeradius
> 

  That documentation is garbage.  Ignore it.  I've submitted requests for them to fix it.  But they're Google, and they know better than the FreeRADIUS developers.

> but I'm finding something that doesn't match with the rlm_pap official documentation. Actually, I'm not able to authenticate.

  That's a good hint that the documentation is wrong.

> In particular, the google documentation reports:
> /etc/freeradius/3.0/sites-available/default -> authorize
> ...
> if (User-Password) {
>     update control {
>         Auth-Type := ldap
>     }
> }

  That sets Auth-Type for the *outer* session.  i.e. TTLS.  You need to set it for the *inner* session.  i.e. in the inner-tunnel virtual server.

> BUT in an older post I read that you have to set Cleartext-Password (see: https://freeradius-users.freeradius.narkive.com/jbibA0Uf/pap-warning-authentication-will-fail-unless-a-known-good-password-is-available#post1).
> 

  There is no magic "set this and it works".  The better approach is to understand how the pieces interact.

  Cleartext-Password is the *correct* password for the user.  If the server is given Cleartext-Password by some configuration (LDAP, SQL, or "update" section), then the PAP module can compare User-Password to Cleartext-Password, and authenticate the user.  Or the MS-CHAP module can take Cleartext-Password, do the MS-CHAP calculations, and compare that to the MS-CHAP data sent by the user.

> Moreover, in the rlm_pap docs, I don't see User-Password as an Attribute.

  The PAP module checks the User-Password against Cleartext-Password, or Crypt-Password, or 

> Should I avoid the google how-to? I chose it because it seemed a clear step-by-step procedure to follow, but if it contains mistakes I'll abandon it.

  It's wrong.  It might work sometimes, but it completely miu

> Does anyone know another tutorial for such a configuration?
> I'd also need to understand what I should add in the "inner" config.

  It depends on what you want to do...

  TTLS+PAP to Google LDAP?  Configure the LDAP module to point to google.  Make the inner-tunnel use LDAP for authentication.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
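The layout described in the reply above (the ldap module pointed at Google, and the Auth-Type decision made in the inner-tunnel virtual server rather than in the outer "default" server), written out as an added example. This is not code from the original message, from Google's how-to, or from the FreeRADIUS project's shipped configuration files. The hostname, base DN, user filter, certificate paths and the identity/password values are assumed placeholders; substitute the client certificate and access credentials generated for the Secure LDAP client in the Google Admin console.

```unlang
# --- mods-available/ldap ------------------------------------------------
# Added example, not a shipped file.  Every value below is an assumption
# to be replaced with the site's own Google Secure LDAP client settings.
ldap {
	# Google Secure LDAP only speaks LDAPS on 636; there is no StartTLS.
	server = 'ldaps://ldap.google.com:636'

	# "Access credentials" generated for this LDAP client (placeholders).
	identity = 'GOOGLE_LDAP_CLIENT_USERNAME'
	password = 'GOOGLE_LDAP_CLIENT_PASSWORD'

	# Assumed base DN; use the one shown in the Google Admin console.
	base_dn = 'dc=example,dc=com'

	user {
		base_dn = "${..base_dn}"
		# Assumed filter: match the inner User-Name against the uid attribute.
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	tls {
		start_tls = no
		# Client certificate and key downloaded from the Google Admin console
		# (assumed file names; ${certdir} is defined in radiusd.conf).
		certificate_file = ${certdir}/google-ldap-client.crt
		private_key_file = ${certdir}/google-ldap-client.key
		require_cert = 'demand'
	}
}

# --- sites-available/inner-tunnel ---------------------------------------
# This is the virtual server the TTLS tunnel hands the inner PAP request to
# (mods-available/eap: ttls { virtual_server = "inner-tunnel" }).  The
# outer "default" server never sees User-Password for a TTLS session, so
# an Auth-Type := ldap set there does nothing useful; it belongs here.
server inner-tunnel {
	authorize {
		filter_username
		suffix

		# Look the user up.  Google does not return userPassword, so this
		# call cannot populate Cleartext-Password for rlm_pap to compare.
		-ldap

		# If some source (an "update" section, SQL, an LDAP directory that
		# does hand back a password) supplied a known-good password, rlm_pap
		# sets Auth-Type := PAP here and the comparison is done locally.
		pap

		# Otherwise fall back to authenticating by binding to Google as the
		# user with the tunnelled User-Password.  Only fire when the inner
		# request actually carries a User-Password (TTLS/PAP) and nothing
		# earlier has already chosen an Auth-Type.
		if ((ok || updated) && User-Password && !control:Auth-Type) {
			update {
				control:Auth-Type := ldap
			}
		}
	}

	authenticate {
		# Local compare of User-Password against the known-good password.
		Auth-Type PAP {
			pap
		}

		# LDAP bind as the user; this is what "Auth-Type := ldap" selects.
		Auth-Type ldap {
			ldap
		}
	}
}
```

With the server started as radiusd -X, the debug output shows the section being run for the inner request as "Executing section authorize from file .../sites-enabled/inner-tunnel", which is the quickest way to confirm the Auth-Type decision is happening in the tunnel rather than in the outer default server.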


