FreeRADIUS with Google G Suite/Workspace Secure LDAP for WPA2 Enterprise WiFi

This post documents the process of integrating FreeRADIUS with Google G Suite (now Workspace) using Secure LDAP. FreeRADIUS will authenticate users of a Ubiquiti Unifi WPA2 Enterprise WiFi network against their Google accounts. The configuration presented here is adapted from the Unifi FreeRADIUS on Docker with Google Secure LDAP repository listed in the references; that repository uses Docker, whereas we apply the same settings to FreeRADIUS directly. These settings were tested on Debian 10.

First, follow steps 1-3 of Google’s support article on Secure LDAP and also generate access credentials. At the end of these steps you will have a client certificate and private key plus an access credential (a generated username and password). All of these authenticate your FreeRADIUS server to Google, so treat them as secrets.

Then, install FreeRADIUS and its required packages:

apt update && apt upgrade
apt -y install freeradius freeradius-ldap freeradius-utils

Upload the certificate and key files downloaded from Google G-Suite Admin account into the following directory:

/etc/freeradius/3.0/certs/

Rename those files to:

ldap-client.crt
ldap-client.key

Next, use a text editor like nano to edit /etc/freeradius/3.0/clients.conf:

nano /etc/freeradius/3.0/clients.conf

Add the following lines at the end. Replace 192.168.1.0/24 with the addresses of your access points (with Unifi the APs themselves are the RADIUS clients, so list them or use the smallest subnet that contains them rather than the whole LAN) and replace testing123 with a long random secret; the shared secret is the only thing that keeps the User-Password attribute confidential on the wire and that stops anyone on a covered address from talking to the server:

client unifi {
       ipaddr          = 192.168.1.0/24
       secret          = testing123
}

Use Ctrl + X to save and exit.

Edit the default virtual server:

nano /etc/freeradius/3.0/sites-enabled/default

In the authorize section, after pap, add this. It forces Auth-Type ldap for every request that carries a plaintext User-Password, so FreeRADIUS authenticates by binding to Google’s LDAP as the user with the password the client supplied. That is the only method Secure LDAP supports (it never returns password hashes), which is also why the inner EAP method later has to be PAP or GTC rather than MS-CHAPv2:

        if (User-Password) {
            update control {
                   Auth-Type := ldap
            }
        }

In the authenticate section, change the Auth-Type PAP block so that it calls ldap instead of pap, and uncomment the Auth-Type LDAP block that ships commented out. The two blocks should end up reading:

authenticate {
        Auth-Type PAP {
                ldap
        }

        ...

        Auth-Type LDAP {
                ldap
        }

Save and exit.

The same changes need to be made in /etc/freeradius/3.0/sites-enabled/inner-tunnel, the virtual server that handles the inner leg of EAP-TTLS. The gtc submodule of eap hands the password it receives to Auth-Type PAP in inner-tunnel (its auth_type defaults to PAP), so without this change TTLS/GTC logins would never reach LDAP.

After that, execute the following commands as root to enable the ldap module:

cd /etc/freeradius/3.0/mods-enabled
ln -s ../mods-available/ldap ldap

Now, edit the ldap module:

nano /etc/freeradius/3.0/mods-enabled/ldap

server = 'ldaps://ldap.google.com'
port = 636

Enter your Secure LDAP access credentials here (the generated username and password, not a DN). This file now holds a secret, so keep it readable only by root and the freerad user:

identity = 'foo'
password = 'bar'

Enter your domain here:

base_dn = 'dc=example,dc=com'

In the tls section leave start_tls = no (the connection is already TLS because of the ldaps:// URL) and point the module at the client certificate and key issued by Google:

start_tls = no

certificate_file = /etc/freeradius/3.0/certs/ldap-client.crt
private_key_file = /etc/freeradius/3.0/certs/ldap-client.key

require_cert    = 'allow'

Be aware of what 'allow' does: the certificate that ldap.google.com presents is requested but not verified, so the bind credentials and every user password are sent to whatever answers on port 636. Once the setup works, change it to require_cert = 'demand' and add ca_file = /etc/ssl/certs/ca-certificates.crt (the Debian CA bundle) in the same tls section so that the server’s certificate chain is checked.

Save and exit.

Next, set up the eap module:

nano /etc/freeradius/3.0/mods-enabled/eap

In eap section:

default_eap_type = ttls

In ttls section:

default_eap_type = gtc

Save and exit. Finally, define your Google Workspace domain as a realm:

nano /etc/freeradius/3.0/proxy.conf

Add your domain at the end of the file (repeat the stanza for each alias domain whose users should be able to log in):

realm example.com {

}

A realm with no auth_host is local, so the suffix module strips it and sets Stripped-User-Name to the part before the @. The ldap module’s default user filter, (uid=%{%{Stripped-User-Name}:-%{User-Name}}), then looks up the bare username, which is what Google exposes as uid. Without the realm definition, a login as user@example.com would search for that whole string and fail.

Save and exit.

Use the following command to restart FreeRADIUS service for new settings to take effect:

systemctl restart freeradius.service
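Before pointing the access points at the server, it is worth proving the PAP-to-LDAP-bind path with a bare RADIUS request, the way radtest does. The following is an added example, not code from the original post or from the FreeRADIUS project: a minimal RADIUS PAP client in standard-library Python that builds the Access-Request (User-Password obfuscation per RFC 2865, Message-Authenticator per RFC 2869), sends it, and verifies the Response Authenticator so that a reply from a server holding a different shared secret is rejected rather than trusted. Host, port, shared secret and the test user’s credentials are supplied on the command line and are assumptions; the server-side build_reply helper exists only to show the other half of the exchange.

```python
"""Minimal RADIUS PAP test client.

Added example, not code from the original post or from FreeRADIUS. It does
what `radtest` does: sends one Access-Request carrying User-Name and a
User-Password obfuscated as RFC 2865 section 5.2 describes, adds a
Message-Authenticator (RFC 2869 section 5.14), and validates the Response
Authenticator of the reply. Host, port, shared secret and credentials are
supplied by the caller; none of them come from the post's configuration.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_PORT, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 5, 80


def encrypt_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def decrypt_pap_password(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_pap_password; this is what the server does before the LDAP bind."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(ciphertext[i:i + 16], keystream))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> list:
    """Split the attribute area of a packet into (type, value) pairs; rejects bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(ident, secret, username, password, authenticator=None):
    """Build an Access-Request; returns (packet, request_authenticator)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_USER_PASSWORD, encrypt_pap_password(password.encode(), secret, authenticator))
             + encode_attr(ATTR_NAS_PORT, struct.pack("!I", 0))
             + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # placeholder, filled below
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    # HMAC-MD5 keyed with the shared secret over the whole packet, Message-Authenticator zeroed.
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac, authenticator


def build_reply(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def verify_reply(reply, ident, request_authenticator, secret):
    """Client side: accept the reply only if it proves knowledge of the shared secret."""
    if len(reply) < 20 or reply[1] != ident or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def radius_pap_auth(host, secret, username, password, port=1812, timeout=5.0):
    """True on Access-Accept, False on Access-Reject; raises if the reply does not verify."""
    ident = os.urandom(1)[0]
    packet, request_auth = build_access_request(ident, secret, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)  # a timeout here usually means "unknown client" on the server
    if not verify_reply(reply, ident, request_auth, secret):
        raise RuntimeError("reply failed verification: shared secret mismatch or forged reply")
    return reply[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    import getpass
    import sys
    # usage (assumed file name): python3 radius_pap_check.py <host> <secret> <user>
    host, secret, user = sys.argv[1], sys.argv[2].encode(), sys.argv[3]
    ok = radius_pap_auth(host, secret, user, getpass.getpass("Google Workspace password: "))
    print("Access-Accept" if ok else "Access-Reject")
```

Run it from a host that clients.conf covers, or on the server itself against 127.0.0.1 with the localhost secret. An Access-Reject with a password you know to be right means the LDAP bind failed, so watch the freeradius -X output at the same time; no reply at all usually means the source address is not a known client.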

FreeRADIUS settings are now complete. On the Unifi Controller, go to Settings -> Wireless Networks and either create a new wireless network or edit an existing one. Under Security select WPA Enterprise.

It will require a RADIUS Profile to be specified. Click on “Create new RADIUS profile”. Enter a name for the profile and specify the IP address of your RADIUS server and its shared secret (created earlier).

Save the changes made to RADIUS profile and Wireless network.

To set up a mobile client, join the network and enter your Google Workspace username and password.

Note: users can enter either just their user ID or the complete email address in <UserID>@example.com format; the realm definition in proxy.conf makes both work.

In case of an error, make sure the EAP method is TTLS and that Phase 2 (the inner authentication) is GTC or None. Some devices auto-detect these settings; on others you may need to select them manually. Whatever the device, have it validate the RADIUS server certificate (install the CA from the next section and select it as the trusted CA in the client’s WiFi settings). With TTLS/PAP or TTLS/GTC the Google password travels to the RADIUS server inside the TLS tunnel, so a client that skips certificate validation will hand that password to any rogue access point backed by an attacker’s RADIUS server. Do not switch validation off as a workaround for a connection error.

Generating Certificates for Windows Clients

For authenticating Windows clients we need to generate CA and server certificates on FreeRADIUS and install them on client machines. FreeRADIUS provides helpful scripts for generating certificates.

To generate a private (self-signed) CA certificate, which is what the FreeRADIUS documentation recommends for RADIUS deployments because clients then trust only this CA for this network, open the CA configuration file:

nano /etc/freeradius/3.0/certs/ca.cnf

In CA_default section increase the number of days so that the certificate will be valid for a long time (10 years in this case):

default_days            = 3650

In the req section change the input_password and output_password from their default values (the value shown is only an example; choose your own, as it protects the CA’s private key):

input_password          = tj367tHXVK
output_password         = tj367tHXVK

In certificate_authority section enter your organization’s information:

countryName             = US
stateOrProvinceName     = FL
localityName            = Miami
organizationName        = NPO Systems
emailAddress            = [email protected]
commonName              = "NPO Certificate Authority"

Save and exit.

Run the following commands from the certs directory (its Makefile drives the generation) to create the CA certificate:

cd /etc/freeradius/3.0/certs
make ca.pem
make ca.der

Next generate server certificate by following the same procedure:

nano /etc/freeradius/3.0/certs/server.cnf

Change default_days to a large value, input_password and output_password from their default values and enter your organization’s information in server section. Make sure the commonName entered here is different from the one entered in ca.cnf:

default_days            = 3650

input_password          = tj367tHXVK
output_password         = tj367tHXVK

[server]
countryName             = US
stateOrProvinceName     = FL
localityName            = Miami
organizationName        = NPO Systems
emailAddress            = [email protected]
commonName              = "NPO Systems Server Certificate"

Save and exit.

Generate server certificate by running this command:

make server.pem

Ensure the generated files are owned by the FreeRADIUS user, and check that the private keys in that directory (the CA and server keys as well as ldap-client.key) are not readable by other users:

chown freerad:freerad /etc/freeradius/3.0/certs/*

Add the paths of newly generated certificates in eap configuration file:

nano /etc/freeradius/3.0/mods-enabled/eap

In the tls-config tls-common section set the following values (the keys already exist with placeholder values; replace them):

private_key_password = tj367tHXVK
private_key_file = /etc/freeradius/3.0/certs/server.pem
certificate_file = /etc/freeradius/3.0/certs/server.pem
ca_file = /etc/freeradius/3.0/certs/ca.pem

Save and exit.

Restart FreeRADIUS service:

systemctl restart freeradius

Installing Certificates on Client Machines

Windows

Download ca.pem and ca.der certificates from /etc/freeradius/3.0/certs/ and distribute to your clients. On a Windows client, ca.der certificate can be installed by double-clicking on it and following the installation wizard:

Place the certificate in Trusted Root Certification Authorities store:

After completing the wizard, accept the security warning:

Connect to the WiFi by entering your username and password. If Windows shows you the certificate information, check that the issuer is the CA you created above before clicking Connect.

Ubuntu

update-ca-certificates only accepts PEM-encoded certificates with a .crt extension, so re-export ca.pem under that name (keep it in PEM form; a DER file would be ignored):

openssl x509 -in ca.pem -out ca.crt

Copy ca.crt into the /usr/local/share/ca-certificates/ directory on the client machine, then install it:

sudo update-ca-certificates

Connect to the WiFi by selecting Authentication "Tunneled TLS", Inner authentication "GTC", choosing ca.crt as the CA certificate so that wpa_supplicant validates the RADIUS server against it, and entering your username and password.

Troubleshooting

If anything fails, first check that the configuration parses: freeradius -C reports syntax errors without starting the server. Then stop the service:

systemctl stop freeradius.service

and start it in the foreground in debug mode:

freeradius -X

Follow the debug output to troubleshoot further. With the server running this way, radtest (from freeradius-utils, installed above) exercises the PAP-to-LDAP path without an access point: run it on the server as radtest <user> <password> 127.0.0.1 0 testing123, which uses the localhost client stanza that clients.conf ships with, and expect an Access-Accept.
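The messages quoted throughout the comment thread (MS-CHAPv2 with no NT-Password, duplicate packets, an unmatched EAP state, an unrecognised certificate issuer for ldap.google.com) each point at one specific misconfiguration. This added example, not from the post, is a small triage script that scans freeradius -X output for those signatures and names the cause. The patterns are FreeRADIUS 3 log texts, the diagnoses are the fixes described above, and the SAMPLE lines are constructed for the demonstration: they imitate the shapes of the quoted output and are not real captures.

```python
"""Triage for `freeradius -X` output.

Added example, not code from the post or from FreeRADIUS. It scans debug
output for the failure signatures that recur with the Google Secure LDAP
setup and names the cause. SAMPLE is constructed test input that imitates
the shapes quoted in the comment thread; real output is read from stdin.
"""
import re
import sys

SIGNATURES = [
    (r"No NT(?:/LM)?-Password|Cannot create NT-Password|Client is using MS-CHAPv2|MS-CHAP2-Response is incorrect",
     "inner method is MS-CHAPv2 (the Windows PEAP default): Google Secure LDAP only "
     "answers bind requests and never returns a password hash, so MS-CHAPv2 cannot be "
     "verified; configure the client for EAP-TTLS with PAP or GTC"),
    (r"Ignoring duplicate packet from client",
     "the NAS retransmitted while the first request was still waiting on the LDAP bind; "
     "check latency to ldap.google.com or raise the RADIUS timeout on the NAS"),
    (r"No EAP session matching state",
     "State does not match a live EAP session: usually the tail of a retransmit or a "
     "client restarting the exchange; fix the cause of the earlier duplicate"),
    (r"Certificate issuer is not recognized|certificate verify failed|unknown ca",
     "the LDAP library does not trust the CA of ldap.google.com: set ca_file (or "
     "ca_path) in the tls section of mods-enabled/ldap to the system CA bundle"),
    (r"invalid Message-Authenticator|Shared secret is incorrect",
     "RADIUS shared secret in clients.conf differs from the one in the Unifi RADIUS profile"),
    (r"from unknown client",
     "the NAS address is not covered by any client stanza in clients.conf"),
    (r"Bind credentials incorrect|Invalid credentials",
     "an LDAP bind was refused: wrong access credentials in mods-enabled/ldap, or the "
     "user supplied a wrong password"),
]
COMPILED = [(re.compile(pattern, re.IGNORECASE), why) for pattern, why in SIGNATURES]

# Constructed sample input; shapes imitate FreeRADIUS 3 debug lines, values are made up.
SAMPLE = """\
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(0) mschap: Client is using MS-CHAPv2
(0) mschap: ERROR: FAILED: No NT-Password. Cannot perform authentication
(5) Ignoring duplicate packet from client unifi port 33030 - ID: 6 due to unfinished request in component authenticate module eap_ttls
(6) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x2c493b1a284f2e21
(7) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x2c493b1a284f2e21
TLS: certificate [CN=GTS CA 1O1,O=Google Trust Services,C=US] is not valid - error -8179:Peer's Certificate issuer is not recognized..
""".splitlines()


def triage(lines):
    """Return (line, diagnosis) pairs in order of first appearance, one per diagnosis."""
    found, seen = [], set()
    for line in lines:
        for pattern, diagnosis in COMPILED:
            if pattern.search(line) and diagnosis not in seen:
                seen.add(diagnosis)
                found.append((line.strip(), diagnosis))
                break
    return found


def main():
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    hits = triage(lines)
    if not hits:
        print("no known failure signature found")
    for line, diagnosis in hits:
        print("- %s\n    %s" % (line[:100], diagnosis))


if __name__ == "__main__":
    main()
```

Pipe the debug output in (freeradius -X 2>&1 | python3 triage.py, file name assumed) or run it without input to see the result on the constructed sample. The script only matches known shapes; an empty result means you still have to read the full output around the first ERROR line.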

References

Unifi FreeRADIUS on Docker with Google Secure LDAP

FreeRADIUS Production SSL Certificates

91 responses to “FreeRADIUS with Google G Suite/Workspace Secure LDAP for WPA2 Enterprise WiFi”

  1. Thomas

    Hello Nasir,
    thanks for your post, that really fills a gap. Up to now I just found solutions with subject to charge.
    Do you think/know whether your solution also works with the FreeRADIUS server in pfSense (https://www.pfsense.org/)? This might open up a variety of further options besides WPA Enterprise, for PPPoE, PPTP and more.
    Warm regards,
    Thomas

    1. Hi Thomas,

      Thanks for your feedback. I did try this on pfSense as a matter of fact. I was able to get it working successfully by getting into the command line and modifying FreeRADIUS files manually, but the problem I faced was that all the modifications that I did were lost when the pfSense was rebooted.

      1. Thomas

        Hi Nasir,

        have you tested the following way?
        https://docs.netgate.com/pfsense/en/latest/recipes/auth-google-gsuite.html
        It seems they have updated the docs on Sep. 17.

        1. Nice, this looks interesting. No I didn’t test it. Thanks for letting me know!

      2. salvolb

        I am able to configure Google LDAP and Freeradius but the changes are lost when pfSense is restarted.
        Has anyone found the solution?

        1. Only changes stored in pfSense’s XML file are kept, so you need to ensure that the XML is updated.

  2. Matthew

    Hi Nasir,
    thank you very much for your post. Have you had trouble connecting Windows client devices to the WiFi network? What settings did you use on the client side?
    Thanks

    1. Hello,

      No not at all. I tested it with Windows 10, didn’t need any special settings. Just selected WiFi, entered username and password, and accepted the certificate warning. It worked seamlessly!

      1. Matthew

        How strange. In my case there is no way I can authenticate a Windows client. There are no problems with Android.

    2. Chris C

      Matthew-
      I am seeing the same issue with Windows 10 client PCs.
      FreeRadius fails to authenticate because of the client using MS-CHAPv2.
      WARNING: No Cleartext-Password configured. Cannot create NT-Password
      Creating challenge hash with username: ccarr
      Client is using MS-CHAPv2
      ERROR: FAILED: No NT-Password. Cannot perform authentication
      ERROR: MS-CHAP2-Response is incorrect

      NOTE I am using HP Aruba access points

      1. Cesar

        I have the same issue with WIN 10 users

        1. You need to setup CA certificates as given in FreeRADIUS documentation and import them into the Windows machines. I did try it and it works fine.

        2. I’ve updated the post with a section for generating and adding certificates for Windows clients!

  3. Gevanni

    Hi Nassir,

    I have everything configured, but when connecting a macOS client it does not let me in. Do you know if I need a profile or certificate?

    Thank you.

    1. Hello,

      I tested it with an iPad and didn’t face any issues on that. Didn’t test it with a MacOS client.

  4. Geovanni

    Hi, Nassir

    What version of the Unifi controller do you use?
    I have version 6.0.43.0.

    1. I think it was 6.0.36 perhaps.

  5. Christian Bednarz

    Dear Nasir. Thanks for your guide. However, would this also work for VPN via Ubiquiti and Google LDAP authentication? Best regards.

    1. I think it should.

      1. Sebastian

        Nice guide, it works just fine for me. Were you able to make it work for the VPN connection? I did run into an error, not sure if it’s worth investing time here.

        (0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
        (0) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
        (0) mschap: Creating challenge hash with username: …
        (0) mschap: Client is using MS-CHAPv2
        (0) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
        (0) mschap: ERROR: MS-CHAP2-Response is incorrect

  6. Hello Nasir,

    you saved my day. That guide was incredible and easy to read. Thanks a lot for your time. Really appreciate your work. Could configure all in two hours for my corporate network and will turn off old LDAP custom setup next week.

    Greetings, Thomas

    1. Thanks Thomas,

      Glad to help!

  7. Matt Richey

    Hello. I keep getting stuck when trying to restart the service. When I try to run that command, it returns with: Job for freeradius.service failed because the control process exited with error code. I’m not great in terminal, but I think I can get by. Any ideas as to what might be causing this?

    1. Please use freeradius -X to troubleshoot

    2. Chris C

      Hi Matt.
      I started getting the same issue – attempting to start FreeRadius using SystemD fails with an error but running the process manually works fine # /sbin/radiusd -X -d /etc/raddb

  8. Syahwanius

    Hello Nasir. I already followed all the steps and am not getting any error while debugging with freeradius -X, but when a user connects I get some errors in /var/log/freeradius/radius.log:

    Error: (5) Ignoring duplicate packet from client LDAP port 33030 – ID: 6 due to unfinished request in component authenticate module eap_ttls
    ERROR: (6) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x2c493b1a284f2e21
    ERROR: (6) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x2c493b1a284f2e21
    ERROR: (7) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x2c493b1a284f2e21

    and the user can’t connect to the wifi, any idea?

  9. Nick

    Hey Nasir,
    I just want to say thank you for this article. I’ve revisited this a few times trying to get this to work and spent entirely too many hours on it over the last few years without any luck. I was able to get this up and running with your directions quickly and easily.

  10. Marion Bates

    Hi Nasir,

    I am trying to adapt these instructions to Centos 7. When I start radiusd, I see these messages:

    May 03 11:08:21 localhost radiusd[29051]: TLS: certificate [CN=GTS CA 1O1,O=Google Trust Services,C=US] is not valid – error -8179:Peer’s Certificate issuer is not recognized..
    May 03 11:08:22 localhost radiusd[29051]: TLS: error: the certificate ‘/etc/raddb/certs/ldap-client.crt’ could not be found in the database – error -8187:security library: invalid arguments..
    May 03 11:08:22 localhost radiusd[29051]: TLS: certificate ‘/etc/raddb/certs/ldap-client.crt’ successfully loaded from PEM file.
    May 03 11:08:22 localhost radiusd[29051]: TLS: no unlocked certificate for certificate ‘ST=California,C=US,OU=GSuite,CN=LDAP Client,L=Mountain View,O=Google Inc.’.
    May 03 11:08:22 localhost radiusd[29051]: TLS: certificate [CN=GTS CA 1O1,O=Google Trust Services,C=US] is not valid – error -8179:Peer’s Certificate issuer is not recognized..
    May 03 11:08:22 localhost radiusd[29051]: TLS: error: the certificate ‘/etc/raddb/certs/ldap-client.crt’ could not be found in the database – error -8187:security library: invalid arguments..
    May 03 11:08:22 localhost radiusd[29051]: TLS: certificate ‘/etc/raddb/certs/ldap-client.crt’ successfully loaded from PEM file.
    May 03 11:08:22 localhost radiusd[29051]: TLS: no unlocked certificate for certificate ‘ST=California,C=US,OU=GSuite,CN=LDAP Client,L=Mountain View,O=Google Inc.’.
    May 03 11:08:22 localhost radiusd[29051]: TLS: certificate [CN=GTS CA 1O1,O=Google Trust Services,C=US] is not valid – error -8179:Peer’s Certificate issuer is not recognized..

    Do you know what this means or how to fix? Thank you very much! — MB

  11. Glenn

    IOS, MacOS and Android clients connect fine. Windows and ChromeOS are having difficulty connecting. Here is the output of freeradius -X when a Windows client attempts to connect:
    (0) Received Access-Request Id 35 from 172.16.1.25:56448 to 172.16.1.14:1812 length 257
    (0) User-Name = “[email protected]
    (0) NAS-IP-Address = 172.16.1.25
    (0) NAS-Identifier = “029fc26eac66”
    (0) Called-Station-Id = “02-9F-C2-6E-AC-66:HAAS_Student”
    (0) NAS-Port-Type = Wireless-802.11
    (0) Service-Type = Framed-User
    (0) Calling-Station-Id = “98-AF-65-08-37-02”
    (0) Connect-Info = “CONNECT 0Mbps 802.11b”
    (0) Acct-Session-Id = “37C8289B8D2F7CA7”
    (0) Acct-Multi-Session-Id = “DC7E9029C48AF6AE”
    (0) WLAN-Pairwise-Cipher = 1027076
    (0) WLAN-Group-Cipher = 1027076
    (0) WLAN-AKM-Suite = 1027073
    (0) WLAN-Group-Mgmt-Cipher = 1027078
    (0) Framed-MTU = 1400
    (0) EAP-Message = 0x02cb001801676c61676d616e40686161737063732e6e6574
    (0) Message-Authenticator = 0x4764f2541db94b493f83688530a2ecb4
    (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (0) authorize {
    (0) policy filter_username {
    (0) if (&User-Name) {
    (0) if (&User-Name) -> TRUE
    (0) if (&User-Name) {
    (0) if (&User-Name =~ / /) {
    (0) if (&User-Name =~ / /) -> FALSE
    (0) if (&User-Name =~ /@[^@]*@/ ) {
    (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
    (0) if (&User-Name =~ /\.\./ ) {
    (0) if (&User-Name =~ /\.\./ ) -> FALSE
    (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
    (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
    (0) if (&User-Name =~ /\.$/) {
    (0) if (&User-Name =~ /\.$/) -> FALSE
    (0) if (&User-Name =~ /@\./) {
    (0) if (&User-Name =~ /@\./) -> FALSE
    (0) } # if (&User-Name) = notfound
    (0) } # policy filter_username = notfound
    (0) [preprocess] = ok
    (0) [chap] = noop
    (0) [mschap] = noop
    (0) [digest] = noop
    (0) suffix: Checking for suffix after “@”
    (0) suffix: Looking up realm “domain.com” for User-Name = “[email protected]
    (0) suffix: Found realm “domain.com”
    (0) suffix: Adding Stripped-User-Name = “user”
    (0) suffix: Adding Realm = “domain.com”
    (0) suffix: Authentication realm is LOCAL
    (0) [suffix] = ok
    (0) eap: Peer sent EAP Response (code 2) ID 203 length 24
    (0) eap: EAP-Identity reply, returning ‘ok’ so we can short-circuit the rest of authorize
    (0) [eap] = ok
    (0) } # authorize = ok
    (0) Found Auth-Type = eap
    (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (0) authenticate {
    (0) eap: Peer sent packet with method EAP Identity (1)
    (0) eap: Calling submodule eap_ttls to process data
    (0) eap_ttls: Initiating new EAP-TLS session
    (0) eap_ttls: [eaptls start] = request
    (0) eap: Sending EAP Request (code 1) ID 204 length 6
    (0) eap: EAP session adding &reply:State = 0x3ad5cc8d3a19d919
    (0) [eap] = handled
    (0) } # authenticate = handled
    (0) Using Post-Auth-Type Challenge
    (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (0) Challenge { … } # empty sub-section is ignored
    (0) Sent Access-Challenge Id 35 from 172.16.1.14:1812 to 172.16.1.25:56448 length 0
    (0) EAP-Message = 0x01cc00061520
    (0) Message-Authenticator = 0x00000000000000000000000000000000
    (0) State = 0x3ad5cc8d3a19d919bf2f4b6dd6a06ef4
    (0) Finished request
    Waking up in 4.9 seconds.
    (1) Received Access-Request Id 36 from 172.16.1.25:56448 to 172.16.1.14:1812 length 414
    (1) User-Name = “[email protected]
    (1) NAS-IP-Address = 172.16.1.25
    (1) NAS-Identifier = “029fc26eac66”
    (1) Called-Station-Id = “02-9F-C2-6E-AC-66:HAAS_Student”
    (1) NAS-Port-Type = Wireless-802.11
    (1) Service-Type = Framed-User
    (1) Calling-Station-Id = “98-AF-65-08-37-02”
    (1) Connect-Info = “CONNECT 0Mbps 802.11b”
    (1) Acct-Session-Id = “37C8289B8D2F7CA7”
    (1) Acct-Multi-Session-Id = “DC7E9029C48AF6AE”
    (1) WLAN-Pairwise-Cipher = 1027076
    (1) WLAN-Group-Cipher = 1027076
    (1) WLAN-AKM-Suite = 1027073
    (1) WLAN-Group-Mgmt-Cipher = 1027078
    (1) Framed-MTU = 1400
    (1) EAP-Message = 0x02cc00a3158000000099160303009401000090030360f5daec9dc706e59810cf61b9f713636d14b8764b444df9cc63ff348150673c00002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a0100003d000a00080006001d00170018000b000201
    (1) State = 0x3ad5cc8d3a19d919bf2f4b6dd6a06ef4
    (1) Message-Authenticator = 0x5cba8405dd0258e2367d3b93063ce239
    (1) session-state: No cached attributes
    (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (1) authorize {
    (1) policy filter_username {
    (1) if (&User-Name) {
    (1) if (&User-Name) -> TRUE
    (1) if (&User-Name) {
    (1) if (&User-Name =~ / /) {
    (1) if (&User-Name =~ / /) -> FALSE
    (1) if (&User-Name =~ /@[^@]*@/ ) {
    (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
    (1) if (&User-Name =~ /\.\./ ) {
    (1) if (&User-Name =~ /\.\./ ) -> FALSE
    (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
    (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
    (1) if (&User-Name =~ /\.$/) {
    (1) if (&User-Name =~ /\.$/) -> FALSE
    (1) if (&User-Name =~ /@\./) {
    (1) if (&User-Name =~ /@\./) -> FALSE
    (1) } # if (&User-Name) = notfound
    (1) } # policy filter_username = notfound
    (1) [preprocess] = ok
    (1) [chap] = noop
    (1) [mschap] = noop
    (1) [digest] = noop
    (1) suffix: Checking for suffix after “@”
    (1) suffix: Looking up realm “domain.com” for User-Name = “[email protected]
    (1) suffix: Found realm “domain.com”
    (1) suffix: Adding Stripped-User-Name = “user”
    (1) suffix: Adding Realm = “domain.com”
    (1) suffix: Authentication realm is LOCAL
    (1) [suffix] = ok
    (1) eap: Peer sent EAP Response (code 2) ID 204 length 163
    (1) eap: Continuing tunnel setup
    (1) [eap] = ok
    (1) } # authorize = ok
    (1) Found Auth-Type = eap
    (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (1) authenticate {
    (1) eap: Expiring EAP session with state 0x3ad5cc8d3a19d919
    (1) eap: Finished EAP session with state 0x3ad5cc8d3a19d919
    (1) eap: Previous EAP request found for state 0x3ad5cc8d3a19d919, released from the list
    (1) eap: Peer sent packet with method EAP TTLS (21)
    (1) eap: Calling submodule eap_ttls to process data
    (1) eap_ttls: Authenticate
    (1) eap_ttls: Continuing EAP-TLS
    (1) eap_ttls: Peer indicated complete TLS record size will be 153 bytes
    (1) eap_ttls: Got complete TLS record (153 bytes)
    (1) eap_ttls: [eaptls verify] = length included
    (1) eap_ttls: (other): before SSL initialization
    (1) eap_ttls: TLS_accept: before SSL initialization
    (1) eap_ttls: TLS_accept: before SSL initialization
    (1) eap_ttls: <<>> send TLS 1.2 [length 003d]
    (1) eap_ttls: TLS_accept: SSLv3/TLS write server hello
    (1) eap_ttls: >>> send TLS 1.2 [length 031d]
    (1) eap_ttls: TLS_accept: SSLv3/TLS write certificate
    (1) eap_ttls: >>> send TLS 1.2 [length 014d]
    (1) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
    (1) eap_ttls: >>> send TLS 1.2 [length 0004]
    (1) eap_ttls: TLS_accept: SSLv3/TLS write server done
    (1) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server done
    (1) eap_ttls: In SSL Handshake Phase
    (1) eap_ttls: In SSL Accept mode
    (1) eap_ttls: [eaptls process] = handled
    (1) eap: Sending EAP Request (code 1) ID 205 length 1004
    (1) eap: EAP session adding &reply:State = 0x3ad5cc8d3b18d919
    (1) [eap] = handled
    (1) } # authenticate = handled
    (1) Using Post-Auth-Type Challenge
    (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (1) Challenge { … } # empty sub-section is ignored
    (1) Sent Access-Challenge Id 36 from 172.16.1.14:1812 to 172.16.1.25:56448 length 0
    (1) EAP-Message = 0x01cd03ec15c0000004bf160303003d0200003903038895826d02916cc4f4d7eebd23e8c6dfb507512051db2e88444f574e4752440100c030000011ff01000100000b00040300010200170000160303031d0b0003190003160003133082030f308201f7a00302010202140093bdec6d7accbcea599f3d61
    (1) Message-Authenticator = 0x00000000000000000000000000000000
    (1) State = 0x3ad5cc8d3b18d919bf2f4b6dd6a06ef4
    (1) Finished request
    Waking up in 4.9 seconds.
    (2) Received Access-Request Id 37 from 172.16.1.25:56448 to 172.16.1.14:1812 length 257
    (2) User-Name = “[email protected]
    (2) NAS-IP-Address = 172.16.1.25
    (2) NAS-Identifier = “029fc26eac66”
    (2) Called-Station-Id = “02-9F-C2-6E-AC-66:HAAS_Student”
    (2) NAS-Port-Type = Wireless-802.11
    (2) Service-Type = Framed-User
    (2) Calling-Station-Id = “98-AF-65-08-37-02”
    (2) Connect-Info = “CONNECT 0Mbps 802.11b”
    (2) Acct-Session-Id = “37C8289B8D2F7CA7”
    (2) Acct-Multi-Session-Id = “DC7E9029C48AF6AE”
    (2) WLAN-Pairwise-Cipher = 1027076
    (2) WLAN-Group-Cipher = 1027076
    (2) WLAN-AKM-Suite = 1027073
    (2) WLAN-Group-Mgmt-Cipher = 1027078
    (2) Framed-MTU = 1400
    (2) EAP-Message = 0x02cd00061500
    (2) State = 0x3ad5cc8d3b18d919bf2f4b6dd6a06ef4
    (2) Message-Authenticator = 0x234375bee42a3c192ca7d6a9aba0c316
    (2) session-state: No cached attributes
    (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (2) authorize {
    (2) policy filter_username {
    (2) if (&User-Name) {
    (2) if (&User-Name) -> TRUE
    (2) if (&User-Name) {
    (2) if (&User-Name =~ / /) {
    (2) if (&User-Name =~ / /) -> FALSE
    (2) if (&User-Name =~ /@[^@]*@/ ) {
    (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
    (2) if (&User-Name =~ /\.\./ ) {
    (2) if (&User-Name =~ /\.\./ ) -> FALSE
    (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
    (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
    (2) if (&User-Name =~ /\.$/) {
    (2) if (&User-Name =~ /\.$/) -> FALSE
    (2) if (&User-Name =~ /@\./) {
    (2) if (&User-Name =~ /@\./) -> FALSE
    (2) } # if (&User-Name) = notfound
    (2) } # policy filter_username = notfound
    (2) [preprocess] = ok
    (2) [chap] = noop
    (2) [mschap] = noop
    (2) [digest] = noop
    (2) suffix: Checking for suffix after “@”
    (2) suffix: Looking up realm “domain.com” for User-Name = “[email protected]
    (2) suffix: Found realm “domain.com”
    (2) suffix: Adding Stripped-User-Name = “user”
    (2) suffix: Adding Realm = “domain.com”
    (2) suffix: Authentication realm is LOCAL
    (2) [suffix] = ok
    (2) eap: Peer sent EAP Response (code 2) ID 205 length 6
    (2) eap: Continuing tunnel setup
    (2) [eap] = ok
    (2) } # authorize = ok
    (2) Found Auth-Type = eap
    (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (2) authenticate {
    (2) eap: Expiring EAP session with state 0x3ad5cc8d3b18d919
    (2) eap: Finished EAP session with state 0x3ad5cc8d3b18d919
    (2) eap: Previous EAP request found for state 0x3ad5cc8d3b18d919, released from the list
    (2) eap: Peer sent packet with method EAP TTLS (21)
    (2) eap: Calling submodule eap_ttls to process data
    (2) eap_ttls: Authenticate
    (2) eap_ttls: Continuing EAP-TLS
    (2) eap_ttls: Peer ACKed our handshake fragment
    (2) eap_ttls: [eaptls verify] = request
    (2) eap_ttls: [eaptls process] = handled
    (2) eap: Sending EAP Request (code 1) ID 206 length 231
    (2) eap: EAP session adding &reply:State = 0x3ad5cc8d381bd919
    (2) [eap] = handled
    (2) } # authenticate = handled
    (2) Using Post-Auth-Type Challenge
    (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (2) Challenge { … } # empty sub-section is ignored
    (2) Sent Access-Challenge Id 37 from 172.16.1.14:1812 to 172.16.1.25:56448 length 0
    (2) EAP-Message = 0x01ce00e71580000004bfbf424d0a0d365eae2bfc4e485a164843e5c79d3264931ae8ee1cec646bf6fc073ce0f1fb1914af8487a4bd7a4d24ceed9b63bdf84f5ebe25815289ff08e75e14c94b1c73fb0088626988121ffcf2b66737c9f421d17d4a750447e6b41d0f473dc9f097cecb57b0c550e7741a4e
    (2) Message-Authenticator = 0x00000000000000000000000000000000
    (2) State = 0x3ad5cc8d381bd919bf2f4b6dd6a06ef4
    (2) Finished request
    Waking up in 4.9 seconds.
    (3) Received Access-Request Id 38 from 172.16.1.25:56448 to 172.16.1.14:1812 length 387
    (3) User-Name = “[email protected]
    (3) NAS-IP-Address = 172.16.1.25
    (3) NAS-Identifier = “029fc26eac66”
    (3) Called-Station-Id = “02-9F-C2-6E-AC-66:HAAS_Student”
    (3) NAS-Port-Type = Wireless-802.11
    (3) Service-Type = Framed-User
    (3) Calling-Station-Id = “98-AF-65-08-37-02”
    (3) Connect-Info = “CONNECT 0Mbps 802.11b”
    (3) Acct-Session-Id = “37C8289B8D2F7CA7”
    (3) Acct-Multi-Session-Id = “DC7E9029C48AF6AE”
    (3) WLAN-Pairwise-Cipher = 1027076
    (3) WLAN-Group-Cipher = 1027076
    (3) WLAN-AKM-Suite = 1027073
    (3) WLAN-Group-Mgmt-Cipher = 1027078
    (3) Framed-MTU = 1400
    (3) EAP-Message = 0x02ce008815800000007e160303004610000042410420b898065746e53f921b7a2adf25d1b9f2e8845c3a76fd67531bb999a6577ed53aa429f635dde53c290ab85afc15d8dab90c35180e3447fa9a37ea22434c8f7314030300010116030300280000000000000000c1981ae5120f9fd048d6e155c74693
    (3) State = 0x3ad5cc8d381bd919bf2f4b6dd6a06ef4
    (3) Message-Authenticator = 0x23fc4a0fa143997f21fd295f3f12c4a9
    (3) session-state: No cached attributes
    (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (3) authorize {
    (3) policy filter_username {
    (3) if (&User-Name) {
    (3) if (&User-Name) -> TRUE
    (3) if (&User-Name) {
    (3) if (&User-Name =~ / /) {
    (3) if (&User-Name =~ / /) -> FALSE
    (3) if (&User-Name =~ /@[^@]*@/ ) {
    (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
    (3) if (&User-Name =~ /\.\./ ) {
    (3) if (&User-Name =~ /\.\./ ) -> FALSE
    (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
    (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
    (3) if (&User-Name =~ /\.$/) {
    (3) if (&User-Name =~ /\.$/) -> FALSE
    (3) if (&User-Name =~ /@\./) {
    (3) if (&User-Name =~ /@\./) -> FALSE
    (3) } # if (&User-Name) = notfound
    (3) } # policy filter_username = notfound
    (3) [preprocess] = ok
    (3) [chap] = noop
    (3) [mschap] = noop
    (3) [digest] = noop
    (3) suffix: Checking for suffix after “@”
    (3) suffix: Looking up realm “domain.com” for User-Name = “[email protected]
    (3) suffix: Found realm “domain.com”
    (3) suffix: Adding Stripped-User-Name = “user”
    (3) suffix: Adding Realm = “domain.com”
    (3) suffix: Authentication realm is LOCAL
    (3) [suffix] = ok
    (3) eap: Peer sent EAP Response (code 2) ID 206 length 136
    (3) eap: Continuing tunnel setup
    (3) [eap] = ok
    (3) } # authorize = ok
    (3) Found Auth-Type = eap
    (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (3) authenticate {
    (3) eap: Expiring EAP session with state 0x3ad5cc8d381bd919
    (3) eap: Finished EAP session with state 0x3ad5cc8d381bd919
    (3) eap: Previous EAP request found for state 0x3ad5cc8d381bd919, released from the list
    (3) eap: Peer sent packet with method EAP TTLS (21)
    (3) eap: Calling submodule eap_ttls to process data
    (3) eap_ttls: Authenticate
    (3) eap_ttls: Continuing EAP-TLS
    (3) eap_ttls: Peer indicated complete TLS record size will be 126 bytes
    (3) eap_ttls: Got complete TLS record (126 bytes)
    (3) eap_ttls: [eaptls verify] = length included
    (3) eap_ttls: TLS_accept: SSLv3/TLS write server done
    (3) eap_ttls: <<< recv TLS 1.2 [length 0046]
    (3) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
    (3) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
    (3) eap_ttls: <<>> send TLS 1.2 [length 0001]
    (3) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
    (3) eap_ttls: >>> send TLS 1.2 [length 0010]
    (3) eap_ttls: TLS_accept: SSLv3/TLS write finished
    (3) eap_ttls: (other): SSL negotiation finished successfully
    (3) eap_ttls: SSL Connection Established
    (3) eap_ttls: [eaptls process] = handled
    (3) eap: Sending EAP Request (code 1) ID 207 length 61
    (3) eap: EAP session adding &reply:State = 0x3ad5cc8d391ad919
    (3) [eap] = handled
    (3) } # authenticate = handled
    (3) Using Post-Auth-Type Challenge
    (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (3) Challenge { … } # empty sub-section is ignored
    (3) Sent Access-Challenge Id 38 from 172.16.1.14:1812 to 172.16.1.25:56448 length 0
    (3) EAP-Message = 0x01cf003d1580000000331403030001011603030028a84720c979cd4ada6e5d4015a41131f1cb2e44988c2070504509e7f15c19e598cff3b557f231747e
    (3) Message-Authenticator = 0x00000000000000000000000000000000
    (3) State = 0x3ad5cc8d391ad919bf2f4b6dd6a06ef4
    (3) Finished request
    Waking up in 4.9 seconds.
    (0) Cleaning up request packet ID 35 with timestamp +27
    (1) Cleaning up request packet ID 36 with timestamp +27
    (2) Cleaning up request packet ID 37 with timestamp +27
    (3) Cleaning up request packet ID 38 with timestamp +27

  12. Glenn

    Is there a way to restrict authentications to a particular OU in Google Workspace?

  13. Wade Gibson

    Thank you for this tutorial! I set up FreeRADIUS on an Ubuntu 20.04 LTS server and my macOS 11.6 Big Sur, iPad, and iPhone all connect without any additional configuration needed. I have tried numerous times to get a Windows 10 laptop and a Chromebook to connect, but I can’t seem to get either one to work. The Chromebook gave a fair amount of options, as far as being able to manually select EAP-TTLS/GTC and Do Not Check Server CA Certificate, so I thought I’d be able to get it online, but it always says “Authentication Certificate Rejected Locally.” I’m hopeful that someone can find a combination of settings that will work. Thanks!

    1. Yes, now Windows 10 does not work with private CA certificates like the ones in this FreeRADIUS install. Previously it used to prompt, not any more. The solution would be to use certificates from a well-known CA. I haven’t tried this yet.

  14. Vidas

    Great post. I have the same setup in Ruckus and might have to do it with Unifi as well, so good to know there’s somewhat of a cheat-sheet in case things go south.. My question is – is it possible to add Google’s 2FA to this? I only saw examples with OpenLDAP and AD, wonder if it’s the same with GSuite..
    thanks!

    1. I haven’t tried that.

    2. Joshua

      Hi Vidas, you mentioned having the same setup in Rukus so I am wondering if you have the same authentication setup (Google Secure LDAP) working with Ruckus Zone Director?

      1. It’s based on RADIUS so it should work with Ruckus and other vendors as well.

  15. Matheos

    Hello Nasir,
    After configuring the files, FreeRADIUS does not start anymore and I get the following error.
    Thanks in advance.

    The process’ exit code is ‘exited’ and its exit status is 1.
    Feb 27 22:06:46 raspberrypi systemd[1]: freeradius.service: Failed with result ‘
    — Subject: Unit failed
    — Defined-By: systemd
    — Support: https://www.debian.org/support

    — The unit freeradius.service has entered the ‘failed’ state with result ‘exit-
    Feb 27 22:06:46 raspberrypi systemd[1]: Failed to start FreeRADIUS multi-protoco
    — Subject: A start job for unit freeradius.service has failed

    1. Start it in debugging mode and use that for troubleshooting.

  16. filippo

    Hi Nasir,
    Everything’s working fine except users cannot authenticate with this username format:
    [email protected]
    but only with
    name.username

    What am I missing?

    1. It should work with both formats. Make sure your proxy.conf settings are correct.

  17. James

    I followed these instructions and am able to get all other devices to authenticate using EAP-TTLS (GTC), but I cannot for the life of me get Windows 10 to authenticate.
    Scenario: 1. I connect to the SSID
    2. Freeradius asks me to validate my credentials
    3. I am greeted with another window, “Enter Network Security Key” – to which I don’t know. Even when I use my password again, I get a “can’t connect to network” message. Any help would be greatly appreciated.

    1. Windows 10 does not work with unknown CA certificates. You can generate CA certificates using FreeRADIUS and import them in your Windows machines.

    2. I’ve updated the post with a section for generating and adding certificates for Windows clients!

  18. Michael

    Hello Nasir, any updates on windows 10 and freeradius? I have tested everything but no luck, we have google ldap in the freeradius, mac working great but not windows.

    1. Yes, I got it to work on Windows as well. I probably should have documented that in a separate blog post. It used private CA certificates generated using FreeRADIUS and imported on Windows.

      1. Michael

        That would be awesome, along with a document on how to do it right for Windows 10/11 🙂

        1. I’ve updated the post with a section for generating and adding certificates for Windows clients!

      2. Juan Carlos

        Hi Nasir, thank you so much for documenting this particular scenario. By the way, did you have the chance to finish it? Perhaps it was already posted in a separate blog post as you mentioned and I’ve missed it. Thanks again!

        1. I’ve updated the post with a section for generating and adding certificates for Windows clients!

  19. Aleks

    Hello Nasir.
    Any chance you could add support for LDAP groups? I’ve played a lot with the configuration, but authorization based on Google LDAP groups doesn’t work for me.
    P.S.
    Anyone else with the same issue?

  20. Luis

    Hi Nasir, it’s been a few months now that I have been trying to make this work with Windows clients. I generated ca.der with the FreeRADIUS script and imported it on the Windows machines, but I am still unable to connect; Apple and Android machines have no problem.

    I am now getting a :

    (75) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
    (75) mschap: Creating challenge hash with username: alumna.test
    (75) mschap: Client is using MS-CHAPv2
    (75) mschap: ERROR: FAILED: No NT-Password. Cannot perform authentication
    (75) mschap: ERROR: MS-CHAP2-Response is incorrect

    1. Luis

      Thanks so much for your help, it is greatly appreciated.

    2. I’ve updated the post with a section for generating and adding certificates for Windows clients!

  21. This is what I am getting when I try to connect, using freeradius -X debug. Any help is appreciated.

    Ignoring request to auth address * port 1812 bound to server default from unknown client 10.10.13.74 port 57235 proto udp

  22. Don’t know what I did but a restart fixed it. I’m able to authenticate on iPads and iphones now! TY so much Nasir

  23. I am also having Windows WiFi authentication problems. I have tried importing the cert after making one with FreeRADIUS; any help would be greatly appreciated!

    1. I’ve updated the post with a section for generating and adding certificates for Windows clients!

  24. Antonio

    Hi, I’m having auth problem.
    My log …
    (5) Received Access-Request Id 20 from 192.168.1.89:59681 to 192.168.1.254:1812 length 353
    (5) User-Name = “[email protected]
    (5) NAS-IP-Address = 192.168.1.89
    (5) NAS-Identifier = “TP-Link:D2-32-E5-07-AA-BA”
    (5) NAS-Port-Id = “00000001”
    (5) Called-Station-Id = “D2-32-E5-07-AA-BA:test”
    (5) NAS-Port-Type = Wireless-802.11
    (5) Event-Timestamp = “Jul 17 2022 22:02:05 UTC”
    (5) Service-Type = Framed-User
    (5) Calling-Station-Id = “24-18-1D-0C-74-C3”
    (5) Connect-Info = “CONNECT 0Mbps 802.11b”
    (5) Acct-Session-Id = “d232e507aaba-607E350E2F95A0BC”
    (5) Acct-Multi-Session-Id = “D6F6EAC41CB2D2B4”
    (5) WLAN-Pairwise-Cipher = 1027076
    (5) WLAN-Group-Cipher = 1027076
    (5) WLAN-AKM-Suite = 1027073
    (5) Framed-MTU = 1400
    (5) EAP-Message = 0x0278003b15001703030030000000000000000208d0d7f1f58df68f431ed45daf3ed427ef761981ec6dda845d83d5ed5aaf82bb9891017c2a9e7a71
    (5) State = 0xc566114cc11e045b5f3fa74c07ac15e2
    (5) Message-Authenticator = 0xd68259c94fb662a335eeb6cff9cc0a25
    (5) Restoring &session-state
    (5) &session-state:Framed-MTU = 994
    (5) &session-state:TLS-Session-Information = “(TLS) recv TLS 1.3 Handshake, ClientHello”
    (5) &session-state:TLS-Session-Information = “(TLS) send TLS 1.2 Handshake, ServerHello”
    (5) &session-state:TLS-Session-Information = “(TLS) send TLS 1.2 Handshake, Certificate”
    (5) &session-state:TLS-Session-Information = “(TLS) send TLS 1.2 Handshake, ServerKeyExchange”
    (5) &session-state:TLS-Session-Information = “(TLS) send TLS 1.2 Handshake, ServerHelloDone”
    (5) &session-state:TLS-Session-Information = “(TLS) recv TLS 1.2 Handshake, ClientKeyExchange”
    (5) &session-state:TLS-Session-Information = “(TLS) recv TLS 1.2 Handshake, Finished”
    (5) &session-state:TLS-Session-Information = “(TLS) send TLS 1.2 ChangeCipherSpec”
    (5) &session-state:TLS-Session-Information = “(TLS) send TLS 1.2 Handshake, Finished”
    (5) &session-state:TLS-Session-Cipher-Suite = “ECDHE-RSA-AES128-GCM-SHA256”
    (5) &session-state:TLS-Session-Version = “TLS 1.2”
    (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (5) authorize {
    (5) policy filter_username {
    (5) if (&User-Name) {
    (5) if (&User-Name) -> TRUE
    (5) if (&User-Name) {
    (5) if (&User-Name =~ / /) {
    (5) if (&User-Name =~ / /) -> FALSE
    (5) if (&User-Name =~ /@[^@]*@/ ) {
    (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
    (5) if (&User-Name =~ /\.\./ ) {
    (5) if (&User-Name =~ /\.\./ ) -> FALSE
    (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
    (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
    (5) if (&User-Name =~ /\.$/) {
    (5) if (&User-Name =~ /\.$/) -> FALSE
    (5) if (&User-Name =~ /@\./) {
    (5) if (&User-Name =~ /@\./) -> FALSE
    (5) } # if (&User-Name) = notfound
    (5) } # policy filter_username = notfound
    (5) [preprocess] = ok
    (5) [digest] = noop
    (5) suffix: Checking for suffix after “@”
    (5) suffix: Looking up realm “iissgarrone.edu.it” for User-Name = “[email protected]
    (5) suffix: Found realm “iissgarrone.edu.it”
    (5) suffix: Adding Stripped-User-Name = “antoniocangiano”
    (5) suffix: Adding Realm = “iissgarrone.edu.it”
    (5) suffix: Authentication realm is LOCAL
    (5) [suffix] = ok
    (5) eap: Peer sent EAP Response (code 2) ID 120 length 59
    (5) eap: Continuing tunnel setup
    (5) [eap] = ok
    (5) } # authorize = ok
    (5) Found Auth-Type = eap
    (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (5) authenticate {
    (5) eap: Expiring EAP session with state 0x787ebb25787fbd70
    (5) eap: Finished EAP session with state 0xc566114cc11e045b
    (5) eap: Previous EAP request found for state 0xc566114cc11e045b, released from the list
    (5) eap: Peer sent packet with method EAP TTLS (21)
    (5) eap: Calling submodule eap_ttls to process data
    (5) eap_ttls: Authenticate
    (5) eap_ttls: (TLS) EAP Done initial handshake
    (5) eap_ttls: Session established. Proceeding to decode tunneled attributes
    (5) eap_ttls: Got tunneled request
    (5) eap_ttls: EAP-Message = 0x0201000e06476172726f6e653232
    (5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
    (5) eap_ttls: Sending tunneled request
    (5) Virtual server inner-tunnel received request
    (5) EAP-Message = 0x0201000e06476172726f6e653232
    (5) FreeRADIUS-Proxied-To = 127.0.0.1
    (5) User-Name = “[email protected]
    (5) State = 0x787ebb25787fbd708b134ef9ad80f37c
    (5) WARNING: Outer and inner identities are the same. User privacy is compromised.
    (5) server inner-tunnel {
    (5) session-state: No cached attributes
    (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
    (5) authorize {
    (5) policy filter_username {
    (5) if (&User-Name) {
    (5) if (&User-Name) -> TRUE
    (5) if (&User-Name) {
    (5) if (&User-Name =~ / /) {
    (5) if (&User-Name =~ / /) -> FALSE
    (5) if (&User-Name =~ /@[^@]*@/ ) {
    (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
    (5) if (&User-Name =~ /\.\./ ) {
    (5) if (&User-Name =~ /\.\./ ) -> FALSE
    (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
    (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
    (5) if (&User-Name =~ /\.$/) {
    (5) if (&User-Name =~ /\.$/) -> FALSE
    (5) if (&User-Name =~ /@\./) {
    (5) if (&User-Name =~ /@\./) -> FALSE
    (5) } # if (&User-Name) = notfound
    (5) } # policy filter_username = notfound
    (5) suffix: Checking for suffix after “@”
    (5) suffix: Looking up realm “iissgarrone.edu.it” for User-Name = “[email protected]
    (5) suffix: Found realm “iissgarrone.edu.it”
    (5) suffix: Adding Stripped-User-Name = “antoniocangiano”
    (5) suffix: Adding Realm = “iissgarrone.edu.it”
    (5) suffix: Authentication realm is LOCAL
    (5) [suffix] = ok
    (5) update control {
    (5) &Proxy-To-Realm := LOCAL
    (5) } # update control = noop
    (5) eap: Peer sent EAP Response (code 2) ID 1 length 14
    (5) eap: No EAP Start, assuming it’s an on-going EAP conversation
    (5) [eap] = updated
    rlm_ldap (ldap): Reserved connection (0)
    (5) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
    (5) ldap: –> (uid=antoniocangiano)
    (5) ldap: Performing search in “ou=Users,dc=iissgarrone,dc=edu,dc=it” with filter “(uid=antoniocangiano)”, scope “sub”
    (5) ldap: Waiting for search result…
    (5) ldap: User object found at DN “uid=antoniocangiano,ou=Users,dc=iissgarrone,dc=edu,dc=it”
    (5) ldap: Processing user attributes
    (5) ldap: WARNING: No “known good” password added. Ensure the admin user has permission to read the password attribute
    (5) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
    rlm_ldap (ldap): Released connection (0)
    Need more connections to reach 10 spares
    rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
    rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
    rlm_ldap (ldap): Waiting for bind result…
    ber_get_next failed, errno=11.
    rlm_ldap (ldap): Bind successful
    (5) [ldap] = ok
    (5) [expiration] = noop
    (5) [logintime] = noop
    (5) [pap] = noop
    (5) if (User-Password) {
    (5) if (User-Password) -> FALSE
    (5) } # authorize = updated
    (5) Found Auth-Type = eap
    (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
    (5) authenticate {
    (5) eap: Expiring EAP session with state 0x787ebb25787fbd70
    (5) eap: Finished EAP session with state 0x787ebb25787fbd70
    (5) eap: Previous EAP request found for state 0x787ebb25787fbd70, released from the list
    (5) eap: Peer sent packet with method EAP GTC (6)
    (5) eap: Calling submodule eap_gtc to process data
    (5) eap_gtc: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
    (5) eap_gtc: Auth-Type PAP {
    rlm_ldap (ldap): Reserved connection (1)
    (5) ldap: Login attempt by “antoniocangiano”
    (5) ldap: Using user DN from request “uid=antoniocangiano,ou=Users,dc=iissgarrone,dc=edu,dc=it”
    (5) ldap: Waiting for bind result…
    (5) ldap: ERROR: Bind credentials incorrect: Invalid credentials
    (5) ldap: ERROR: Server said: Incorrect password.
    rlm_ldap (ldap): Released connection (1)
    Need more connections to reach 10 spares
    rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used
    rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
    rlm_ldap (ldap): Waiting for bind result…
    ber_get_next failed, errno=11.
    rlm_ldap (ldap): Bind successful
    (5) eap_gtc: [ldap] = reject
    (5) eap_gtc: } # Auth-Type PAP = reject
    (5) eap: ERROR: Failed continuing EAP GTC (6) session. EAP sub-module failed
    (5) eap: Sending EAP Failure (code 4) ID 1 length 4
    (5) eap: Failed in EAP select
    (5) [eap] = invalid
    (5) } # authenticate = invalid
    (5) Failed to authenticate the user
    (5) Using Post-Auth-Type Reject
    (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
    (5) Post-Auth-Type REJECT {
    (5) attr_filter.access_reject: EXPAND %{User-Name}
    (5) attr_filter.access_reject: –> [email protected]
    (5) attr_filter.access_reject: Matched entry DEFAULT at line 11
    (5) [attr_filter.access_reject] = updated
    (5) update outer.session-state {
    (5) &Module-Failure-Message := &request:Module-Failure-Message -> ‘ldap: Bind credentials incorrect: Invalid credentials’
    (5) } # update outer.session-state = noop
    (5) } # Post-Auth-Type REJECT = updated
    (5) } # server inner-tunnel
    (5) Virtual server sending reply
    (5) EAP-Message = 0x04010004
    (5) Message-Authenticator = 0x00000000000000000000000000000000
    (5) eap_ttls: Got tunneled Access-Reject
    (5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
    (5) eap: Sending EAP Failure (code 4) ID 120 length 4
    (5) eap: Failed in EAP select
    (5) [eap] = invalid
    (5) } # authenticate = invalid
    (5) Failed to authenticate the user
    (5) Using Post-Auth-Type Reject
    (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (5) Post-Auth-Type REJECT {
    (5) attr_filter.access_reject: EXPAND %{User-Name}
    (5) attr_filter.access_reject: –> [email protected]
    (5) attr_filter.access_reject: Matched entry DEFAULT at line 11
    (5) [attr_filter.access_reject] = updated
    (5) [eap] = noop
    (5) policy remove_reply_message_if_eap {
    (5) if (&reply:EAP-Message && &reply:Reply-Message) {
    (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
    (5) else {
    (5) [noop] = noop
    (5) } # else = noop
    (5) } # policy remove_reply_message_if_eap = noop
    (5) } # Post-Auth-Type REJECT = updated
    (5) Delaying response for 1.000000 seconds
    Waking up in 0.9 seconds.
    (5) (5) Discarding duplicate request from client test port 59681 – ID: 20 due to delayed response
    Waking up in 0.7 seconds.
    (5) Sending delayed response
    (5) Sent Access-Reject Id 20 from 192.168.1.254:1812 to 192.168.1.89:59681 length 44
    (5) EAP-Message = 0x04780004
    (5) Message-Authenticator = 0x00000000000000000000000000000000
    Waking up in 1.0 seconds.
    (0) Cleaning up request packet ID 15 with timestamp +5 due to cleanup_delay was reached
    (1) Cleaning up request packet ID 16 with timestamp +5 due to cleanup_delay was reached
    (2) Cleaning up request packet ID 17 with timestamp +5 due to cleanup_delay was reached
    (3) Cleaning up request packet ID 18 with timestamp +5 due to cleanup_delay was reached
    (4) Cleaning up request packet ID 19 with timestamp +5 due to cleanup_delay was reached
    Waking up in 2.8 seconds.
    (5) Cleaning up request packet ID 20 with timestamp +5 due to cleanup_delay was reached
    Ready to process requests

    Can you help me
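    The log above, like the others quoted in this thread, is full of `EAP-Message = 0x…` attributes. The following is an added example, not part of the original post or of any commenter’s configuration, that decodes those hex strings the way FreeRADIUS does. The outer EAP-TTLS messages (type 21) carry a flags byte, an optional total length and TLS records, so they contain only ciphertext and are safe to paste. The `eap_ttls: EAP-Message = …` line that FreeRADIUS prints for the inner tunnel after decryption, however, is the EAP-GTC response, and its payload is the user’s password in cleartext. The two TTLS strings and the EAP-Failure below are copied from debug output quoted in the comments; the GTC response is constructed for the example with a made-up password, and `scrub_debug_line` shows how to redact that attribute before sharing a `freeradius -X` transcript.

```python
"""Decode the EAP-Message attribute as printed by `freeradius -X`.

Added example, not from the original post. The two EAP-TTLS strings and the
EAP-Failure are copied from debug output quoted in the comments above; the
EAP-GTC response is constructed so that no real password is reproduced.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 6: "GTC", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}
TTLS_LENGTH_INCLUDED, TTLS_MORE_FRAGMENTS, TTLS_START = 0x80, 0x40, 0x20  # RFC 5281 s9.1


@dataclass
class EapMessage:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int] = None
    ttls_flags: int = 0
    tls_total_length: Optional[int] = None   # only present when the L flag is set
    payload: bytes = b""
    cleartext_secret: Optional[str] = None   # EAP-GTC response: the password as typed

    def summary(self) -> str:
        name = EAP_CODES.get(self.code, f"code {self.code}")
        if self.eap_type is None:
            return f"EAP {name} id={self.identifier}"
        return (f"EAP {name} id={self.identifier} "
                f"type={EAP_TYPES.get(self.eap_type, self.eap_type)} payload={len(self.payload)}B")


def decode_eap_message(hex_attr: str) -> EapMessage:
    """Parse one `EAP-Message = 0x...` value: 4-byte EAP header, type byte, method data."""
    raw = bytes.fromhex(hex_attr[2:] if hex_attr.lower().startswith("0x") else hex_attr)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, identifier, length")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length {length} but {len(raw)} bytes present (truncated paste?)")
    msg = EapMessage(code, ident, length)
    if length == 4:                          # Success/Failure carry no type byte
        return msg
    msg.eap_type, body = raw[4], raw[5:]
    if msg.eap_type == 21:                   # EAP-TTLS: flags, optional 4-byte total TLS length
        msg.ttls_flags, body = body[0], body[1:]
        if msg.ttls_flags & TTLS_LENGTH_INCLUDED:
            msg.tls_total_length, body = int.from_bytes(body[:4], "big"), body[4:]
    elif msg.eap_type == 6 and code == 2:    # EAP-GTC response: token/password in the clear
        msg.cleartext_secret = body.decode("utf-8", "replace")
    msg.payload = body
    return msg


def tls_records(payload: bytes) -> List[Tuple[int, int]]:
    """Split a TTLS payload into (content_type, length) TLS record headers."""
    out, i = [], 0
    while i + 5 <= len(payload):
        ctype, rec_len = payload[i], int.from_bytes(payload[i + 3:i + 5], "big")
        out.append((ctype, rec_len))
        i += 5 + rec_len
    return out


EAP_ATTR = re.compile(r"(EAP-Message = )(0x[0-9a-fA-F]+)")


def scrub_debug_line(line: str) -> str:
    """Redact EAP-GTC responses (cleartext passwords) before a debug log is pasted anywhere."""
    def _redact(m):
        try:
            msg = decode_eap_message(m.group(2))
        except ValueError:
            return m.group(0)
        if msg.cleartext_secret is None:
            return m.group(0)
        return f"{m.group(1)}<EAP-GTC response redacted, id={msg.identifier}>"
    return EAP_ATTR.sub(_redact, line)


# Copied from the comments: server->client TTLS request, L flag set, ChangeCipherSpec + Finished records
OUTER_REQUEST = ("0x01cf003d1580000000331403030001011603030028a84720c979cd4ada6e5d4015a41131f1cb2e4498"
                 "8c2070504509e7f15c19e598cff3b557f231747e")
# Copied from the comments: client->server TTLS response carrying one encrypted application-data record
OUTER_RESPONSE = ("0x0278003b15001703030030000000000000000208d0d7f1f58df68f431ed45daf3ed427ef761981ec6d"
                  "da845d83d5ed5aaf82bb9891017c2a9e7a71")
EAP_FAILURE = "0x04780004"                                  # copied from the comments
INNER_GTC = "0x0201000e06" + b"s3cret-pw".hex()            # constructed inner-tunnel GTC response

if __name__ == "__main__":
    for label, attr in [("outer request", OUTER_REQUEST), ("outer response", OUTER_RESPONSE),
                        ("failure", EAP_FAILURE), ("inner GTC", INNER_GTC)]:
        m = decode_eap_message(attr)
        recs = tls_records(m.payload) if m.eap_type == 21 else "-"
        print(f"{label:15} {m.summary()}  tls_records={recs}")
    print(scrub_debug_line(f"(5) eap_ttls: EAP-Message = {INNER_GTC}"))
```

    Run it with `python3 eap_decode.py`. TLS content type 20 is ChangeCipherSpec, 22 is Handshake and 23 is encrypted application data; the GTC payload only ever appears in the inner-tunnel line, which is the one to scrub.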

  25. Tony

    Thanks for the instructions. I followed the steps you provided, including setting up the Unifi Controller, but am having a connection issue: I could not connect using my user name and password.
    On debugging with freeradius -X, the output is below:
    Ignoring request to auth address * port 1812 bound to server default from unknown client 154.68.248.114 port 33637 proto udp.
    Please, what could have gone wrong?

    1. Titus

      You need to add the AP IP address to your clients.conf file.

  26. Shou

    Hello, I managed to use this tutorial successfully with a Unifi Cloud Key. Sadly, I have one constraint: no certificate installation is wanted on the local device. Is there a way to make it work without the certificate part (yeah, even as I write this, I guess it’s obviously a no)? Or is there a way to use a public certificate that the machine could grab online? Or any other suggestion... Thanks a lot

    1. You’re referring to “Generating Certificates for Windows Clients” section? Yes it might be possible to use public certificates, but I haven’t tried that.

      1. Shou

        Hello, I’m referring to the whole “Installing Certificates on Client Machines” section. In the situation I’m facing, it’s not corporate machines that are going to log in, so there can be no pre-deployment with a GPO or similar, and we can’t ask the users to do that (ordinary users). That’s why I was wondering if a public certificate (e.g. a wildcard certificate issued by GoDaddy) would allow us to skip such local operations. And thanks again for this great tutorial; I can attest it works nicely. The problem I face is just a “bonus”, otherwise it works.

  27. Shou

    Oh well, just to share a bit more knowledge: it isn’t possible to use any public certs for FreeRADIUS... https://kiwix.ounapuu.ee/serverfault.com_en_all_2019-02/A/question/692850.html

  28. David

    Hi Nasir, great job! Thank you very much for this.
    I’ve one more question about dynamic VLAN assignment: in our school we use 2 different VLANs, one for teachers and one for students.
    On the Google Workspace side we also have 2 different user groups. Is it possible, and how, to have FreeRADIUS dynamically assign the right VLAN id to an authenticated user (teacher or student)? Thank you!

    1. Yeah must be possible, but I don’t have the configurations for it at the moment

    2. Hello all,
      first of all thanks for this great post.
      I am also interested in assigning dynamic VLANs based on the DN, as I currently do with a local LDAP.
      I’ve got a post-auth section where I put some clauses like:

      post-auth {
              # Group check comes from the ldap module (LDAP-Group); the vendor
              # attributes are Aruba's VLAN and role assignment.
              if (LDAP-Group == "teachers") {
                      update reply {
                              Aruba-User-Vlan = "6"
                              Aruba-User-Role = "teachers"
                      }
              }
              update {
                      &reply: += &session-state:
              }
      }

      I haven’t implemented this solution yet, but it would be great if it worked in a similar way.

      Have any of you tried something similar?

      1. Yes, I have implemented dynamic VLAN assignment along with Google Workspace integration. In fact I plan to write a blog post on that soon. Stay tuned for that!

  29. Alberto

    Hello Nasir, great job, and thank you very much for your guide, it’s really good.
    I have a question: is it possible to use multiple base_dn with the same LDAP server?

    Currently our server works fine (FreeRADIUS + Google LDAP) but we have this problem: we can only validate one base_dn.

    Regards.

    1. I’m not sure about it.

  30. Duncan

    Hi Nasir,
    I am getting this error: Error, unable to get local issuer certificate.
    Kindly help

  31. StarNY

    Thanks a lot for the eap and proxy settings, that helped me to set up Google LDAP authorization for RADIUS.

  32. Henning Kessler

    Thank you for this wonderful tutorial. It has worked for me several times. But now, out of nowhere, I am having issues with the same setup.
    I am using two Raspberry Pis as RADIUS servers (freeradius version 7.0.21 or 7.2.1) and Unifi AC HD access points. My clients are macOS or iOS devices. The LDAP bind to Google works flawlessly and I see that the RADIUS server sends an “Access-Accept” to the clients, but shortly after the client starts another Access-Request and that fails with:

    (9) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x864de94f8144fc95
    (9) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
    (9) eap: Failed in handler

    Any idea what is happening here?

    1. No, I don’t recall having seen this before.

      1. Henning Kessler

        Funny detail. I tried exactly the same configuration of FreeRADIUS with a TP-Link EAP650 and the Omada Controller and it worked flawlessly… Strange.

  33. Michael Mallo

    Hi Nasir,

    I am trying to configure authentication for my Ruijie wireless system, using FreeRADIUS and Google LDAP. I have followed the steps from your article, however the authentication is still not working. After checking the Google LDAP logs with Google support, they asked me to re-check FreeRADIUS. I am trying to run the “radiusd -X” command in order to debug the issue, however I am getting a “command not found” result. Do you have any idea how I can solve it? I am running FreeRADIUS on Debian 10.

    Regards

  34. Jonathan Figueroa

    Hello my friend.
    What a great job! I have been able to implement this authentication service in my corporate network; it has not given me problems on Windows or Ubuntu with the generated certificates.

    When I connect through Android, most phones allow me to connect normally, because I can skip the “CA Certificate” option by selecting the option not to validate.
    However, on INFINIX phones it is impossible to ignore the “CA certificate” option.
    I have tried to install the certificate that is generated for Windows, but I am forced to enter a domain.

    I enter the domain that it configures in the file: nano /etc/freeradius/3.0/mods-enabled/ldap

    but it gives me an error and I can’t connect the phone to the wifi network.

    do you have any idea about this ?

    Greetings from Ecuador.

    1. Thanks for the nice comment. Sorry I have no idea about it, I haven’t tried it on an Infinix phone yet.

    2. Leonel Bustos Collipal

      Hi Jonathan, I am very glad that you were able to implement this service on your network and that you have no problems with the operating systems you mentioned. For my part, I have the problem that I can only get access from the iPhone, since it lets me “trust” a certificate that is not secure and thus connect to the network. That is not the case with Windows and Android: on Windows, installing a certificate on the client machine does not work for me, and on Android it lets me access the network, but only by setting the authentication mode to “GTC”. How did you solve those problems, so that Windows and Linux clients do not ask for / require a certificate, and on Android one can get access just by choosing the “do not validate CA” option? I would very much appreciate your answer. Regards.

      1. Jonathan Figueroa

        Hi Leonel, in my case I have been working with certificates for the Ubuntu and Windows devices, since that lets me control access to my network and know which devices I have connected and authorized. However, I have the problem with phones that demand a certificate and a domain: although a domain was set in the configuration, it does not give me connectivity, and I have tried installing the Windows certificate on my phone, but it gives no response. The only way to connect Android phones that did not demand a certificate and domain was by ignoring CA validation, but currently there are phone models such as INFINIX that do not let me ignore this option, and that causes me problems.

  35. Arild

    Hi
    Great guide! I got everything up and running.

    However, iPhones are complaining about weak security. How much different would this guide be if you used tls instead of ttls?

    1. I haven’t tried TLS so can’t really comment on that.

  36. Hello, Nasir Hafiz!
    Good guide!!
    Question:
    If I use Azure AD (LDAPS) instead of G Suite, will this work?
    Azure AD (LDAPS) + FreeRADIUS + Unifi controller
    Thank you in advance!

  37. Jose Oliva

    Hello, I need help with this problem:
    root@D10FR:/etc/freeradius/3.0/certs# journalctl -xe
    — A start job for unit freeradius.service has begun execution.

    — The job identifier is 3973074.
    Dec 11 09:04:13 D10FR freeradius[15072]: FreeRADIUS Version 3.0.17
    Dec 11 09:04:13 D10FR freeradius[15072]: Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
    Dec 11 09:04:13 D10FR freeradius[15072]: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
    Dec 11 09:04:13 D10FR freeradius[15072]: PARTICULAR PURPOSE
    Dec 11 09:04:13 D10FR freeradius[15072]: You may redistribute copies of FreeRADIUS under the terms of the
    Dec 11 09:04:13 D10FR freeradius[15072]: GNU General Public License
    Dec 11 09:04:13 D10FR freeradius[15072]: For more information about these matters, see the file named COPYRIGHT
    Dec 11 09:04:13 D10FR freeradius[15072]: Starting – reading configuration files …
    Dec 11 09:04:13 D10FR freeradius[15072]: Debugger not attached
    Dec 11 09:04:13 D10FR freeradius[15072]: Creating attribute Unix-Group
    Dec 11 09:04:13 D10FR freeradius[15072]: Creating attribute LDAP-Group
    Dec 11 09:04:13 D10FR freeradius[15072]: rlm_mschap (mschap): using internal authentication
    Dec 11 09:04:13 D10FR freeradius[15072]: rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
    Dec 11 09:04:13 D10FR freeradius[15072]: rlm_ldap: libldap vendor: OpenLDAP, version: 20447
    Dec 11 09:04:13 D10FR freeradius[15072]: rlm_ldap (ldap): Initialising connection pool
    Dec 11 09:04:13 D10FR freeradius[15072]: rlm_detail (auth_log): ‘User-Password’ suppressed, will not appear in detail output
    Dec 11 09:04:13 D10FR freeradius[15072]: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item “FreeRADIUS-Response-Delay”
    Dec 11 09:04:13 D10FR freeradius[15072]: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item “FreeRADIUS-Response-Delay-U
    Dec 11 09:04:13 D10FR freeradius[15072]: tls: Using cached TLS configuration from previous invocation
    Dec 11 09:04:13 D10FR freeradius[15072]: tls: Using cached TLS configuration from previous invocation
    Dec 11 09:04:13 D10FR freeradius[15072]: Ignoring “sql” (see raddb/mods-available/README.rst)
    Dec 11 09:04:13 D10FR freeradius[15072]: # Skipping contents of ‘if’ as it is always ‘false’ — /etc/freeradius/3.0/sites-enabled/inner-tunnel
    Dec 11 09:04:13 D10FR freeradius[15072]: radiusd: #### Skipping IP addresses and Ports ####
    Dec 11 09:04:13 D10FR freeradius[15072]: Configuration appears to be OK
    Dec 11 09:04:13 D10FR freeradius[15072]: rlm_ldap (ldap): Removing connection pool
    Dec 11 09:04:14 D10FR freeradius[15074]: ber_get_next failed.
    Dec 11 09:04:14 D10FR systemd[1]: freeradius.service: Control process exited, code=exited, status=1/FAILURE
    — Subject: Unit process exited
    — Defined-By: systemd
    — Support: https://www.debian.org/support

    — An ExecStart= process belonging to unit freeradius.service has exited.

    — The process’ exit code is ‘exited’ and its exit status is 1.
    Dec 11 09:04:14 D10FR systemd[1]: freeradius.service: Failed with result ‘exit-code’.
    — Subject: Unit failed
    — Defined-By: systemd
    — Support: https://www.debian.org/support

    — The unit freeradius.service has entered the ‘failed’ state with result ‘exit-code’.
    Dec 11 09:04:14 D10FR systemd[1]: Failed to start FreeRADIUS multi-protocol policy server.
    — Subject: A start job for unit freeradius.service has failed
    — Defined-By: systemd
    — Support: https://www.debian.org/support

    — A start job for unit freeradius.service has finished with a failure.

    — The job identifier is 3973074 and the job result is failed

  38. Ronca71

    I’ve updated freeradius to version 3.0.26 and set tls version in /etc/freeradius/mods-enabled/eap as follow:

    tls_min_version = “1.2”
    tls_max_version = “1.3”

    Now I can connect the Windows clients (even Win11 with 22H2 update) without the necessity to manually import the CA. (Force the “forget wifi” on the client and reconnect).

    1. Wow great, thanks for sharing

    2. masgee

      Hi Ronca, does it work on Windows 11 or 10? I’m stuck on the Windows client. RADIUS accepts, but the client can’t connect.

  39. Hi Nasir,
    got stuck when starting freeradius. The last lines of freeradius -X tells:
    rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
    rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
    rlm_ldap (ldap): Waiting for bind result…
    ber_get_next failed, errno=11.
    rlm_ldap (ldap): Bind was not permitted: Server was unwilling to perform
    rlm_ldap (ldap): Opening connection failed (0)
    rlm_ldap (ldap): Removing connection pool
    /etc/freeradius/3.0/mods-enabled/ldap[8]: Instantiation failed for module “ldap”

  40. Joe

    Hi Nasir,
    I have followed this guide several times but I always seem to run into the same error:

    Failed binding to auth address * port 1812 bound to server default: Address already in use
    /etc/freeradius/3.0/sites-enabled/default[59]: Error binding to port for 0.0.0.0 port 1812

    If I do:
    lsof -i :1812
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    freeradiu 607 freerad 13u IPv4 11717 0t0 UDP *:radius
    freeradiu 607 freerad 15u IPv6 11719 0t0 UDP *:radius

    but if I stop the service, there is nothing else using that port. I’ve restarted the service and I get that error every time.

    Do you know why this may be the case?
    Thanks
    Joe
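
    Several of the questions in this thread end with a single diagnostic line from `freeradius -X`. As an added example, not from the original post or from any of the commenters, the script below maps the lines quoted above to the check a practitioner would make next. The sample transcript is constructed from lines quoted in comments 20, 21, 24, 30, 32, 39 and 40, and each hint states the usual cause of that message rather than a diagnosis of anyone’s particular setup; the `ber_get_next failed, errno=11` line is included because it is routinely mistaken for an error while being libldap’s harmless EAGAIN.

```python
"""Triage for `freeradius -X` debug output.

Added example, not part of the original post. Each rule maps a line pattern
seen in the comments above to the check a practitioner would make next.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SEVERITY_ORDER = ("fatal", "reject", "info")   # fatal: server won't run; reject: auth fails


@dataclass
class Rule:
    id: str
    pattern: re.Pattern
    severity: str
    hint: str   # may reference named groups from the pattern


RULES: List[Rule] = [
    Rule("unknown_client",
         re.compile(r"Ignoring request .* from unknown client (?P<ip>\S+) port (?P<port>\d+)"),
         "reject",
         "No `client` block covers {ip}: add the NAS/AP address (or its subnet) and the shared "
         "secret to clients.conf, then restart."),
    Rule("port_in_use",
         re.compile(r"Failed binding to auth address .*Address already in use"), "fatal",
         "Another radiusd already owns UDP/1812 (usually the systemd service): run "
         "`systemctl stop freeradius` before `freeradius -X`, or check `ss -ulnp | grep 1812`."),
    Rule("mschap_no_nt_password",
         re.compile(r"mschap: .*No (NT|Cleartext)-Password"), "reject",
         "The client used MS-CHAPv2 (the Windows default, PEAP). An LDAP bind cannot answer an "
         "MS-CHAPv2 challenge because the server never sees the password; configure the client "
         "for EAP-TTLS with PAP or GTC as the inner method."),
    Rule("ldap_user_bind_failed",
         re.compile(r"ldap: ERROR: Bind credentials incorrect"), "reject",
         "ldap.google.com rejected the password during the per-user bind: wrong password, or the "
         "inner identity is not the user who owns that DN."),
    Rule("ldap_service_bind_refused",
         re.compile(r"rlm_ldap .*Bind was not permitted: Server was unwilling to perform"), "fatal",
         "The service bind in mods-enabled/ldap was refused: re-check the Secure LDAP access "
         "credentials (identity/password), the client certificate/key paths, and that the LDAP "
         "client is enabled in the Admin console."),
    Rule("ldap_tls_untrusted",
         re.compile(r"unable to get local issuer certificate"), "fatal",
         "The LDAP server's certificate chain could not be verified: point ca_file/ca_path in the "
         "ldap module's tls section at the system CA bundle."),
    Rule("eap_state_mismatch",
         re.compile(r"eap: ERROR: .*No EAP session matching state (?P<state>0x[0-9a-f]+)"), "reject",
         "A continuation arrived for an EAP session this server does not hold ({state}): the NAS "
         "retransmitted after a timeout, or the conversation was split across two RADIUS servers. "
         "EAP state lives on one server, so do not fail over mid-conversation."),
    Rule("ber_get_next_noise",
         re.compile(r"ber_get_next failed, errno=11"), "info",
         "EAGAIN from libldap's non-blocking read; harmless when followed by `Bind successful`."),
]

REQ_ID = re.compile(r"^\((?P<req>\d+)\)")


@dataclass
class Finding:
    rule: str
    severity: str
    request: Optional[int]   # FreeRADIUS request number, None for startup messages
    line: str
    hint: str


def triage(debug_output: str) -> Dict[str, Finding]:
    """Return the first matching line per rule, with the check that follows from it."""
    findings: Dict[str, Finding] = {}
    for raw in debug_output.splitlines():
        line = raw.strip()
        for rule in RULES:
            if rule.id in findings:
                continue
            m = rule.pattern.search(line)
            if not m:
                continue
            req = REQ_ID.match(line)
            findings[rule.id] = Finding(rule.id, rule.severity,
                                        int(req.group("req")) if req else None,
                                        line, rule.hint.format(**m.groupdict()))
    return findings


# Constructed transcript, assembled from lines quoted in the comments above.
SAMPLE_DEBUG = """\
Ignoring request to auth address * port 1812 bound to server default from unknown client 10.10.13.74 port 57235 proto udp
(75) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(75) mschap: ERROR: FAILED: No NT-Password. Cannot perform authentication
(5) ldap: ERROR: Bind credentials incorrect: Invalid credentials
ber_get_next failed, errno=11.
rlm_ldap (ldap): Bind was not permitted: Server was unwilling to perform
Error, unable to get local issuer certificate
(9) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x864de94f8144fc95
Failed binding to auth address * port 1812 bound to server default: Address already in use
"""

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_DEBUG).values(), key=lambda f: SEVERITY_ORDER.index(f.severity)):
        who = f"req {f.request}" if f.request is not None else "startup"
        print(f"[{f.severity:6}] {f.rule} ({who})\n    {f.line}\n    -> {f.hint}")
```

    Pipe a real transcript in by replacing `SAMPLE_DEBUG` with `sys.stdin.read()`; the rules are plain regular expressions, so adding the next message someone posts is a one-line change.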

  41. Jesse Nesper

    Has anyone solved for chromebooks?
    I’m still getting EAP reject messages from Freeradius.
    I can post the logs if that would be helpful, but I’m getting “username/password incorrect or EAP-auth failed” from the chromebook.
    EAP-TTLS
    GTC
