List: freeradius-users
Subject: Re: TTLS-PAP and LDAP for google - User-Password? Cleartext-Password?
From: Alan DeKok <aland () deployingradius ! com>
Date: 2023-11-23 12:12:44
Message-ID: 8B3EE25D-F1D4-4C9F-9CAE-590CE375C2F2 () deployingradius ! com
On Nov 23, 2023, at 6:49 AM, Pietro N. via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
>
> Hello to you,
> my freeradius 3.2.1 is already auth/authorizing through Active Directory and I'm trying to add a second auth/autz source (google) to the configuration.
> I'm using the google-related freeradius templates.
> I'm following the google documentation: https://support.google.com/a/answer/9089736?hl=en&ref_topic=9173976&sjid#zippy=%2Cfreeradius
>
That documentation is garbage. Ignore it. I've submitted requests for them to fix it. But they're Google, and they know better than the FreeRADIUS developers.
> but I'm finding something that doesn't match the rlm_pap official documentation. Actually, I'm not able to authenticate.
That's a good hint that the documentation is wrong.
> In particular, the google documentation reports:
> /etc/freeradius/3.0/sites-available/default -> authorize
> ...
> if (User-Password) {
>     update control {
>         Auth-Type := ldap
>     }
> }
That sets Auth-Type for the *outer* session, i.e. TTLS. You need to set it for the *inner* session, i.e. in the inner-tunnel virtual server.
> BUT in an older post I read that you have to set Cleartext-Password (see: https://freeradius-users.freeradius.narkive.com/jbibA0Uf/pap-warning-authentication-will-fail-unless-a-known-good-password-is-available#post1).
>
There is no magic "set this and it works". The better approach is to understand how the pieces interact.
Cleartext-Password is the *correct* password for the user. If the server is given Cleartext-Password by some configuration (LDAP, SQL, or "update" section), then the PAP module can compare User-Password to Cleartext-Password, and authenticate the user. Or the MS-CHAP module can take Cleartext-Password, do the MS-CHAP calculations, and compare that to the MS-CHAP data sent by the user.
> Moreover, in the rlm_pap docs, I don't see User-Password as an Attribute.
The PAP module checks the User-Password against Cleartext-Password, or Crypt-Password, or
> Should I avoid the google how-to? I chose it because it seemed a clear step-by-step procedure to follow, but if it contains mistakes I'll abandon it.
It's wrong. It might work sometimes, but it completely miu
> Does anyone know another tutorial for such a configuration?
> I'd also need to understand what I should add in the "inner" config.
It depends on what you want to do...
TTLS+PAP to Google LDAP? Configure the LDAP module to point to google. Make the inner-tunnel use LDAP for authentication.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
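As an added illustration of the "set it in the inner-tunnel, not the outer server" point above (this is example configuration, not Alan's text or the FreeRADIUS project's shipped files): the Auth-Type override and the Auth-Type LDAP authenticate block live in the inner-tunnel virtual server, so the PAP credentials carried inside TTLS are checked by an LDAP bind as the user rather than by comparing against a Cleartext-Password the directory never returns. The Google LDAP hostname, base_dn, certificate paths and the use of the rlm_ldap `tls` client-certificate settings are assumptions for this example.

```unlang
# mods-available/ldap  (example: LDAP module pointed at Google Secure LDAP)
ldap {
    # Assumed: Google Secure LDAP endpoint; client auth is by certificate,
    # so no identity/password bind credentials are configured here.
    server = 'ldaps://ldap.google.com:636'
    base_dn = 'dc=example,dc=com'          # placeholder, set to your domain

    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    tls {
        start_tls = no                     # already ldaps://, no STARTTLS
        certificate_file = /etc/freeradius/certs/google-ldap-client.crt  # assumed path
        private_key_file = /etc/freeradius/certs/google-ldap-client.key  # assumed path
    }
}

# sites-available/inner-tunnel  (example: the PAP inside TTLS is handled here)
server inner-tunnel {
    authorize {
        # Look the user up; Google does not hand back Cleartext-Password, so
        # the pap module has nothing to compare against and must not be used.
        -ldap

        # Only the inner request carries the plaintext User-Password, so the
        # Auth-Type switch belongs in this virtual server, not in "default".
        if ((ok || updated) && User-Password && !control:Auth-Type) {
            update control {
                Auth-Type := ldap
            }
        }
    }

    authenticate {
        # Auth-Type LDAP makes rlm_ldap bind as the user with User-Password;
        # the directory, not FreeRADIUS, verifies the password.
        Auth-Type LDAP {
            ldap
        }
    }
}
```

Run `radiusd -X` while testing: the debug output shows which virtual server (default or inner-tunnel) set Auth-Type, and whether the bind succeeded.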