FreeRADIUS with Google G Suite/Workspace Secure LDAP for WPA2 Enterprise WiFi

This post documents the process of integrating FreeRADIUS with Google G Suite (now Workspace) using Secure LDAP. FreeRADIUS will be used to authenticate Ubiquiti Unifi WPA2 Enterprise WiFi users. The configurations presented here are taken from this wonderful repository. While the repo uses Docker, we will be implementing these settings in FreeRADIUS directly. These settings were tested on Debian 10.

First, follow steps 1-3 given in Google’s support article and also generate access credentials. At the end of these steps, you’ll have a certificate and key along with your access credentials.

Then, install FreeRADIUS and its required packages:

apt update && apt upgrade
apt -y install freeradius freeradius-ldap freeradius-utils

Upload the certificate and key files downloaded from your Google G Suite Admin account into the following directory:

/etc/freeradius/3.0/certs/

Rename those files to:

ldap-client.crt
ldap-client.key

Next, use a text editor like nano to edit /etc/freeradius/3.0/clients.conf:

nano /etc/freeradius/3.0/clients.conf

Add the following lines at the end (replace 192.168.1.0/24 with your LAN subnet and testing123 with a more secure secret):

client unifi {
       ipaddr          = 192.168.1.0/24
       secret          = testing123
}

Use Ctrl + X to save and exit.

Edit the default virtual server:

nano /etc/freeradius/3.0/sites-enabled/default

In the authorize section, after the pap line, add this:

        if (User-Password) {
            update control {
                   Auth-Type := ldap
            }
        }

In the authenticate section, change the Auth-Type PAP block so that it calls ldap instead of pap:

        Auth-Type PAP {
                ldap
        }

Then uncomment the Auth-Type LDAP block so that it reads:

        Auth-Type LDAP {
                ldap
        }

Save and exit.

The same changes need to be made in /etc/freeradius/3.0/sites-enabled/inner-tunnel, the inner-tunnel virtual server that handles the authentication carried inside the TTLS tunnel.

After that, execute the following commands as root to enable the ldap module:

cd /etc/freeradius/3.0/mods-enabled
ln -s ../mods-available/ldap ldap

Now, edit the ldap module:

nano /etc/freeradius/3.0/mods-enabled/ldap

Set the server and port to Google's Secure LDAP endpoint:

server = 'ldaps://ldap.google.com'
port = 636

Enter your access credentials here:

identity = 'foo'
password = bar

Enter your domain here:

base_dn = 'dc=example,dc=com'

In the tls section:

start_tls = no

certificate_file = /etc/freeradius/3.0/certs/ldap-client.crt
private_key_file = /etc/freeradius/3.0/certs/ldap-client.key

require_cert    = 'allow'

Save and exit.

Next, set up the eap module:

nano /etc/freeradius/3.0/mods-enabled/eap

In the eap section:

default_eap_type = ttls

In the ttls section:

default_eap_type = gtc

Save and exit. Finally, set the proxy settings:

nano /etc/freeradius/3.0/proxy.conf

Enter your domain at the end of the file:

realm example.com {

}

Save and exit.

Use the following command to restart the FreeRADIUS service so that the new settings take effect:

systemctl restart freeradius.service
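Before restarting, it is worth checking the pieces that most often go wrong: the shared secret left at its placeholder, a Google key file readable by other local users, a certificate that does not belong to the key, and a configuration that fails to parse. The script below is an added example and is not part of the original post or of the repository it credits. It assumes the Debian paths used in this guide, that `openssl` is installed, and that the stock `localhost` entry in clients.conf (secret `testing123`) is still present; the 16-character minimum for the secret is this example's own threshold, not a FreeRADIUS rule.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks to run before
# "systemctl restart freeradius.service". Paths are the Debian 10 defaults
# used in this guide; the 16-character secret minimum is an assumption.

RADDIR=/etc/freeradius/3.0
CERT_FILE=$RADDIR/certs/ldap-client.crt
KEY_FILE=$RADDIR/certs/ldap-client.key

# Reject the placeholder secret from clients.conf and anything short.
# Returns 0 if the secret is acceptable, 1 otherwise.
check_secret() {
    secret=$1
    if [ "$secret" = "testing123" ]; then
        echo "secret is the placeholder from the guide; generate a real one" >&2
        return 1
    fi
    if [ "${#secret}" -lt 16 ]; then
        echo "secret is shorter than 16 characters" >&2
        return 1
    fi
    return 0
}

# The Google-issued key authenticates this host to your whole directory:
# it must exist and must not be readable by group or others. Returns 0 if ok.
check_key_perms() {
    key=$1
    [ -f "$key" ] || { echo "missing key file: $key" >&2; return 1; }
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "key $key has mode $mode; expected 600 or 400" >&2; return 1 ;;
    esac
}

# Certificate and key must belong together: compare the public key inside
# the certificate with the one derived from the private key.
check_cert_pair() {
    crt=$1; key=$2
    c=$(openssl x509 -in "$crt" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$c" = "$k" ]
}

# Parse-check the whole configuration without starting the daemon (-C).
# On failure, rerun "freeradius -C -X" by hand to see the offending line.
check_config() {
    freeradius -C -X >/dev/null 2>&1 || {
        echo "configuration check failed; run: freeradius -C -X" >&2
        return 1
    }
}

# PAP smoke test against the server itself through the default "localhost"
# client. With the authorize change from the guide, a User-Password request
# is routed to Auth-Type ldap, so an Access-Accept here proves that the
# LDAP bind to Google works independently of any WiFi hardware.
test_pap_bind() {
    user=$1; pass=$2; local_secret=${3:-testing123}
    radtest "$user" "$pass" 127.0.0.1 0 "$local_secret" | grep -q 'Access-Accept'
}

preflight() {
    check_key_perms "$KEY_FILE" || exit 1
    check_cert_pair "$CERT_FILE" "$KEY_FILE" || { echo "certificate and key do not match" >&2; exit 1; }
    check_config || exit 1
    echo "pre-flight ok; restart with: systemctl restart freeradius.service"
}

# Run the checks only when invoked as: sh preflight.sh run
if [ "${1:-}" = "run" ]; then
    preflight
fi
```

After the restart, `test_pap_bind someone yourpassword` (typed into a shell that has sourced the script) gives a quick yes/no on the LDAP side before any access point is involved.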

FreeRADIUS settings are now complete. On the Unifi Controller, go to Settings -> Wireless Networks and either create a new wireless network or edit an existing one. Under Security, select WPA Enterprise.

It will require a RADIUS profile. Click "Create new RADIUS profile", enter a name for the profile, and specify the IP address of your RADIUS server and its shared secret (the one set in clients.conf earlier).

Save the changes made to RADIUS profile and Wireless network.

To set up a mobile client to connect to this network, enter your G Suite username and password.

Note: Users can enter either their user ID alone or their complete email address in the <UserID>@example.com format; it works either way.

In case of an error, make sure the EAP method is TTLS. For Phase 2 (the inner tunnel) use either GTC or None: the ldap module authenticates by binding to Google with the user's password, so the client must send the password itself inside the TLS tunnel, which MS-CHAPv2 does not do. Some devices auto-detect these settings, but on others you may need to select them manually.

If you run into any issues, troubleshoot FreeRADIUS by first stopping its service:

systemctl stop freeradius.service

After that, start it in debug mode:

freeradius -X

Follow the debug output to troubleshoot further.
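The debug output is long, and the same few signatures account for most failures of this setup. The script below is an added example, not part of the original post: it scans a saved copy of the `freeradius -X` output (or /var/log/freeradius/radius.log) and prints one tagged line per problem class it recognises. The grep patterns are messages FreeRADIUS 3 actually prints; the diagnosis attached to each reflects this guide's design, in which the ldap module authenticates by binding to Google with the user's password. The tag names and the file name `triage.sh` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): triage of "freeradius -X"
# output for the failure modes that matter in an LDAP-bind setup.

# Prints one tagged line per problem class found in the file given as $1.
# Prints nothing when none of the known signatures appear.
triage_radius_debug() {
    f=$1

    # The supplicant negotiated MS-CHAPv2 as the inner method. An LDAP bind
    # cannot answer an MS-CHAPv2 challenge (that needs the NT hash, which
    # Google Secure LDAP never exposes), so FreeRADIUS reports a missing
    # NT-Password. The fix is on the client: EAP-TTLS with GTC (or PAP).
    if grep -Eq '(No NT[-/LM]*Password|MS-CHAP2-Response is incorrect|Client is using MS-CHAPv2)' "$f"; then
        echo "[INNER_MSCHAPV2] client used MS-CHAPv2 inside the tunnel; select EAP-TTLS with GTC/PAP on the client"
    fi

    # Packets arriving with a State that no live EAP session owns, or the
    # same packet arriving again while the first copy is still being worked
    # on: the access point retransmitted before the server answered.
    if grep -Eq 'No EAP session matching state|Ignoring duplicate packet' "$f"; then
        echo "[EAP_STATE] retransmissions during EAP; raise the RADIUS timeout on the AP and check how long the bind to ldap.google.com takes"
    fi

    # The ldap module could not validate the certificate ldap.google.com
    # presented: the store named by ca_file/ca_path in the module's tls
    # section does not contain its issuer.
    if grep -Eq 'TLS: certificate .* is not valid|issuer is not recognized' "$f"; then
        echo "[LDAP_TLS_TRUST] server could not verify the ldap.google.com certificate; point ca_file/ca_path in the ldap module at the system CA bundle"
    fi

    # The bind with the supplied password was refused (the standard LDAP
    # result text for code 49).
    if grep -q 'Invalid credentials' "$f"; then
        echo "[LDAP_BIND_REJECTED] wrong password or user not in this directory"
    fi
}

# Usage: sh triage.sh saved-debug-output.txt
if [ -n "${1:-}" ]; then
    triage_radius_debug "$1"
fi
```

Run `freeradius -X 2>&1 | tee debug.txt` while the client tries to connect, then `sh triage.sh debug.txt`; an empty result means the failure is not one of the classes above and the full output has to be read from the `authorize {` block onward.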

27 Comments

  1. Thomas says:

    Hello Nasir,
    thanks for your post, that really fills a gap. Up to now I just found solutions with subject to charge.
    Do you think/know, if your solution also works with the FreeRADIUS-Server in pfsense (https://www.pfsense.org/)? This might open a variety of further options, besides WPA Enterprise, for pppoe, pptp and further more.
    Warm regards,
    Thomas

    1. Hi Thomas,

      Thanks for your feedback. I did try this on pfSense as a matter of fact. I was able to get it working successfully by getting into the command line and modifying FreeRADIUS files manually, but the problem I faced was that all the modifications that I did were lost when the pfSense was rebooted.

      1. Thomas says:

        Hi Nasir,

        have you tested the following way?
        https://docs.netgate.com/pfsense/en/latest/recipes/auth-google-gsuite.html
        It seems they have updated the docs on Sep. 17.

        1. Nice, this looks interesting. No I didn’t test it. Thanks for letting me know!

  2. Matthew says:

    Hi Nasir,
    thank you very much for your post. Have you had trouble connecting Windows client devices to the WiFi network? What settings did you use on the client side?
    Thanks

    1. Hello,

      No not at all. I tested it with Windows 10, didn’t need any special settings. Just selected WiFi, entered username and password, and accepted the certificate warning. It worked seamlessly!

      1. Matthew says:

        How strange. In my case there is no way I can authenticate a Windows client. There are no problems with Android.

    2. Chris C says:

      Matthew-
      I am seeing the same issue with Windows 10 client PCs.
      FreeRadius fails to authenticate because of the client using MS-CHAPv2.
      WARNING: No Cleartext-Password configured. Cannot create NT-Password
      Creating challenge hash with username: ccarr
      Client is using MS-CHAPv2
      ERROR: FAILED: No NT-Password. Cannot perform authentication
      ERROR: MS-CHAP2-Response is incorrect

      NOTE I am using HP Aruba access points

  3. Gevanni says:

    Hi Nassir,

    I have everything configured, but when connecting a client with macOS it does not allow me in. Do you know if I need a profile or certificate?

    Thank you.

    1. Hello,

      I tested it with an iPad and didn’t face any issues on that. Didn’t test it with a MacOS client.

  4. Geovanni says:

    Hi, Nassir

    What version of the Unifi controller do you use?
    I have version 6.0.43.0.

    1. I think it was 6.0.36 perhaps.

  5. Christian Bednarz says:

    Dear Nasir. Thanks for your guide. However, would this also work for VPN via Ubiquiti and Google LDAP authentication? Best regards.

    1. I think it should.

      1. Sebastian says:

        Nice guide, it works just fine for me. Were you able to make it work for the VPN connection? I did run into an error, not sure if it's worth investing time here.

        (0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
        (0) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
        (0) mschap: Creating challenge hash with username: …
        (0) mschap: Client is using MS-CHAPv2
        (0) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
        (0) mschap: ERROR: MS-CHAP2-Response is incorrect

  6. Hello Nasir,

    you saved my day. That guide was incredible and easy to read. Thanks a lot for your time. Really appreciate your work. Could configure all in two hours for my corporate network and will turn off old LDAP custom setup next week.

    Greetings, Thomas

    1. Thanks Thomas,

      Glad to help!

  7. Matt Richey says:

    Hello. I keep getting stuck when trying to restart the service. When I try to run that command, it returns with: Job for freeradius.service failed because the control process exited with error code. I’m not great in terminal, but I think I can get by. Any ideas as to what might be causing this?

    1. Please use freeradius -X to troubleshoot

    2. Chris C says:

      Hi Matt.
      I started getting the same issue – attempting to start FreeRadius using SystemD fails with an error but running the process manually works fine # /sbin/radiusd -X -d /etc/raddb

  8. Syahwanius says:

    Hello Nasir. I have already followed all the steps and am not getting any error while debugging using freeradius -X, but when a user connects I get some errors in /var/log/freeradius/radius.log:

    Error: (5) Ignoring duplicate packet from client LDAP port 33030 – ID: 6 due to unfinished request in component authenticate module eap_ttls
    ERROR: (6) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x2c493b1a284f2e21
    ERROR: (6) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x2c493b1a284f2e21
    ERROR: (7) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x2c493b1a284f2e21

    and the user can’t connect to the wifi, any idea?

  9. Nick says:

    Hey Nasir,
    I just want to say thank you for this article. I’ve revisited this a few times trying to get this to work and spent entirely too many hours on it over the last few years without any luck. I was able to get this up and running with your directions quickly and easily.

  10. Marion Bates says:

    Hi Nasir,

    I am trying to adapt these instructions to Centos 7. When I start radiusd, I see these messages:

    May 03 11:08:21 localhost radiusd[29051]: TLS: certificate [CN=GTS CA 1O1,O=Google Trust Services,C=US] is not valid – error -8179:Peer’s Certificate issuer is not recognized..
    May 03 11:08:22 localhost radiusd[29051]: TLS: error: the certificate ‘/etc/raddb/certs/ldap-client.crt’ could not be found in the database – error -8187:security library: invalid arguments..
    May 03 11:08:22 localhost radiusd[29051]: TLS: certificate ‘/etc/raddb/certs/ldap-client.crt’ successfully loaded from PEM file.
    May 03 11:08:22 localhost radiusd[29051]: TLS: no unlocked certificate for certificate ‘ST=California,C=US,OU=GSuite,CN=LDAP Client,L=Mountain View,O=Google Inc.’.
    May 03 11:08:22 localhost radiusd[29051]: TLS: certificate [CN=GTS CA 1O1,O=Google Trust Services,C=US] is not valid – error -8179:Peer’s Certificate issuer is not recognized..
    May 03 11:08:22 localhost radiusd[29051]: TLS: error: the certificate ‘/etc/raddb/certs/ldap-client.crt’ could not be found in the database – error -8187:security library: invalid arguments..
    May 03 11:08:22 localhost radiusd[29051]: TLS: certificate ‘/etc/raddb/certs/ldap-client.crt’ successfully loaded from PEM file.
    May 03 11:08:22 localhost radiusd[29051]: TLS: no unlocked certificate for certificate ‘ST=California,C=US,OU=GSuite,CN=LDAP Client,L=Mountain View,O=Google Inc.’.
    May 03 11:08:22 localhost radiusd[29051]: TLS: certificate [CN=GTS CA 1O1,O=Google Trust Services,C=US] is not valid – error -8179:Peer’s Certificate issuer is not recognized..

    Do you know what this means or how to fix? Thank you very much! — MB

  11. Glenn says:

    IOS, MacOS and Android clients connect fine. Windows and ChromeOS are having difficulty connecting. Here is the output of freeradius -X when a Windows client attempts to connect:
    (0) Received Access-Request Id 35 from 172.16.1.25:56448 to 172.16.1.14:1812 length 257
    (0) User-Name = “[email protected]
    (0) NAS-IP-Address = 172.16.1.25
    (0) NAS-Identifier = “029fc26eac66”
    (0) Called-Station-Id = “02-9F-C2-6E-AC-66:HAAS_Student”
    (0) NAS-Port-Type = Wireless-802.11
    (0) Service-Type = Framed-User
    (0) Calling-Station-Id = “98-AF-65-08-37-02”
    (0) Connect-Info = “CONNECT 0Mbps 802.11b”
    (0) Acct-Session-Id = “37C8289B8D2F7CA7”
    (0) Acct-Multi-Session-Id = “DC7E9029C48AF6AE”
    (0) WLAN-Pairwise-Cipher = 1027076
    (0) WLAN-Group-Cipher = 1027076
    (0) WLAN-AKM-Suite = 1027073
    (0) WLAN-Group-Mgmt-Cipher = 1027078
    (0) Framed-MTU = 1400
    (0) EAP-Message = 0x02cb001801676c61676d616e40686161737063732e6e6574
    (0) Message-Authenticator = 0x4764f2541db94b493f83688530a2ecb4
    (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (0) authorize {
    (0) policy filter_username {
    (0) if (&User-Name) {
    (0) if (&User-Name) -> TRUE
    (0) if (&User-Name) {
    (0) if (&User-Name =~ / /) {
    (0) if (&User-Name =~ / /) -> FALSE
    (0) if (&User-Name =~ /@[^@]*@/ ) {
    (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
    (0) if (&User-Name =~ /\.\./ ) {
    (0) if (&User-Name =~ /\.\./ ) -> FALSE
    (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
    (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
    (0) if (&User-Name =~ /\.$/) {
    (0) if (&User-Name =~ /\.$/) -> FALSE
    (0) if (&User-Name =~ /@\./) {
    (0) if (&User-Name =~ /@\./) -> FALSE
    (0) } # if (&User-Name) = notfound
    (0) } # policy filter_username = notfound
    (0) [preprocess] = ok
    (0) [chap] = noop
    (0) [mschap] = noop
    (0) [digest] = noop
    (0) suffix: Checking for suffix after “@”
    (0) suffix: Looking up realm “domain.com” for User-Name = “[email protected]
    (0) suffix: Found realm “domain.com”
    (0) suffix: Adding Stripped-User-Name = “user”
    (0) suffix: Adding Realm = “domain.com”
    (0) suffix: Authentication realm is LOCAL
    (0) [suffix] = ok
    (0) eap: Peer sent EAP Response (code 2) ID 203 length 24
    (0) eap: EAP-Identity reply, returning ‘ok’ so we can short-circuit the rest of authorize
    (0) [eap] = ok
    (0) } # authorize = ok
    (0) Found Auth-Type = eap
    (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (0) authenticate {
    (0) eap: Peer sent packet with method EAP Identity (1)
    (0) eap: Calling submodule eap_ttls to process data
    (0) eap_ttls: Initiating new EAP-TLS session
    (0) eap_ttls: [eaptls start] = request
    (0) eap: Sending EAP Request (code 1) ID 204 length 6
    (0) eap: EAP session adding &reply:State = 0x3ad5cc8d3a19d919
    (0) [eap] = handled
    (0) } # authenticate = handled
    (0) Using Post-Auth-Type Challenge
    (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (0) Challenge { … } # empty sub-section is ignored
    (0) Sent Access-Challenge Id 35 from 172.16.1.14:1812 to 172.16.1.25:56448 length 0
    (0) EAP-Message = 0x01cc00061520
    (0) Message-Authenticator = 0x00000000000000000000000000000000
    (0) State = 0x3ad5cc8d3a19d919bf2f4b6dd6a06ef4
    (0) Finished request
    Waking up in 4.9 seconds.
    (1) Received Access-Request Id 36 from 172.16.1.25:56448 to 172.16.1.14:1812 length 414
    (1) User-Name = “[email protected]
    (1) NAS-IP-Address = 172.16.1.25
    (1) NAS-Identifier = “029fc26eac66”
    (1) Called-Station-Id = “02-9F-C2-6E-AC-66:HAAS_Student”
    (1) NAS-Port-Type = Wireless-802.11
    (1) Service-Type = Framed-User
    (1) Calling-Station-Id = “98-AF-65-08-37-02”
    (1) Connect-Info = “CONNECT 0Mbps 802.11b”
    (1) Acct-Session-Id = “37C8289B8D2F7CA7”
    (1) Acct-Multi-Session-Id = “DC7E9029C48AF6AE”
    (1) WLAN-Pairwise-Cipher = 1027076
    (1) WLAN-Group-Cipher = 1027076
    (1) WLAN-AKM-Suite = 1027073
    (1) WLAN-Group-Mgmt-Cipher = 1027078
    (1) Framed-MTU = 1400
    (1) EAP-Message = 0x02cc00a3158000000099160303009401000090030360f5daec9dc706e59810cf61b9f713636d14b8764b444df9cc63ff348150673c00002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a0100003d000a00080006001d00170018000b000201
    (1) State = 0x3ad5cc8d3a19d919bf2f4b6dd6a06ef4
    (1) Message-Authenticator = 0x5cba8405dd0258e2367d3b93063ce239
    (1) session-state: No cached attributes
    (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (1) authorize {
    (1) policy filter_username {
    (1) if (&User-Name) {
    (1) if (&User-Name) -> TRUE
    (1) if (&User-Name) {
    (1) if (&User-Name =~ / /) {
    (1) if (&User-Name =~ / /) -> FALSE
    (1) if (&User-Name =~ /@[^@]*@/ ) {
    (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
    (1) if (&User-Name =~ /\.\./ ) {
    (1) if (&User-Name =~ /\.\./ ) -> FALSE
    (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
    (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
    (1) if (&User-Name =~ /\.$/) {
    (1) if (&User-Name =~ /\.$/) -> FALSE
    (1) if (&User-Name =~ /@\./) {
    (1) if (&User-Name =~ /@\./) -> FALSE
    (1) } # if (&User-Name) = notfound
    (1) } # policy filter_username = notfound
    (1) [preprocess] = ok
    (1) [chap] = noop
    (1) [mschap] = noop
    (1) [digest] = noop
    (1) suffix: Checking for suffix after “@”
    (1) suffix: Looking up realm “domain.com” for User-Name = “[email protected]
    (1) suffix: Found realm “domain.com”
    (1) suffix: Adding Stripped-User-Name = “user”
    (1) suffix: Adding Realm = “domain.com”
    (1) suffix: Authentication realm is LOCAL
    (1) [suffix] = ok
    (1) eap: Peer sent EAP Response (code 2) ID 204 length 163
    (1) eap: Continuing tunnel setup
    (1) [eap] = ok
    (1) } # authorize = ok
    (1) Found Auth-Type = eap
    (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (1) authenticate {
    (1) eap: Expiring EAP session with state 0x3ad5cc8d3a19d919
    (1) eap: Finished EAP session with state 0x3ad5cc8d3a19d919
    (1) eap: Previous EAP request found for state 0x3ad5cc8d3a19d919, released from the list
    (1) eap: Peer sent packet with method EAP TTLS (21)
    (1) eap: Calling submodule eap_ttls to process data
    (1) eap_ttls: Authenticate
    (1) eap_ttls: Continuing EAP-TLS
    (1) eap_ttls: Peer indicated complete TLS record size will be 153 bytes
    (1) eap_ttls: Got complete TLS record (153 bytes)
    (1) eap_ttls: [eaptls verify] = length included
    (1) eap_ttls: (other): before SSL initialization
    (1) eap_ttls: TLS_accept: before SSL initialization
    (1) eap_ttls: TLS_accept: before SSL initialization
    (1) eap_ttls: <<>> send TLS 1.2 [length 003d]
    (1) eap_ttls: TLS_accept: SSLv3/TLS write server hello
    (1) eap_ttls: >>> send TLS 1.2 [length 031d]
    (1) eap_ttls: TLS_accept: SSLv3/TLS write certificate
    (1) eap_ttls: >>> send TLS 1.2 [length 014d]
    (1) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
    (1) eap_ttls: >>> send TLS 1.2 [length 0004]
    (1) eap_ttls: TLS_accept: SSLv3/TLS write server done
    (1) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server done
    (1) eap_ttls: In SSL Handshake Phase
    (1) eap_ttls: In SSL Accept mode
    (1) eap_ttls: [eaptls process] = handled
    (1) eap: Sending EAP Request (code 1) ID 205 length 1004
    (1) eap: EAP session adding &reply:State = 0x3ad5cc8d3b18d919
    (1) [eap] = handled
    (1) } # authenticate = handled
    (1) Using Post-Auth-Type Challenge
    (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (1) Challenge { … } # empty sub-section is ignored
    (1) Sent Access-Challenge Id 36 from 172.16.1.14:1812 to 172.16.1.25:56448 length 0
    (1) EAP-Message = 0x01cd03ec15c0000004bf160303003d0200003903038895826d02916cc4f4d7eebd23e8c6dfb507512051db2e88444f574e4752440100c030000011ff01000100000b00040300010200170000160303031d0b0003190003160003133082030f308201f7a00302010202140093bdec6d7accbcea599f3d61
    (1) Message-Authenticator = 0x00000000000000000000000000000000
    (1) State = 0x3ad5cc8d3b18d919bf2f4b6dd6a06ef4
    (1) Finished request
    Waking up in 4.9 seconds.
    (2) Received Access-Request Id 37 from 172.16.1.25:56448 to 172.16.1.14:1812 length 257
    (2) User-Name = “[email protected]
    (2) NAS-IP-Address = 172.16.1.25
    (2) NAS-Identifier = “029fc26eac66”
    (2) Called-Station-Id = “02-9F-C2-6E-AC-66:HAAS_Student”
    (2) NAS-Port-Type = Wireless-802.11
    (2) Service-Type = Framed-User
    (2) Calling-Station-Id = “98-AF-65-08-37-02”
    (2) Connect-Info = “CONNECT 0Mbps 802.11b”
    (2) Acct-Session-Id = “37C8289B8D2F7CA7”
    (2) Acct-Multi-Session-Id = “DC7E9029C48AF6AE”
    (2) WLAN-Pairwise-Cipher = 1027076
    (2) WLAN-Group-Cipher = 1027076
    (2) WLAN-AKM-Suite = 1027073
    (2) WLAN-Group-Mgmt-Cipher = 1027078
    (2) Framed-MTU = 1400
    (2) EAP-Message = 0x02cd00061500
    (2) State = 0x3ad5cc8d3b18d919bf2f4b6dd6a06ef4
    (2) Message-Authenticator = 0x234375bee42a3c192ca7d6a9aba0c316
    (2) session-state: No cached attributes
    (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (2) authorize {
    (2) policy filter_username {
    (2) if (&User-Name) {
    (2) if (&User-Name) -> TRUE
    (2) if (&User-Name) {
    (2) if (&User-Name =~ / /) {
    (2) if (&User-Name =~ / /) -> FALSE
    (2) if (&User-Name =~ /@[^@]*@/ ) {
    (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
    (2) if (&User-Name =~ /\.\./ ) {
    (2) if (&User-Name =~ /\.\./ ) -> FALSE
    (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
    (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
    (2) if (&User-Name =~ /\.$/) {
    (2) if (&User-Name =~ /\.$/) -> FALSE
    (2) if (&User-Name =~ /@\./) {
    (2) if (&User-Name =~ /@\./) -> FALSE
    (2) } # if (&User-Name) = notfound
    (2) } # policy filter_username = notfound
    (2) [preprocess] = ok
    (2) [chap] = noop
    (2) [mschap] = noop
    (2) [digest] = noop
    (2) suffix: Checking for suffix after “@”
    (2) suffix: Looking up realm “domain.com” for User-Name = “[email protected]
    (2) suffix: Found realm “domain.com”
    (2) suffix: Adding Stripped-User-Name = “user”
    (2) suffix: Adding Realm = “domain.com”
    (2) suffix: Authentication realm is LOCAL
    (2) [suffix] = ok
    (2) eap: Peer sent EAP Response (code 2) ID 205 length 6
    (2) eap: Continuing tunnel setup
    (2) [eap] = ok
    (2) } # authorize = ok
    (2) Found Auth-Type = eap
    (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (2) authenticate {
    (2) eap: Expiring EAP session with state 0x3ad5cc8d3b18d919
    (2) eap: Finished EAP session with state 0x3ad5cc8d3b18d919
    (2) eap: Previous EAP request found for state 0x3ad5cc8d3b18d919, released from the list
    (2) eap: Peer sent packet with method EAP TTLS (21)
    (2) eap: Calling submodule eap_ttls to process data
    (2) eap_ttls: Authenticate
    (2) eap_ttls: Continuing EAP-TLS
    (2) eap_ttls: Peer ACKed our handshake fragment
    (2) eap_ttls: [eaptls verify] = request
    (2) eap_ttls: [eaptls process] = handled
    (2) eap: Sending EAP Request (code 1) ID 206 length 231
    (2) eap: EAP session adding &reply:State = 0x3ad5cc8d381bd919
    (2) [eap] = handled
    (2) } # authenticate = handled
    (2) Using Post-Auth-Type Challenge
    (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (2) Challenge { … } # empty sub-section is ignored
    (2) Sent Access-Challenge Id 37 from 172.16.1.14:1812 to 172.16.1.25:56448 length 0
    (2) EAP-Message = 0x01ce00e71580000004bfbf424d0a0d365eae2bfc4e485a164843e5c79d3264931ae8ee1cec646bf6fc073ce0f1fb1914af8487a4bd7a4d24ceed9b63bdf84f5ebe25815289ff08e75e14c94b1c73fb0088626988121ffcf2b66737c9f421d17d4a750447e6b41d0f473dc9f097cecb57b0c550e7741a4e
    (2) Message-Authenticator = 0x00000000000000000000000000000000
    (2) State = 0x3ad5cc8d381bd919bf2f4b6dd6a06ef4
    (2) Finished request
    Waking up in 4.9 seconds.
    (3) Received Access-Request Id 38 from 172.16.1.25:56448 to 172.16.1.14:1812 length 387
    (3) User-Name = “[email protected]
    (3) NAS-IP-Address = 172.16.1.25
    (3) NAS-Identifier = “029fc26eac66”
    (3) Called-Station-Id = “02-9F-C2-6E-AC-66:HAAS_Student”
    (3) NAS-Port-Type = Wireless-802.11
    (3) Service-Type = Framed-User
    (3) Calling-Station-Id = “98-AF-65-08-37-02”
    (3) Connect-Info = “CONNECT 0Mbps 802.11b”
    (3) Acct-Session-Id = “37C8289B8D2F7CA7”
    (3) Acct-Multi-Session-Id = “DC7E9029C48AF6AE”
    (3) WLAN-Pairwise-Cipher = 1027076
    (3) WLAN-Group-Cipher = 1027076
    (3) WLAN-AKM-Suite = 1027073
    (3) WLAN-Group-Mgmt-Cipher = 1027078
    (3) Framed-MTU = 1400
    (3) EAP-Message = 0x02ce008815800000007e160303004610000042410420b898065746e53f921b7a2adf25d1b9f2e8845c3a76fd67531bb999a6577ed53aa429f635dde53c290ab85afc15d8dab90c35180e3447fa9a37ea22434c8f7314030300010116030300280000000000000000c1981ae5120f9fd048d6e155c74693
    (3) State = 0x3ad5cc8d381bd919bf2f4b6dd6a06ef4
    (3) Message-Authenticator = 0x23fc4a0fa143997f21fd295f3f12c4a9
    (3) session-state: No cached attributes
    (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (3) authorize {
    (3) policy filter_username {
    (3) if (&User-Name) {
    (3) if (&User-Name) -> TRUE
    (3) if (&User-Name) {
    (3) if (&User-Name =~ / /) {
    (3) if (&User-Name =~ / /) -> FALSE
    (3) if (&User-Name =~ /@[^@]*@/ ) {
    (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
    (3) if (&User-Name =~ /\.\./ ) {
    (3) if (&User-Name =~ /\.\./ ) -> FALSE
    (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
    (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
    (3) if (&User-Name =~ /\.$/) {
    (3) if (&User-Name =~ /\.$/) -> FALSE
    (3) if (&User-Name =~ /@\./) {
    (3) if (&User-Name =~ /@\./) -> FALSE
    (3) } # if (&User-Name) = notfound
    (3) } # policy filter_username = notfound
    (3) [preprocess] = ok
    (3) [chap] = noop
    (3) [mschap] = noop
    (3) [digest] = noop
    (3) suffix: Checking for suffix after “@”
    (3) suffix: Looking up realm “domain.com” for User-Name = “[email protected]
    (3) suffix: Found realm “domain.com”
    (3) suffix: Adding Stripped-User-Name = “user”
    (3) suffix: Adding Realm = “domain.com”
    (3) suffix: Authentication realm is LOCAL
    (3) [suffix] = ok
    (3) eap: Peer sent EAP Response (code 2) ID 206 length 136
    (3) eap: Continuing tunnel setup
    (3) [eap] = ok
    (3) } # authorize = ok
    (3) Found Auth-Type = eap
    (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (3) authenticate {
    (3) eap: Expiring EAP session with state 0x3ad5cc8d381bd919
    (3) eap: Finished EAP session with state 0x3ad5cc8d381bd919
    (3) eap: Previous EAP request found for state 0x3ad5cc8d381bd919, released from the list
    (3) eap: Peer sent packet with method EAP TTLS (21)
    (3) eap: Calling submodule eap_ttls to process data
    (3) eap_ttls: Authenticate
    (3) eap_ttls: Continuing EAP-TLS
    (3) eap_ttls: Peer indicated complete TLS record size will be 126 bytes
    (3) eap_ttls: Got complete TLS record (126 bytes)
    (3) eap_ttls: [eaptls verify] = length included
    (3) eap_ttls: TLS_accept: SSLv3/TLS write server done
    (3) eap_ttls: <<< recv TLS 1.2 [length 0046]
    (3) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
    (3) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
    (3) eap_ttls: <<>> send TLS 1.2 [length 0001]
    (3) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
    (3) eap_ttls: >>> send TLS 1.2 [length 0010]
    (3) eap_ttls: TLS_accept: SSLv3/TLS write finished
    (3) eap_ttls: (other): SSL negotiation finished successfully
    (3) eap_ttls: SSL Connection Established
    (3) eap_ttls: [eaptls process] = handled
    (3) eap: Sending EAP Request (code 1) ID 207 length 61
    (3) eap: EAP session adding &reply:State = 0x3ad5cc8d391ad919
    (3) [eap] = handled
    (3) } # authenticate = handled
    (3) Using Post-Auth-Type Challenge
    (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (3) Challenge { … } # empty sub-section is ignored
    (3) Sent Access-Challenge Id 38 from 172.16.1.14:1812 to 172.16.1.25:56448 length 0
    (3) EAP-Message = 0x01cf003d1580000000331403030001011603030028a84720c979cd4ada6e5d4015a41131f1cb2e44988c2070504509e7f15c19e598cff3b557f231747e
    (3) Message-Authenticator = 0x00000000000000000000000000000000
    (3) State = 0x3ad5cc8d391ad919bf2f4b6dd6a06ef4
    (3) Finished request
    Waking up in 4.9 seconds.
    (0) Cleaning up request packet ID 35 with timestamp +27
    (1) Cleaning up request packet ID 36 with timestamp +27
    (2) Cleaning up request packet ID 37 with timestamp +27
    (3) Cleaning up request packet ID 38 with timestamp +27

  12. Glenn says:

    Is there a way to restrict authentications to a particular OU in Google Workspace?

  13. Wade Gibson says:

    Thank you for this tutorial! I set up FreeRadius on an Ubuntu 20.04 LTS server and my MacOS 11.6 Big Sur, iPad, and iPhone all connect without any additional configuration needed. I have tried numerous times to get a Windows 10 laptop and a Chromebook to connect, but I can't seem to get either one to work. The Chromebook gave a fair amount of options, as far as being able to manually select EAP-TTLS/GTC and Do Not Check Server CA Certificate, so I thought I'd be able to get it online, but it always says "Authentication Certificate Rejected Locally." I'm hopeful that someone can get a combination of settings that will work. Thanks!

    1. Yes, now Windows 10 does not work with private CA certificates like the ones in this FreeRADIUS install. Previously it used to prompt, not any more. The solution would be to use certificates from a well-known CA. I haven’t tried this yet.
