FreeRADIUS with Google G Suite/Workspace Secure LDAP for WPA2 Enterprise WiFi

This post documents the process of integrating FreeRADIUS with Google G Suite (now Workspace) using Secure LDAP. FreeRADIUS will be used to authenticate Ubiquiti Unifi WPA2 Enterprise WiFi users. The configurations presented here are taken from this wonderful repository. While the repo uses Docker, we will be implementing these settings in FreeRADIUS directly. This settings were tested on Debian 10.

First, follow steps 1-3 given in Google’s support article and also generate access credentials. At the end of these steps, you’ll have a certificate and key along with your access credentials.

Then, install FreeRADIUS and its required packages:

apt update && apt upgrade
apt -y install freeradius freeradius-ldap freeradius-utils

Upload the certificate and key files downloaded from Google G-Suite Admin account into the following directory:

/etc/freeradius/3.0/certs/

Rename those files to:

ldap-client.crt
ldap-client.key

Next, use a text editor like nano to edit /etc/freeradius/3.0/clients.conf:

nano /etc/freeradius/3.0/clients.conf

Add the following lines at the end (replace 192.168.1.0/24 with your LAN subnet and testing123 with a more secure secret):

client unifi {
       ipaddr          = 192.168.1.0/24
       secret          = testing123
}

Use Ctrl + X to save and exit.

Edit the default virtual server:

nano /etc/freeradius/3.0/sites-enabled/default

In authorize section after pap add this:

        if (User-Password) {
            update control {
                   Auth-Type := ldap
            }
        }

In authenticate section:

authenticate {
        Auth-Type PAP {
                ldap
        }

Uncomment ldap:

#       Auth-Type LDAP {
                ldap
#       }

Save and exit.

The same changes need to be done in /etc/freeradius/3.0/sites-enabled/inner-tunnel to edit the inner-tunnel virtual server.

After that execute the following commands as root to enable ldap module:

cd /etc/freeradius/3.0/mods-enabled
ln -s ../mods-available/ldap ldap

Now, edit the ldap module:

nano /etc/freeradius/3.0/mods-enabled/ldap

server = 'ldaps://ldap.google.com'
port = 636

Enter your access credentials here:


identity = 'foo'
password = bar

Enter your domain here:

base_dn = 'dc=example,dc=com'

In tls section:

start_tls = no

certificate_file = /etc/freeradius/3.0/certs/ldap-client.crt
private_key_file = /etc/freeradius/3.0/certs/ldap-client.key

require_cert    = 'allow'

Save and exit.

Next, set up the eap module:

nano /etc/freeradius/3.0/mods-enabled/eap

In eap section:

default_eap_type = ttls

In ttls section:

default_eap_type = gtc

Save and exit. Finally, set the proxy settings:

nano /etc/freeradius/3.0/proxy.conf

Enter your domain at the end of the file:

realm example.com {

}

Save and exit.

Use the following command to restart FreeRADIUS service for new settings to take effect:

systemctl restart freeradius.service

FreeRADIUS settings are now complete. On the Unifi Controller, go to Settings -> Wireless Networks and either create a new wireless network or edit an existing network. In Security select WPA Enterprise:

It will require a RADIUS Profile to be specified. Click on “Create new RADIUS profile”. Enter a name for the profile and specify the IP address of your RADIUS server and its shared secret (created earlier).

Save the changes made to RADIUS profile and Wireless network.

To setup a mobile client to connect to this network enter your G-Suite Username and password like this:

Note: Users are free to enter only their User ID or complete email address in <UserID>@example.com format. It should work either way.

In case of an error, make sure the EAP method is TTLS. For Phase 2 or inner tunnel use either GTC or None. Some devices will auto-detect these settings but on some devices you might need to select them manually.

In case of any issues troubleshoot FreeRADIUS by first stopping its service:

systemctl stop freeradius.service

After that start it in debug mode:

freeradius -X

Follow the debug output to troubleshoot further.

Nasir Hafeez

A CCIE certified networks and systems specialist with 8+ years of experience in designing, configuring, troubleshooting, and documenting diverse IT scenarios for ISPs, enterprises and startups

4 Comments

  1. Thomas says:

    Hello Nasir,
    thanks for your post, that really fills a gap. Up to now I just found solutions with subject to charge.
    Do you think/know, if your solution also works with the FreeRADIUS-Server in pfsense (https://www.pfsense.org/)? This might open a variety of further options, besides WPA Enterprise, for pppoe, pptp and further more.
    Warm regards,
    Thomas

    1. Hi Thomas,

      Thanks for your feedback. I did try this on pfSense as a matter of fact. I was able to get it working successfully by getting into the command line and modifying FreeRADIUS files manually, but the problem I faced was that all the modifications that I did were lost when the pfSense was rebooted.

      1. Thomas says:

        Hi Nasir,

        have you tested the following way?
        https://docs.netgate.com/pfsense/en/latest/recipes/auth-google-gsuite.html
        It seems they have updated the docs on Sep. 17.

        1. Nice, this looks interesting. No I didn’t test it. Thanks for letting me know!

Leave a Reply

Your email address will not be published. Required fields are marked *