FreeRADIUS with Google G Suite/Workspace Secure LDAP for WPA2 Enterprise WiFi

This post documents the process of integrating FreeRADIUS with Google G Suite (now Workspace) using Secure LDAP. FreeRADIUS will be used to authenticate Ubiquiti Unifi WPA2 Enterprise WiFi users. The configurations presented here are taken from this wonderful repository. While the repo uses Docker, we will be implementing these settings in FreeRADIUS directly. These settings were tested on Debian 10.

First, follow steps 1-3 given in Google’s support article and also generate access credentials. At the end of these steps, you’ll have a certificate and key along with your access credentials.

Then, install FreeRADIUS and its required packages:

apt update && apt upgrade
apt -y install freeradius freeradius-ldap freeradius-utils

Upload the certificate and key files downloaded from your Google G Suite Admin account into the following directory:


Rename those files to:


Next, use a text editor like nano to edit /etc/freeradius/3.0/clients.conf:

nano /etc/freeradius/3.0/clients.conf

Add the following lines at the end (replace with your LAN subnet and testing123 with a more secure secret):

client unifi {
       ipaddr          =
       secret          = testing123
}

Use Ctrl + X to save and exit.

Edit the default virtual server:

nano /etc/freeradius/3.0/sites-enabled/default

In the authorize section, after pap, add this:

        if (User-Password) {
            update control {
                   Auth-Type := ldap
            }
        }

In the authenticate section:

authenticate {
        Auth-Type PAP {

Uncomment ldap:

#       Auth-Type LDAP {
#       }

Save and exit.

Make the same changes in /etc/freeradius/3.0/sites-enabled/inner-tunnel, which is the inner-tunnel virtual server.

After that, execute the following commands as root to enable the ldap module:

cd /etc/freeradius/3.0/mods-enabled
ln -s ../mods-available/ldap ldap

Now, edit the ldap module:

nano /etc/freeradius/3.0/mods-enabled/ldap

server = 'ldaps://'
port = 636

Enter your access credentials here:

identity = 'foo'
password = bar

Enter your domain here:

base_dn = 'dc=example,dc=com'

In the tls section:

start_tls = no

certificate_file = /etc/freeradius/3.0/certs/ldap-client.crt
private_key_file = /etc/freeradius/3.0/certs/ldap-client.key

require_cert    = 'allow'

Save and exit.

Next, set up the eap module:

nano /etc/freeradius/3.0/mods-enabled/eap

In the eap section:

default_eap_type = ttls

In the ttls section:

default_eap_type = gtc

Save and exit. Finally, set the proxy settings:

nano /etc/freeradius/3.0/proxy.conf

Enter your domain at the end of the file:

realm {


Save and exit.
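Before restarting, the files edited above can be checked with a short script. This is an added example, not part of the original post or of FreeRADIUS: it flags the sample secret testing123, a require_cert value other than 'demand' or 'hard' ('allow' lets the LDAPS connection proceed even when the server certificate cannot be verified), and a world-readable client key. The function names and the constructed sample tree in demo are assumptions for illustration.

```sh
# Added example (not from the original post): audit the settings edited in this guide.
# Print the last uncommented "key = value" of a file, without quotes or trailing comment.
conf_value() {
    sed -n "s/^[[:space:]]*${1}[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1 |
        sed "s/[[:space:]]*#.*//; s/[[:space:]]*\$//; s/^['\"]//; s/['\"]\$//"
}

# audit_radius_conf DIR: print one line per finding; return 1 if anything was found.
audit_radius_conf() {
    dir=$1 ldap=$1/mods-enabled/ldap rc=0
    # Any client block (including the stock localhost one) still using the sample secret.
    if grep -Eq "^[[:space:]]*secret[[:space:]]*=[[:space:]]*['\"]?testing123" "$dir/clients.conf"; then
        echo "clients.conf: sample shared secret testing123 is still in use"; rc=1
    fi
    # Only 'demand' and 'hard' make the LDAP connection fail on an unverifiable server cert.
    case $(conf_value require_cert "$ldap") in
        demand|hard) ;;
        *) echo "ldap: require_cert does not enforce LDAP server certificate verification"; rc=1 ;;
    esac
    # The client key downloaded from Google must not be readable by other local users.
    key=$(conf_value private_key_file "$ldap")
    if [ ! -f "$key" ]; then
        echo "ldap: private_key_file '$key' not found"; rc=1
    elif [ -n "$(find "$key" -perm -004)" ]; then
        echo "ldap: $key is world-readable"; rc=1
    fi
    return $rc
}

# Constructed sample tree using the values shown in this guide (not a real deployment).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/mods-enabled" "$d/certs"
    printf 'client unifi {\n  secret = testing123\n}\n' > "$d/clients.conf"
    : > "$d/certs/ldap-client.key"
    chmod 644 "$d/certs/ldap-client.key"
    printf "tls {\n  private_key_file = %s\n  require_cert    = 'allow'\n}\n" \
        "$d/certs/ldap-client.key" > "$d/mods-enabled/ldap"
    audit_radius_conf "$d"; status=$?
    rm -rf "$d"
    return $status
}

demo || true   # reports three findings for the sample; on a server run: audit_radius_conf /etc/freeradius/3.0
```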

Use the following command to restart the FreeRADIUS service for the new settings to take effect:

systemctl restart freeradius.service

FreeRADIUS settings are now complete. On the Unifi Controller, go to Settings -> Wireless Networks and either create a new wireless network or edit an existing network. In Security select WPA Enterprise:

It will require a RADIUS Profile to be specified. Click on “Create new RADIUS profile”. Enter a name for the profile and specify the IP address of your RADIUS server and its shared secret (created earlier).

Save the changes made to RADIUS profile and Wireless network.

To set up a mobile client to connect to this network, enter your G Suite username and password like this:

Note: Users are free to enter only their User ID or complete email address in <UserID> format. It should work either way.

In case of an error, make sure the EAP method is TTLS. For Phase 2 or inner tunnel use either GTC or None. Some devices will auto-detect these settings but on some devices you might need to select them manually.

In case of any issues, troubleshoot FreeRADIUS by first stopping its service:

systemctl stop freeradius.service

After that, start it in debug mode:

freeradius -X

Follow the debug output to troubleshoot further.

Nasir Hafeez

A CCIE certified networks and systems specialist with 8+ years of experience in designing, configuring, troubleshooting, and documenting diverse IT scenarios for ISPs, enterprises and startups


  1. Thomas says:

    Hello Nasir,
    thanks for your post, that really fills a gap. Up to now I just found solutions with subject to charge.
    Do you think/know, if your solution also works with the FreeRADIUS-Server in pfsense ( This might open a variety of further options, besides WPA Enterprise, for pppoe, pptp and further more.
    Warm regards,

    1. Hi Thomas,

      Thanks for your feedback. I did try this on pfSense as a matter of fact. I was able to get it working successfully by getting into the command line and modifying FreeRADIUS files manually, but the problem I faced was that all the modifications that I did were lost when the pfSense was rebooted.

      1. Thomas says:

        Hi Nasir,

        have you tested the following way?
        It seems they have updated the docs on Sep. 17.

        1. Nice, this looks interesting. No I didn’t test it. Thanks for letting me know!

  2. Matthew says:

    Hi Nasir,
    thank you very much for your post. Have you had trouble connecting Windows client devices to the WiFi network? What settings did you use on the client side?

    1. Hello,

      No not at all. I tested it with Windows 10, didn’t need any special settings. Just selected WiFi, entered username and password, and accepted the certificate warning. It worked seamlessly!

      1. Matthew says:

        How strange. In my case there is no way I can authenticate a Windows client. There are no problems with Android.

  3. Gevanni says:

    Hi Nasir,

    I have everything configured but when connecting a client with macOS it does not allow me, do you know if I need a profile or certificate?

    Thank you.

    1. Hello,

      I tested it with an iPad and didn’t face any issues on that. Didn’t test it with a MacOS client.

  4. Geovanni says:

    Hi, Nasir

    What version of the Unifi controller do you use?
    I have version

    1. I think it was 6.0.36 perhaps.

  5. Christian Bednarz says:

    Dear Nasir. Thanks for your guide. However, would this also work for VPN via Ubiquiti and Google LDAP authentication? Best regards.

    1. I think it should.

  6. Hello Nasir,

    you saved my day. That guide was incredible and easy to read. Thanks a lot for your time. Really appreciate your work. Could configure all in two hours for my corporate network and will turn off old LDAP custom setup next week.

    Greetings, Thomas

    1. Thanks Thomas,

      Glad to help!

  7. Matt Richey says:

    Hello. I keep getting stuck when trying to restart the service. When I try to run that command, it returns with: Job for freeradius.service failed because the control process exited with error code. I’m not great in terminal, but I think I can get by. Any ideas as to what might be causing this?

    1. Please use freeradius -X to troubleshoot

  8. Syahwanius says:

    Hello Nasir. I already followed all the steps and am not getting errors while debugging using freeradius -X, but when a user connects I get some errors in /var/log/freeradius/radius.log:

    Error: (5) Ignoring duplicate packet from client LDAP port 33030 – ID: 6 due to unfinished request in component authenticate module eap_ttls
    ERROR: (6) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x2c493b1a284f2e21
    ERROR: (6) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x2c493b1a284f2e21
    ERROR: (7) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x2c493b1a284f2e21

    and the user can’t connect to the wifi, any idea?

  9. Nick says:

    Hey Nasir,
    I just want to say thank you for this article. I’ve revisited this a few times trying to get this to work and spent entirely too many hours on it over the last few years without any luck. I was able to get this up and running with your directions quickly and easily.
