FreeRADIUS with Google G Suite/Workspace Secure LDAP for WPA2 Enterprise WiFi

This post documents the process of integrating FreeRADIUS with Google G Suite (now Workspace) using Secure LDAP. FreeRADIUS will be used to authenticate Ubiquiti Unifi WPA2 Enterprise WiFi users. The configurations presented here are taken from this wonderful repository. While the repo uses Docker, we will be implementing these settings in FreeRADIUS directly. These settings were tested on Debian 10.

First, follow steps 1-3 given in Google’s support article and also generate access credentials. At the end of these steps, you’ll have a certificate and key along with your access credentials.

Then, install FreeRADIUS and its required packages:

apt update && apt upgrade
apt -y install freeradius freeradius-ldap freeradius-utils

Copy the certificate and key files downloaded from the Google Admin console onto the FreeRADIUS host, into the following directory:

/etc/freeradius/3.0/certs/

Rename those files to:

ldap-client.crt
ldap-client.key

Next, use a text editor like nano to edit /etc/freeradius/3.0/clients.conf:

nano /etc/freeradius/3.0/clients.conf

Add the following lines at the end (replace 192.168.1.0/24 with your LAN subnet and testing123 with a more secure secret):

client unifi {
       ipaddr          = 192.168.1.0/24
       secret          = testing123
}

Use Ctrl + X to save and exit.
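The secret configured above is all that protects the exchange between the access point and FreeRADIUS: RADIUS hides the User-Password with an MD5 keystream derived from the secret and the Request Authenticator (RFC 2865), and authenticates the packet with an HMAC-MD5 Message-Authenticator keyed with the same secret (RFC 2869). The following is an added example, not code from the original post or from FreeRADIUS, that builds and verifies such an Access-Request to make that concrete; the secret, password, NAS address and Request Authenticator it uses are constructed values.

```python
"""RADIUS Access-Request construction (RFC 2865, RFC 2869).

Added example, not code from the original post or from FreeRADIUS. It shows
what the clients.conf shared secret protects between the access point and the
server, so that "replace testing123 with a more secure secret" is concrete.
The secret, password, NAS address and Request Authenticator are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. Anyone holding the secret can invert this."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, i.e. what the server does before the LDAP bind.
    NUL padding is stripped, so passwords ending in NUL bytes are unsupported."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length byte includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, ident: int, username: bytes, password: bytes,
                         nas_ip: str, authenticator: bytes = b"") -> bytes:
    """Access-Request carrying User-Name, User-Password, NAS-IP-Address and a
    Message-Authenticator (RFC 2869 section 5.14): HMAC-MD5 over the whole
    packet keyed with the shared secret, computed with the attribute zeroed."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac  # the 16 zero bytes were the last attribute


def parse_attrs(packet: bytes) -> list:
    """Walk the TLVs after the 20-byte header, rejecting malformed lengths."""
    out, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server-side check: zero the attribute, recompute the HMAC and compare in
    constant time. A wrong secret fails here before any LDAP bind is attempted."""
    pos = 20
    for attr_type, value in parse_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return False
```

Both protections rest on MD5 keyed with the secret, so the secret's length and randomness are the whole story: a guessable secret lets anyone on the path between the APs and the server recover user passwords and forge requests. Use a long random secret and keep the client ipaddr range as tight as your access points allow.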

Edit the default virtual server:

nano /etc/freeradius/3.0/sites-enabled/default

In the authorize section, add the following after pap. It forces Auth-Type ldap (a bind to Google's LDAP as the user) whenever the request carries a cleartext User-Password:

        if (User-Password) {
            update control {
                   Auth-Type := ldap
            }
        }

In the authenticate section, replace pap with ldap inside the Auth-Type PAP block, so that PAP requests are checked by binding to Google's LDAP:

authenticate {
        Auth-Type PAP {
                ldap
        }

A little further down, uncomment the ldap line inside the commented-out Auth-Type LDAP block (a bare module name in authenticate acts as an Auth-Type of the same name, which is what the authorize rule above selects):

#       Auth-Type LDAP {
                ldap
#       }

Save and exit.

The same changes need to be done in /etc/freeradius/3.0/sites-enabled/inner-tunnel to edit the inner-tunnel virtual server.

Then, as root, enable the ldap module by linking it into mods-enabled:

cd /etc/freeradius/3.0/mods-enabled
ln -s ../mods-available/ldap ldap

Now, edit the ldap module:

nano /etc/freeradius/3.0/mods-enabled/ldap

server = 'ldaps://ldap.google.com'
port = 636

Set identity and password to the access credentials generated in the Google Admin console:

identity = 'foo'
password = bar

Enter your domain here:

base_dn = 'dc=example,dc=com'

In the tls section (the certificate and key are the client files downloaded from Google):

start_tls = no

certificate_file = /etc/freeradius/3.0/certs/ldap-client.crt
private_key_file = /etc/freeradius/3.0/certs/ldap-client.key

require_cert    = 'allow'

Note that 'allow' lets the session proceed even when the ldap.google.com server certificate cannot be validated. To have FreeRADIUS enforce validation, set require_cert to 'demand' and point ca_file in the same section at the CA bundle that issued Google's certificate.

Save and exit.

Next, set up the eap module:

nano /etc/freeradius/3.0/mods-enabled/eap

In eap section:

default_eap_type = ttls

In ttls section:

default_eap_type = gtc

Save and exit. Finally, set the proxy settings:

nano /etc/freeradius/3.0/proxy.conf

Add a realm for your domain at the end of the file. The empty block makes the realm LOCAL: the suffix module then strips @example.com into Stripped-User-Name, which the ldap module uses for its lookup, so users can log in with either their user ID or their full address:

realm example.com {

}

Save and exit.

Use the following command to restart FreeRADIUS service for new settings to take effect:

systemctl restart freeradius.service

FreeRADIUS settings are now complete. On the Unifi Controller, go to Settings -> Wireless Networks and either create a new wireless network or edit an existing one. Under Security, select WPA Enterprise.

It will require a RADIUS Profile to be specified. Click on “Create new RADIUS profile”, enter a name for the profile and specify the IP address of your RADIUS server and the shared secret created earlier.

Save the changes made to the RADIUS profile and the wireless network.

To connect a mobile client to this network, enter your G Suite username and password.

Note: Users can enter either their user ID alone or their complete email address in <UserID>@example.com format; both work.

In case of an error, make sure the EAP method is TTLS. For Phase 2 or inner tunnel use either GTC or None. Some devices will auto-detect these settings but on some devices you might need to select them manually.

Generating Certificates for Windows Clients

To authenticate Windows clients we need to generate a CA certificate and a server certificate on the FreeRADIUS host and install the CA certificate on the client machines. FreeRADIUS ships helper scripts (a Makefile in its certs directory) for generating them.

To generate a self-signed CA certificate (which is what is recommended for RADIUS deployments), open the CA configuration file:

nano /etc/freeradius/3.0/certs/ca.cnf

In CA_default section increase the number of days so that the certificate will be valid for a long time (10 years in this case):

default_days            = 3650

In req section change the input_password and output_password from their default values:

input_password          = tj367tHXVK
output_password         = tj367tHXVK

In certificate_authority section enter your organization’s information:

countryName             = US
stateOrProvinceName     = FL
localityName            = Miami
organizationName        = NPO Systems
emailAddress            = [email protected]
commonName              = "NPO Certificate Authority"

Save and exit.

Run the following commands to generate CA certificates:

make ca.pem
make ca.der

Next generate server certificate by following the same procedure:

nano /etc/freeradius/3.0/certs/server.cnf

Change default_days to a large value, input_password and output_password from their default values and enter your organization’s information in server section. Make sure the commonName entered here is different from the one entered in ca.cnf:

default_days            = 3650

input_password          = tj367tHXVK
output_password         = tj367tHXVK

[server]
countryName             = US
stateOrProvinceName     = FL
localityName            = Miami
organizationName        = NPO Systems
emailAddress            = [email protected]
commonName              = "NPO Systems Server Certificate"

Save and exit.

Generate server certificate by running this command:

make server.pem

Ensure generated files have the right ownership:

chown freerad:freerad /etc/freeradius/3.0/certs/*

Add the paths of newly generated certificates in eap configuration file:

nano /etc/freeradius/3.0/mods-enabled/eap

In tls-config tls-common section add the following values:

private_key_password = tj367tHXVK
private_key_file = /etc/freeradius/3.0/certs/server.pem
certificate_file = /etc/freeradius/3.0/certs/server.pem
ca_file = /etc/freeradius/3.0/certs/ca.pem

Save and exit.

Restart FreeRADIUS service:

systemctl restart freeradius

Installing Certificates on Client Machines

Windows

Download ca.pem and ca.der from /etc/freeradius/3.0/certs/ and distribute them to your clients. On a Windows client, ca.der can be installed by double-clicking on it and following the installation wizard.

Place the certificate in the Trusted Root Certification Authorities store.

After completing the wizard, accept the security warning.

Connect to the WiFi by entering your username and password. If it shows you the certificate information, click on Connect to continue.

Ubuntu

update-ca-certificates only picks up PEM-encoded certificates that have a .crt extension, so write ca.pem out again in PEM form under that name (copying the file is equivalent):

openssl x509 -outform pem -in ca.pem -out ca.crt

Download ca.crt file and put it in /usr/local/share/ca-certificates/ directory on the client machine. Then, install the certificate:

sudo update-ca-certificates

Connect to the WiFi by selecting Authentication "Tunneled TLS" and Inner authentication "GTC", and entering your username and password.

Troubleshooting

In case of any issues troubleshoot FreeRADIUS by first stopping its service:

systemctl stop freeradius.service

After that start it in debug mode:

freeradius -X

Follow the debug output to troubleshoot further.
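The debug output is verbose (one authentication can produce a few hundred lines), so it helps to reduce it to one line per request before reading the detail. The script below is an added example, not part of the original post and not a FreeRADIUS tool: it groups freeradius -X lines by request number, records the User-Name, the Auth-Type chosen, each module's return code, the packet finally sent and any WARNING/ERROR lines, and flags the one failure signature this setup is prone to, a client negotiating MS-CHAPv2 inside the tunnel, which a bind-only LDAP backend cannot verify. The sample output embedded in it is constructed to match FreeRADIUS 3's line formats, not a capture from a real server.

```python
"""Triage helper for `freeradius -X` debug output.

Added example, not part of the original post and not a FreeRADIUS tool. It
groups debug lines by request number and extracts what you want to see first:
User-Name, Auth-Type, module return codes, the final packet type and any
WARNING/ERROR lines. SAMPLE_DEBUG is constructed to match FreeRADIUS 3's line
shapes; it is not a real capture.
"""
import re
import sys
from collections import defaultdict

SAMPLE_DEBUG = """\
(0) Received Access-Request Id 35 from 192.168.1.2:56448 to 192.168.1.10:1812 length 257
(0)   User-Name = "user@example.com"
(0) suffix: Adding Stripped-User-Name = "user"
(0)   [suffix] = ok
(0)   [eap] = ok
(0) Found Auth-Type = eap
(0) Sent Access-Challenge Id 35 from 192.168.1.10:1812 to 192.168.1.2:56448 length 0
Waking up in 4.9 seconds.
(1) Received Access-Request Id 36 from 192.168.1.2:56448 to 192.168.1.10:1812 length 300
(1)   User-Name = "user@example.com"
(1) Found Auth-Type = mschap
(1) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(1) mschap: Client is using MS-CHAPv2
(1) mschap: ERROR: FAILED: No NT-Password.  Cannot perform authentication
(1)   [mschap] = reject
(1) Sent Access-Reject Id 36 from 192.168.1.10:1812 to 192.168.1.2:56448 length 44
(2) Received Access-Request Id 37 from 192.168.1.2:56448 to 192.168.1.10:1812 length 120
(2)   User-Name = "bob"
(2) Found Auth-Type = ldap
(2)   [ldap] = ok
(2) Sent Access-Accept Id 37 from 192.168.1.10:1812 to 192.168.1.2:56448 length 20
"""

LINE_RE = re.compile(r"^\((\d+)\)\s*(.*)$")
USER_RE = re.compile(r'^User-Name = "(.*)"$')
AUTH_TYPE_RE = re.compile(r"^Found Auth-Type = (\S+)$")
MODULE_RE = re.compile(r"^\[([\w.-]+)\] = (\w+)$")
SENT_RE = re.compile(r"^Sent (Access-(?:Accept|Reject|Challenge)) Id (\d+)")
PROBLEM_RE = re.compile(r"^(\S+): (WARNING|ERROR): (.*)$")


def new_request() -> dict:
    return {"user": None, "auth_type": None, "modules": [], "problems": [], "result": None}


def summarize(debug_output: str) -> dict:
    """Return {request_number: summary}; lines without a (N) prefix are skipped."""
    requests = defaultdict(new_request)
    for raw in debug_output.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        req = requests[int(m.group(1))]
        body = m.group(2).strip()
        if (hit := USER_RE.match(body)):
            req["user"] = hit.group(1)
        elif (hit := AUTH_TYPE_RE.match(body)):
            req["auth_type"] = hit.group(1)
        elif (hit := MODULE_RE.match(body)):
            req["modules"].append((hit.group(1), hit.group(2)))
        elif (hit := SENT_RE.match(body)):
            req["result"] = hit.group(1)
        elif (hit := PROBLEM_RE.match(body)):
            req["problems"].append(f"{hit.group(1)}: {hit.group(2)}: {hit.group(3)}")
    return dict(requests)


def explain(req: dict) -> list:
    """Map the failure signatures this setup produces to their likely cause."""
    hints = []
    if any("No Cleartext-Password" in p or "No NT-Password" in p for p in req["problems"]):
        hints.append("Client used MS-CHAPv2 inside the tunnel. A bind-only LDAP backend such as "
                     "Google Secure LDAP never gives FreeRADIUS a cleartext or NT-hashed password, "
                     "so MS-CHAPv2 cannot succeed; configure the client for EAP-TTLS with GTC "
                     "(or PAP) inner authentication as described in the post.")
    if req["result"] == "Access-Reject" and not hints:
        bad = [f"{mod} = {rc}" for mod, rc in req["modules"] if rc in ("reject", "fail", "invalid")]
        hints.append("Rejected without a known signature; first failing module result: "
                     + (bad[0] if bad else "none recorded"))
    return hints


def report(debug_output: str) -> str:
    """One line per request, each followed by its hints."""
    lines = []
    for rid, req in sorted(summarize(debug_output).items()):
        mods = ", ".join(f"{m}={rc}" for m, rc in req["modules"])
        lines.append(f"({rid}) user={req['user']} auth_type={req['auth_type']} "
                     f"result={req['result']} modules=[{mods}]")
        lines.extend("    hint: " + h for h in explain(req))
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe real output in (freeradius -X 2>&1 | python3 triage.py) or run on the sample.
    print(report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DEBUG))
```

The MS-CHAPv2 hint is the one that matters for this post: Windows clients default to MSCHAPv2 as the inner method, and the mschap module needs a cleartext or NT-hashed password to compute the challenge response, which an LDAP bind never provides. The cure is on the client side (TTLS with GTC or PAP), not in the FreeRADIUS configuration.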

References

Unifi FreeRADIUS on Docker with Google Secure LDAP

FreeRADIUS Production SSL Certificates

68 Comments

  1. Thomas says:

    Hello Nasir,
    thanks for your post, that really fills a gap. Up to now I had only found solutions that are subject to a charge.
    Do you think/know if your solution also works with the FreeRADIUS server in pfSense (https://www.pfsense.org/)? This might open a variety of further options besides WPA Enterprise, for PPPoE, PPTP and more.
    Warm regards,
    Thomas

    1. Hi Thomas,

      Thanks for your feedback. I did try this on pfSense as a matter of fact. I was able to get it working successfully by getting into the command line and modifying FreeRADIUS files manually, but the problem I faced was that all the modifications that I did were lost when the pfSense was rebooted.

      1. Thomas says:

        Hi Nasir,

        have you tested the following way?
        https://docs.netgate.com/pfsense/en/latest/recipes/auth-google-gsuite.html
        It seems they have updated the docs on Sep. 17.

        1. Nice, this looks interesting. No I didn’t test it. Thanks for letting me know!

      2. salvolb says:

        I am able to configure Google LDAP and Freeradius but the changes are lost when pfSense is restarted.
        Has anyone found the solution?

        1. Only changes stored in pfSense’s XML file are kept, so you need to ensure that the XML is updated.

  2. Matthew says:

    Hi Nasir,
    thank you very much for your post. Have you had trouble connecting Windows client devices to the WiFi network? What settings did you use on the client side?
    Thanks

    1. Hello,

      No not at all. I tested it with Windows 10, didn’t need any special settings. Just selected WiFi, entered username and password, and accepted the certificate warning. It worked seamlessly!

      1. Matthew says:

        How strange. In my case there is no way I can authenticate a Windows client. There are no problems with Android.

    2. Chris C says:

      Matthew-
      I am seeing the same issue with Windows 10 client PCs.
      FreeRadius fails to authenticate because of the client using MS-CHAPv2.
      WARNING: No Cleartext-Password configured. Cannot create NT-Password
      Creating challenge hash with username: ccarr
      Client is using MS-CHAPv2
      ERROR: FAILED: No NT-Password. Cannot perform authentication
      ERROR: MS-CHAP2-Response is incorrect

      NOTE I am using HP Aruba access points

      1. Cesar says:

        I have the same issue with WIN 10 users

        1. You need to setup CA certificates as given in FreeRADIUS documentation and import them into the Windows machines. I did try it and it works fine.

        2. I’ve updated the post with a section for generating and adding certificates for Windows clients!

  3. Gevanni says:

    Hi Nassir,

    I have everything configured but when connecting a client with macOS it does not allow me, do you know if I need a profile or certificate?

    Thank you.

    1. Hello,

      I tested it with an iPad and didn’t face any issues on that. Didn’t test it with a MacOS client.

  4. Geovanni says:

    Hi, Nassir

    What version of the Unifi controller did you use?
    I have version 6.0.43.0.

    1. I think it was 6.0.36 perhaps.

  5. Christian Bednarz says:

    Dear Nasir. Thanks for your guide. However, would this also work for VPN via Ubiqi and Google LDAP authentication? Best regards.

    1. I think it should.

      1. Sebastian says:

        Nice guide, it works just fine for me. Were you able to make it work for the VPN connection? I did run into an error, not sure if it's worth investing time here.

        (0) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
        (0) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
        (0) mschap: Creating challenge hash with username: …
        (0) mschap: Client is using MS-CHAPv2
        (0) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
        (0) mschap: ERROR: MS-CHAP2-Response is incorrect

  6. Hello Nasir,

    you saved my day. That guide was incredible and easy to read. Thanks a lot for your time. Really appreciate your work. Could configure all in two hours for my corporate network and will turn off old LDAP custom setup next week.

    Greetings, Thomas

    1. Thanks Thomas,

      Glad to help!

  7. Matt Richey says:

    Hello. I keep getting stuck when trying to restart the service. When I try to run that command, it returns with: Job for freeradius.service failed because the control process exited with error code. I’m not great in terminal, but I think I can get by. Any ideas as to what might be causing this?

    1. Please use freeradius -X to troubleshoot

    2. Chris C says:

      Hi Matt.
      I started getting the same issue – attempting to start FreeRadius using systemd fails with an error, but running the process manually works fine: # /sbin/radiusd -X -d /etc/raddb

  8. Syahwanius says:

    Hello Nasir. I already followed all the steps and got no errors while debugging using freeradius -X, but when a user connects I get some errors in /var/log/freeradius/radius.log:

    Error: (5) Ignoring duplicate packet from client LDAP port 33030 – ID: 6 due to unfinished request in component authenticate module eap_ttls
    ERROR: (6) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x2c493b1a284f2e21
    ERROR: (6) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x2c493b1a284f2e21
    ERROR: (7) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x2c493b1a284f2e21

    and the user can’t connect to the WiFi. Any idea?

  9. Nick says:

    Hey Nasir,
    I just want to say thank you for this article. I’ve revisited this a few times trying to get this to work and spent entirely too many hours on it over the last few years without any luck. I was able to get this up and running with your directions quickly and easily.

  10. Marion Bates says:

    Hi Nasir,

    I am trying to adapt these instructions to Centos 7. When I start radiusd, I see these messages:

    May 03 11:08:21 localhost radiusd[29051]: TLS: certificate [CN=GTS CA 1O1,O=Google Trust Services,C=US] is not valid – error -8179:Peer’s Certificate issuer is not recognized..
    May 03 11:08:22 localhost radiusd[29051]: TLS: error: the certificate ‘/etc/raddb/certs/ldap-client.crt’ could not be found in the database – error -8187:security library: invalid arguments..
    May 03 11:08:22 localhost radiusd[29051]: TLS: certificate ‘/etc/raddb/certs/ldap-client.crt’ successfully loaded from PEM file.
    May 03 11:08:22 localhost radiusd[29051]: TLS: no unlocked certificate for certificate ‘ST=California,C=US,OU=GSuite,CN=LDAP Client,L=Mountain View,O=Google Inc.’.
    May 03 11:08:22 localhost radiusd[29051]: TLS: certificate [CN=GTS CA 1O1,O=Google Trust Services,C=US] is not valid – error -8179:Peer’s Certificate issuer is not recognized..
    May 03 11:08:22 localhost radiusd[29051]: TLS: error: the certificate ‘/etc/raddb/certs/ldap-client.crt’ could not be found in the database – error -8187:security library: invalid arguments..
    May 03 11:08:22 localhost radiusd[29051]: TLS: certificate ‘/etc/raddb/certs/ldap-client.crt’ successfully loaded from PEM file.
    May 03 11:08:22 localhost radiusd[29051]: TLS: no unlocked certificate for certificate ‘ST=California,C=US,OU=GSuite,CN=LDAP Client,L=Mountain View,O=Google Inc.’.
    May 03 11:08:22 localhost radiusd[29051]: TLS: certificate [CN=GTS CA 1O1,O=Google Trust Services,C=US] is not valid – error -8179:Peer’s Certificate issuer is not recognized..

    Do you know what this means or how to fix? Thank you very much! — MB

  11. Glenn says:

    IOS, MacOS and Android clients connect fine. Windows and ChromeOS are having difficulty connecting. Here is the output of freeradius -X when a Windows client attempts to connect:
    (0) Received Access-Request Id 35 from 172.16.1.25:56448 to 172.16.1.14:1812 length 257
    (0) User-Name = “[email protected]
    (0) NAS-IP-Address = 172.16.1.25
    (0) NAS-Identifier = “029fc26eac66”
    (0) Called-Station-Id = “02-9F-C2-6E-AC-66:HAAS_Student”
    (0) NAS-Port-Type = Wireless-802.11
    (0) Service-Type = Framed-User
    (0) Calling-Station-Id = “98-AF-65-08-37-02”
    (0) Connect-Info = “CONNECT 0Mbps 802.11b”
    (0) Acct-Session-Id = “37C8289B8D2F7CA7”
    (0) Acct-Multi-Session-Id = “DC7E9029C48AF6AE”
    (0) WLAN-Pairwise-Cipher = 1027076
    (0) WLAN-Group-Cipher = 1027076
    (0) WLAN-AKM-Suite = 1027073
    (0) WLAN-Group-Mgmt-Cipher = 1027078
    (0) Framed-MTU = 1400
    (0) EAP-Message = 0x02cb001801676c61676d616e40686161737063732e6e6574
    (0) Message-Authenticator = 0x4764f2541db94b493f83688530a2ecb4
    (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (0) authorize {
    (0) policy filter_username {
    (0) if (&User-Name) {
    (0) if (&User-Name) -> TRUE
    (0) if (&User-Name) {
    (0) if (&User-Name =~ / /) {
    (0) if (&User-Name =~ / /) -> FALSE
    (0) if (&User-Name =~ /@[^@]*@/ ) {
    (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
    (0) if (&User-Name =~ /\.\./ ) {
    (0) if (&User-Name =~ /\.\./ ) -> FALSE
    (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
    (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
    (0) if (&User-Name =~ /\.$/) {
    (0) if (&User-Name =~ /\.$/) -> FALSE
    (0) if (&User-Name =~ /@\./) {
    (0) if (&User-Name =~ /@\./) -> FALSE
    (0) } # if (&User-Name) = notfound
    (0) } # policy filter_username = notfound
    (0) [preprocess] = ok
    (0) [chap] = noop
    (0) [mschap] = noop
    (0) [digest] = noop
    (0) suffix: Checking for suffix after “@”
    (0) suffix: Looking up realm “domain.com” for User-Name = “[email protected]
    (0) suffix: Found realm “domain.com”
    (0) suffix: Adding Stripped-User-Name = “user”
    (0) suffix: Adding Realm = “domain.com”
    (0) suffix: Authentication realm is LOCAL
    (0) [suffix] = ok
    (0) eap: Peer sent EAP Response (code 2) ID 203 length 24
    (0) eap: EAP-Identity reply, returning ‘ok’ so we can short-circuit the rest of authorize
    (0) [eap] = ok
    (0) } # authorize = ok
    (0) Found Auth-Type = eap
    (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (0) authenticate {
    (0) eap: Peer sent packet with method EAP Identity (1)
    (0) eap: Calling submodule eap_ttls to process data
    (0) eap_ttls: Initiating new EAP-TLS session
    (0) eap_ttls: [eaptls start] = request
    (0) eap: Sending EAP Request (code 1) ID 204 length 6
    (0) eap: EAP session adding &reply:State = 0x3ad5cc8d3a19d919
    (0) [eap] = handled
    (0) } # authenticate = handled
    (0) Using Post-Auth-Type Challenge
    (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (0) Challenge { … } # empty sub-section is ignored
    (0) Sent Access-Challenge Id 35 from 172.16.1.14:1812 to 172.16.1.25:56448 length 0
    (0) EAP-Message = 0x01cc00061520
    (0) Message-Authenticator = 0x00000000000000000000000000000000
    (0) State = 0x3ad5cc8d3a19d919bf2f4b6dd6a06ef4
    (0) Finished request
    Waking up in 4.9 seconds.
    (1) Received Access-Request Id 36 from 172.16.1.25:56448 to 172.16.1.14:1812 length 414
    (1) User-Name = “[email protected]
    (1) NAS-IP-Address = 172.16.1.25
    (1) NAS-Identifier = “029fc26eac66”
    (1) Called-Station-Id = “02-9F-C2-6E-AC-66:HAAS_Student”
    (1) NAS-Port-Type = Wireless-802.11
    (1) Service-Type = Framed-User
    (1) Calling-Station-Id = “98-AF-65-08-37-02”
    (1) Connect-Info = “CONNECT 0Mbps 802.11b”
    (1) Acct-Session-Id = “37C8289B8D2F7CA7”
    (1) Acct-Multi-Session-Id = “DC7E9029C48AF6AE”
    (1) WLAN-Pairwise-Cipher = 1027076
    (1) WLAN-Group-Cipher = 1027076
    (1) WLAN-AKM-Suite = 1027073
    (1) WLAN-Group-Mgmt-Cipher = 1027078
    (1) Framed-MTU = 1400
    (1) EAP-Message = 0x02cc00a3158000000099160303009401000090030360f5daec9dc706e59810cf61b9f713636d14b8764b444df9cc63ff348150673c00002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a0100003d000a00080006001d00170018000b000201
    (1) State = 0x3ad5cc8d3a19d919bf2f4b6dd6a06ef4
    (1) Message-Authenticator = 0x5cba8405dd0258e2367d3b93063ce239
    (1) session-state: No cached attributes
    (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (1) authorize {
    (1) policy filter_username {
    (1) if (&User-Name) {
    (1) if (&User-Name) -> TRUE
    (1) if (&User-Name) {
    (1) if (&User-Name =~ / /) {
    (1) if (&User-Name =~ / /) -> FALSE
    (1) if (&User-Name =~ /@[^@]*@/ ) {
    (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
    (1) if (&User-Name =~ /\.\./ ) {
    (1) if (&User-Name =~ /\.\./ ) -> FALSE
    (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
    (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
    (1) if (&User-Name =~ /\.$/) {
    (1) if (&User-Name =~ /\.$/) -> FALSE
    (1) if (&User-Name =~ /@\./) {
    (1) if (&User-Name =~ /@\./) -> FALSE
    (1) } # if (&User-Name) = notfound
    (1) } # policy filter_username = notfound
    (1) [preprocess] = ok
    (1) [chap] = noop
    (1) [mschap] = noop
    (1) [digest] = noop
    (1) suffix: Checking for suffix after “@”
    (1) suffix: Looking up realm “domain.com” for User-Name = “[email protected]
    (1) suffix: Found realm “domain.com”
    (1) suffix: Adding Stripped-User-Name = “user”
    (1) suffix: Adding Realm = “domain.com”
    (1) suffix: Authentication realm is LOCAL
    (1) [suffix] = ok
    (1) eap: Peer sent EAP Response (code 2) ID 204 length 163
    (1) eap: Continuing tunnel setup
    (1) [eap] = ok
    (1) } # authorize = ok
    (1) Found Auth-Type = eap
    (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (1) authenticate {
    (1) eap: Expiring EAP session with state 0x3ad5cc8d3a19d919
    (1) eap: Finished EAP session with state 0x3ad5cc8d3a19d919
    (1) eap: Previous EAP request found for state 0x3ad5cc8d3a19d919, released from the list
    (1) eap: Peer sent packet with method EAP TTLS (21)
    (1) eap: Calling submodule eap_ttls to process data
    (1) eap_ttls: Authenticate
    (1) eap_ttls: Continuing EAP-TLS
    (1) eap_ttls: Peer indicated complete TLS record size will be 153 bytes
    (1) eap_ttls: Got complete TLS record (153 bytes)
    (1) eap_ttls: [eaptls verify] = length included
    (1) eap_ttls: (other): before SSL initialization
    (1) eap_ttls: TLS_accept: before SSL initialization
    (1) eap_ttls: TLS_accept: before SSL initialization
    (1) eap_ttls: <<>> send TLS 1.2 [length 003d]
    (1) eap_ttls: TLS_accept: SSLv3/TLS write server hello
    (1) eap_ttls: >>> send TLS 1.2 [length 031d]
    (1) eap_ttls: TLS_accept: SSLv3/TLS write certificate
    (1) eap_ttls: >>> send TLS 1.2 [length 014d]
    (1) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
    (1) eap_ttls: >>> send TLS 1.2 [length 0004]
    (1) eap_ttls: TLS_accept: SSLv3/TLS write server done
    (1) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server done
    (1) eap_ttls: In SSL Handshake Phase
    (1) eap_ttls: In SSL Accept mode
    (1) eap_ttls: [eaptls process] = handled
    (1) eap: Sending EAP Request (code 1) ID 205 length 1004
    (1) eap: EAP session adding &reply:State = 0x3ad5cc8d3b18d919
    (1) [eap] = handled
    (1) } # authenticate = handled
    (1) Using Post-Auth-Type Challenge
    (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (1) Challenge { … } # empty sub-section is ignored
    (1) Sent Access-Challenge Id 36 from 172.16.1.14:1812 to 172.16.1.25:56448 length 0
    (1) EAP-Message = 0x01cd03ec15c0000004bf160303003d0200003903038895826d02916cc4f4d7eebd23e8c6dfb507512051db2e88444f574e4752440100c030000011ff01000100000b00040300010200170000160303031d0b0003190003160003133082030f308201f7a00302010202140093bdec6d7accbcea599f3d61
    (1) Message-Authenticator = 0x00000000000000000000000000000000
    (1) State = 0x3ad5cc8d3b18d919bf2f4b6dd6a06ef4
    (1) Finished request
    Waking up in 4.9 seconds.
    (2) Received Access-Request Id 37 from 172.16.1.25:56448 to 172.16.1.14:1812 length 257
    (2) User-Name = “[email protected]
    (2) NAS-IP-Address = 172.16.1.25
    (2) NAS-Identifier = “029fc26eac66”
    (2) Called-Station-Id = “02-9F-C2-6E-AC-66:HAAS_Student”
    (2) NAS-Port-Type = Wireless-802.11
    (2) Service-Type = Framed-User
    (2) Calling-Station-Id = “98-AF-65-08-37-02”
    (2) Connect-Info = “CONNECT 0Mbps 802.11b”
    (2) Acct-Session-Id = “37C8289B8D2F7CA7”
    (2) Acct-Multi-Session-Id = “DC7E9029C48AF6AE”
    (2) WLAN-Pairwise-Cipher = 1027076
    (2) WLAN-Group-Cipher = 1027076
    (2) WLAN-AKM-Suite = 1027073
    (2) WLAN-Group-Mgmt-Cipher = 1027078
    (2) Framed-MTU = 1400
    (2) EAP-Message = 0x02cd00061500
    (2) State = 0x3ad5cc8d3b18d919bf2f4b6dd6a06ef4
    (2) Message-Authenticator = 0x234375bee42a3c192ca7d6a9aba0c316
    (2) session-state: No cached attributes
    (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (2) authorize {
    (2) policy filter_username {
    (2) if (&User-Name) {
    (2) if (&User-Name) -> TRUE
    (2) if (&User-Name) {
    (2) if (&User-Name =~ / /) {
    (2) if (&User-Name =~ / /) -> FALSE
    (2) if (&User-Name =~ /@[^@]*@/ ) {
    (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
    (2) if (&User-Name =~ /\.\./ ) {
    (2) if (&User-Name =~ /\.\./ ) -> FALSE
    (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
    (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
    (2) if (&User-Name =~ /\.$/) {
    (2) if (&User-Name =~ /\.$/) -> FALSE
    (2) if (&User-Name =~ /@\./) {
    (2) if (&User-Name =~ /@\./) -> FALSE
    (2) } # if (&User-Name) = notfound
    (2) } # policy filter_username = notfound
    (2) [preprocess] = ok
    (2) [chap] = noop
    (2) [mschap] = noop
    (2) [digest] = noop
    (2) suffix: Checking for suffix after “@”
    (2) suffix: Looking up realm “domain.com” for User-Name = “[email protected]
    (2) suffix: Found realm “domain.com”
    (2) suffix: Adding Stripped-User-Name = “user”
    (2) suffix: Adding Realm = “domain.com”
    (2) suffix: Authentication realm is LOCAL
    (2) [suffix] = ok
    (2) eap: Peer sent EAP Response (code 2) ID 205 length 6
    (2) eap: Continuing tunnel setup
    (2) [eap] = ok
    (2) } # authorize = ok
    (2) Found Auth-Type = eap
    (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (2) authenticate {
    (2) eap: Expiring EAP session with state 0x3ad5cc8d3b18d919
    (2) eap: Finished EAP session with state 0x3ad5cc8d3b18d919
    (2) eap: Previous EAP request found for state 0x3ad5cc8d3b18d919, released from the list
    (2) eap: Peer sent packet with method EAP TTLS (21)
    (2) eap: Calling submodule eap_ttls to process data
    (2) eap_ttls: Authenticate
    (2) eap_ttls: Continuing EAP-TLS
    (2) eap_ttls: Peer ACKed our handshake fragment
    (2) eap_ttls: [eaptls verify] = request
    (2) eap_ttls: [eaptls process] = handled
    (2) eap: Sending EAP Request (code 1) ID 206 length 231
    (2) eap: EAP session adding &reply:State = 0x3ad5cc8d381bd919
    (2) [eap] = handled
    (2) } # authenticate = handled
    (2) Using Post-Auth-Type Challenge
    (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (2) Challenge { … } # empty sub-section is ignored
    (2) Sent Access-Challenge Id 37 from 172.16.1.14:1812 to 172.16.1.25:56448 length 0
    (2) EAP-Message = 0x01ce00e71580000004bfbf424d0a0d365eae2bfc4e485a164843e5c79d3264931ae8ee1cec646bf6fc073ce0f1fb1914af8487a4bd7a4d24ceed9b63bdf84f5ebe25815289ff08e75e14c94b1c73fb0088626988121ffcf2b66737c9f421d17d4a750447e6b41d0f473dc9f097cecb57b0c550e7741a4e
    (2) Message-Authenticator = 0x00000000000000000000000000000000
    (2) State = 0x3ad5cc8d381bd919bf2f4b6dd6a06ef4
    (2) Finished request
    Waking up in 4.9 seconds.
    (3) Received Access-Request Id 38 from 172.16.1.25:56448 to 172.16.1.14:1812 length 387
    (3) User-Name = “[email protected]
    (3) NAS-IP-Address = 172.16.1.25
    (3) NAS-Identifier = “029fc26eac66”
    (3) Called-Station-Id = “02-9F-C2-6E-AC-66:HAAS_Student”
    (3) NAS-Port-Type = Wireless-802.11
    (3) Service-Type = Framed-User
    (3) Calling-Station-Id = “98-AF-65-08-37-02”
    (3) Connect-Info = “CONNECT 0Mbps 802.11b”
    (3) Acct-Session-Id = “37C8289B8D2F7CA7”
    (3) Acct-Multi-Session-Id = “DC7E9029C48AF6AE”
    (3) WLAN-Pairwise-Cipher = 1027076
    (3) WLAN-Group-Cipher = 1027076
    (3) WLAN-AKM-Suite = 1027073
    (3) WLAN-Group-Mgmt-Cipher = 1027078
    (3) Framed-MTU = 1400
    (3) EAP-Message = 0x02ce008815800000007e160303004610000042410420b898065746e53f921b7a2adf25d1b9f2e8845c3a76fd67531bb999a6577ed53aa429f635dde53c290ab85afc15d8dab90c35180e3447fa9a37ea22434c8f7314030300010116030300280000000000000000c1981ae5120f9fd048d6e155c74693
    (3) State = 0x3ad5cc8d381bd919bf2f4b6dd6a06ef4
    (3) Message-Authenticator = 0x23fc4a0fa143997f21fd295f3f12c4a9
    (3) session-state: No cached attributes
    (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (3) authorize {
    (3) policy filter_username {
    (3) if (&User-Name) {
    (3) if (&User-Name) -> TRUE
    (3) if (&User-Name) {
    (3) if (&User-Name =~ / /) {
    (3) if (&User-Name =~ / /) -> FALSE
    (3) if (&User-Name =~ /@[^@]*@/ ) {
    (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
    (3) if (&User-Name =~ /\.\./ ) {
    (3) if (&User-Name =~ /\.\./ ) -> FALSE
    (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
    (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
    (3) if (&User-Name =~ /\.$/) {
    (3) if (&User-Name =~ /\.$/) -> FALSE
    (3) if (&User-Name =~ /@\./) {
    (3) if (&User-Name =~ /@\./) -> FALSE
    (3) } # if (&User-Name) = notfound
    (3) } # policy filter_username = notfound
    (3) [preprocess] = ok
    (3) [chap] = noop
    (3) [mschap] = noop
    (3) [digest] = noop
    (3) suffix: Checking for suffix after “@”
    (3) suffix: Looking up realm “domain.com” for User-Name = “[email protected]
    (3) suffix: Found realm “domain.com”
    (3) suffix: Adding Stripped-User-Name = “user”
    (3) suffix: Adding Realm = “domain.com”
    (3) suffix: Authentication realm is LOCAL
    (3) [suffix] = ok
    (3) eap: Peer sent EAP Response (code 2) ID 206 length 136
    (3) eap: Continuing tunnel setup
    (3) [eap] = ok
    (3) } # authorize = ok
    (3) Found Auth-Type = eap
    (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (3) authenticate {
    (3) eap: Expiring EAP session with state 0x3ad5cc8d381bd919
    (3) eap: Finished EAP session with state 0x3ad5cc8d381bd919
    (3) eap: Previous EAP request found for state 0x3ad5cc8d381bd919, released from the list
    (3) eap: Peer sent packet with method EAP TTLS (21)
    (3) eap: Calling submodule eap_ttls to process data
    (3) eap_ttls: Authenticate
    (3) eap_ttls: Continuing EAP-TLS
    (3) eap_ttls: Peer indicated complete TLS record size will be 126 bytes
    (3) eap_ttls: Got complete TLS record (126 bytes)
    (3) eap_ttls: [eaptls verify] = length included
    (3) eap_ttls: TLS_accept: SSLv3/TLS write server done
    (3) eap_ttls: <<< recv TLS 1.2 [length 0046]
    (3) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
    (3) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
    (3) eap_ttls: <<>> send TLS 1.2 [length 0001]
    (3) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
    (3) eap_ttls: >>> send TLS 1.2 [length 0010]
    (3) eap_ttls: TLS_accept: SSLv3/TLS write finished
    (3) eap_ttls: (other): SSL negotiation finished successfully
    (3) eap_ttls: SSL Connection Established
    (3) eap_ttls: [eaptls process] = handled
    (3) eap: Sending EAP Request (code 1) ID 207 length 61
    (3) eap: EAP session adding &reply:State = 0x3ad5cc8d391ad919
    (3) [eap] = handled
    (3) } # authenticate = handled
    (3) Using Post-Auth-Type Challenge
    (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (3) Challenge { … } # empty sub-section is ignored
    (3) Sent Access-Challenge Id 38 from 172.16.1.14:1812 to 172.16.1.25:56448 length 0
    (3) EAP-Message = 0x01cf003d1580000000331403030001011603030028a84720c979cd4ada6e5d4015a41131f1cb2e44988c2070504509e7f15c19e598cff3b557f231747e
    (3) Message-Authenticator = 0x00000000000000000000000000000000
    (3) State = 0x3ad5cc8d391ad919bf2f4b6dd6a06ef4
    (3) Finished request
    Waking up in 4.9 seconds.
    (0) Cleaning up request packet ID 35 with timestamp +27
    (1) Cleaning up request packet ID 36 with timestamp +27
    (2) Cleaning up request packet ID 37 with timestamp +27
    (3) Cleaning up request packet ID 38 with timestamp +27

  12. Glenn says:

    Is there a way to restrict authentications to a particular OU in Google Workspace?

  13. Wade Gibson says:

    Thank you for this tutorial! I set up FreeRadius on an Ubuntu 20.04 LTS server and my macOS 11.6 Big Sur, iPad, and iPhone all connect without any additional configuration needed. I have tried numerous times to get a Windows 10 laptop and a Chromebook to connect, but I can’t seem to get either one to work. The Chromebook gave a fair amount of options, as far as being able to manually select EAP-TTLS/GTC and Do Not Check Server CA Certificate, so I thought I’d be able to get it online, but it always says “Authentication Certificate Rejected Locally.” I’m hopeful that someone can find a combination of settings that will work. Thanks!

    1. Yes, Windows 10 now does not work with private CA certificates like the ones in this FreeRADIUS install. Previously it used to prompt, but not any more. The solution would be to use certificates from a well-known CA. I haven’t tried this yet.

  14. Vidas says:

    Great post. I have the same setup in Ruckus and might have to do it with Unifi as well, so it’s good to know there’s somewhat of a cheat-sheet in case things go south. My question is: is it possible to add Google’s 2FA to this? I only saw examples with OpenLDAP and AD, and I wonder if it’s the same with GSuite.
    thanks!

    1. I haven’t tried that.

    2. Joshua says:

      Hi Vidas, you mentioned having the same setup in Ruckus, so I am wondering if you have the same authentication setup (Google Secure LDAP) working with Ruckus Zone Director?

      1. It’s based on RADIUS so it should work with Ruckus and other vendors as well.

  15. Matheos says:

    Hello Nasir,
    After configuring the files, FreeRadius does not start anymore and I get the following error.
    Thanks in advance.

    The process’ exit code is ‘exited’ and its exit status is 1.
    Feb 27 22:06:46 raspberrypi systemd[1]: freeradius.service: Failed with result ‘
    — Subject: Unit failed
    — Defined-By: systemd
    — Support: https://www.debian.org/support

    — The unit freeradius.service has entered the ‘failed’ state with result ‘exit-
    Feb 27 22:06:46 raspberrypi systemd[1]: Failed to start FreeRADIUS multi-protoco
    — Subject: A start job for unit freeradius.service has failed

    1. Start it in debugging mode and use that for troubleshooting.

  16. filippo says:

    Hi Nasir,
    Everything’s working fine except users cannot authenticate with this username format:
    [email protected]
    but only with
    name.username

    What am I missing?

    1. It should work with both formats. Make sure your proxy.conf settings are correct.

  17. James says:

    I followed these instructions and am able to get all other devices to authenticate using EAP-TTLS (GTC), but I cannot for the life of me get Windows 10 to authenticate.
    Scenario: 1. I connect to the SSID
    2. Freeradius asks me to validate my credentials
    3. I am greeted with another window, “Enter Network Security Key” – to which I don’t know. Even when I use my password again, I get a “can’t connect to network” message. Any help would be greatly appreciated.

    1. Windows 10 does not work with unknown CA certificates. You can generate CA certificates using FreeRADIUS and import them in your Windows machines.

    2. I’ve updated the post with a section for generating and adding certificates for Windows clients!

  18. Michael says:

    Hello Nasir, any updates on windows 10 and freeradius? I have tested everything but no luck, we have google ldap in the freeradius, mac working great but not windows.

    1. Yes, I got it to work on Windows as well. I probably should have documented that in a separate blog post. It used private CA certificates generated using FreeRADIUS and imported on Windows.

      1. Michael says:

        That would be awesome with a document how to do it right for windows 10/11 🙂

        1. I’ve updated the post with a section for generating and adding certificates for Windows clients!

      2. Juan Carlos says:

        Hi Nasir, thank you so much for documenting this particular scenario. By the way, did you have the chance to finish it? Perhaps it was already posted in a separate blog post as you mentioned and I’ve missed it. Thanks again!

        1. I’ve updated the post with a section for generating and adding certificates for Windows clients!

  19. Aleks says:

    Hello Nasir.
    Any chance you could add support for LDAP groups? I’ve played a lot with the configuration, but authorization based on Google LDAP groups doesn’t work for me.
    P.S.
    Anyone else with the same issue?

  20. Luis says:

    Hi Nasir, it’s been a few months now that I have been trying to make this work with Windows clients. I generated CA.DER with the FreeRADIUS script and imported it on the Windows machines, but I am still unable to connect; other Apple and Android machines have no problem.

    I am now getting:

    (75) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
    (75) mschap: Creating challenge hash with username: alumna.test
    (75) mschap: Client is using MS-CHAPv2
    (75) mschap: ERROR: FAILED: No NT-Password. Cannot perform authentication
    (75) mschap: ERROR: MS-CHAP2-Response is incorrect

    1. Luis says:

      Thanks so much for your help, it is greatly appreciated.

    2. I’ve updated the post with a section for generating and adding certificates for Windows clients!

  21. This is what I am getting when I try to connect, using freeradius -X debug. Any help is appreciated.

    Ignoring request to auth address * port 1812 bound to server default from unknown client 10.10.13.74 port 57235 proto udp

  22. Don’t know what I did, but a restart fixed it. I’m able to authenticate on iPads and iPhones now! TY so much Nasir

  23. I am also having Windows WiFi authentication problems. I have tried importing the cert after making one with FreeRADIUS. Any help would be greatly appreciated!

    1. I’ve updated the post with a section for generating and adding certificates for Windows clients!

  24. Antonio says:

    Hi, I’m having an auth problem.
    My log …
    (5) Received Access-Request Id 20 from 192.168.1.89:59681 to 192.168.1.254:1812 length 353
    (5) User-Name = “[email protected]
    (5) NAS-IP-Address = 192.168.1.89
    (5) NAS-Identifier = “TP-Link:D2-32-E5-07-AA-BA”
    (5) NAS-Port-Id = “00000001”
    (5) Called-Station-Id = “D2-32-E5-07-AA-BA:test”
    (5) NAS-Port-Type = Wireless-802.11
    (5) Event-Timestamp = “Jul 17 2022 22:02:05 UTC”
    (5) Service-Type = Framed-User
    (5) Calling-Station-Id = “24-18-1D-0C-74-C3”
    (5) Connect-Info = “CONNECT 0Mbps 802.11b”
    (5) Acct-Session-Id = “d232e507aaba-607E350E2F95A0BC”
    (5) Acct-Multi-Session-Id = “D6F6EAC41CB2D2B4”
    (5) WLAN-Pairwise-Cipher = 1027076
    (5) WLAN-Group-Cipher = 1027076
    (5) WLAN-AKM-Suite = 1027073
    (5) Framed-MTU = 1400
    (5) EAP-Message = 0x0278003b15001703030030000000000000000208d0d7f1f58df68f431ed45daf3ed427ef761981ec6dda845d83d5ed5aaf82bb9891017c2a9e7a71
    (5) State = 0xc566114cc11e045b5f3fa74c07ac15e2
    (5) Message-Authenticator = 0xd68259c94fb662a335eeb6cff9cc0a25
    (5) Restoring &session-state
    (5) &session-state:Framed-MTU = 994
    (5) &session-state:TLS-Session-Information = “(TLS) recv TLS 1.3 Handshake, ClientHello”
    (5) &session-state:TLS-Session-Information = “(TLS) send TLS 1.2 Handshake, ServerHello”
    (5) &session-state:TLS-Session-Information = “(TLS) send TLS 1.2 Handshake, Certificate”
    (5) &session-state:TLS-Session-Information = “(TLS) send TLS 1.2 Handshake, ServerKeyExchange”
    (5) &session-state:TLS-Session-Information = “(TLS) send TLS 1.2 Handshake, ServerHelloDone”
    (5) &session-state:TLS-Session-Information = “(TLS) recv TLS 1.2 Handshake, ClientKeyExchange”
    (5) &session-state:TLS-Session-Information = “(TLS) recv TLS 1.2 Handshake, Finished”
    (5) &session-state:TLS-Session-Information = “(TLS) send TLS 1.2 ChangeCipherSpec”
    (5) &session-state:TLS-Session-Information = “(TLS) send TLS 1.2 Handshake, Finished”
    (5) &session-state:TLS-Session-Cipher-Suite = “ECDHE-RSA-AES128-GCM-SHA256”
    (5) &session-state:TLS-Session-Version = “TLS 1.2”
    (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (5) authorize {
    (5) policy filter_username {
    (5) if (&User-Name) {
    (5) if (&User-Name) -> TRUE
    (5) if (&User-Name) {
    (5) if (&User-Name =~ / /) {
    (5) if (&User-Name =~ / /) -> FALSE
    (5) if (&User-Name =~ /@[^@]*@/ ) {
    (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
    (5) if (&User-Name =~ /\.\./ ) {
    (5) if (&User-Name =~ /\.\./ ) -> FALSE
    (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
    (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
    (5) if (&User-Name =~ /\.$/) {
    (5) if (&User-Name =~ /\.$/) -> FALSE
    (5) if (&User-Name =~ /@\./) {
    (5) if (&User-Name =~ /@\./) -> FALSE
    (5) } # if (&User-Name) = notfound
    (5) } # policy filter_username = notfound
    (5) [preprocess] = ok
    (5) [digest] = noop
    (5) suffix: Checking for suffix after “@”
    (5) suffix: Looking up realm “iissgarrone.edu.it” for User-Name = “[email protected]
    (5) suffix: Found realm “iissgarrone.edu.it”
    (5) suffix: Adding Stripped-User-Name = “antoniocangiano”
    (5) suffix: Adding Realm = “iissgarrone.edu.it”
    (5) suffix: Authentication realm is LOCAL
    (5) [suffix] = ok
    (5) eap: Peer sent EAP Response (code 2) ID 120 length 59
    (5) eap: Continuing tunnel setup
    (5) [eap] = ok
    (5) } # authorize = ok
    (5) Found Auth-Type = eap
    (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (5) authenticate {
    (5) eap: Expiring EAP session with state 0x787ebb25787fbd70
    (5) eap: Finished EAP session with state 0xc566114cc11e045b
    (5) eap: Previous EAP request found for state 0xc566114cc11e045b, released from the list
    (5) eap: Peer sent packet with method EAP TTLS (21)
    (5) eap: Calling submodule eap_ttls to process data
    (5) eap_ttls: Authenticate
    (5) eap_ttls: (TLS) EAP Done initial handshake
    (5) eap_ttls: Session established. Proceeding to decode tunneled attributes
    (5) eap_ttls: Got tunneled request
    (5) eap_ttls: EAP-Message = 0x0201000e06476172726f6e653232
    (5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
    (5) eap_ttls: Sending tunneled request
    (5) Virtual server inner-tunnel received request
    (5) EAP-Message = 0x0201000e06476172726f6e653232
    (5) FreeRADIUS-Proxied-To = 127.0.0.1
    (5) User-Name = “[email protected]
    (5) State = 0x787ebb25787fbd708b134ef9ad80f37c
    (5) WARNING: Outer and inner identities are the same. User privacy is compromised.
    (5) server inner-tunnel {
    (5) session-state: No cached attributes
    (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
    (5) authorize {
    (5) policy filter_username {
    (5) if (&User-Name) {
    (5) if (&User-Name) -> TRUE
    (5) if (&User-Name) {
    (5) if (&User-Name =~ / /) {
    (5) if (&User-Name =~ / /) -> FALSE
    (5) if (&User-Name =~ /@[^@]*@/ ) {
    (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
    (5) if (&User-Name =~ /\.\./ ) {
    (5) if (&User-Name =~ /\.\./ ) -> FALSE
    (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
    (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
    (5) if (&User-Name =~ /\.$/) {
    (5) if (&User-Name =~ /\.$/) -> FALSE
    (5) if (&User-Name =~ /@\./) {
    (5) if (&User-Name =~ /@\./) -> FALSE
    (5) } # if (&User-Name) = notfound
    (5) } # policy filter_username = notfound
    (5) suffix: Checking for suffix after “@”
    (5) suffix: Looking up realm “iissgarrone.edu.it” for User-Name = “[email protected]
    (5) suffix: Found realm “iissgarrone.edu.it”
    (5) suffix: Adding Stripped-User-Name = “antoniocangiano”
    (5) suffix: Adding Realm = “iissgarrone.edu.it”
    (5) suffix: Authentication realm is LOCAL
    (5) [suffix] = ok
    (5) update control {
    (5) &Proxy-To-Realm := LOCAL
    (5) } # update control = noop
    (5) eap: Peer sent EAP Response (code 2) ID 1 length 14
    (5) eap: No EAP Start, assuming it’s an on-going EAP conversation
    (5) [eap] = updated
    rlm_ldap (ldap): Reserved connection (0)
    (5) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
    (5) ldap: –> (uid=antoniocangiano)
    (5) ldap: Performing search in “ou=Users,dc=iissgarrone,dc=edu,dc=it” with filter “(uid=antoniocangiano)”, scope “sub”
    (5) ldap: Waiting for search result…
    (5) ldap: User object found at DN “uid=antoniocangiano,ou=Users,dc=iissgarrone,dc=edu,dc=it”
    (5) ldap: Processing user attributes
    (5) ldap: WARNING: No “known good” password added. Ensure the admin user has permission to read the password attribute
    (5) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
    rlm_ldap (ldap): Released connection (0)
    Need more connections to reach 10 spares
    rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
    rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
    rlm_ldap (ldap): Waiting for bind result…
    ber_get_next failed, errno=11.
    rlm_ldap (ldap): Bind successful
    (5) [ldap] = ok
    (5) [expiration] = noop
    (5) [logintime] = noop
    (5) [pap] = noop
    (5) if (User-Password) {
    (5) if (User-Password) -> FALSE
    (5) } # authorize = updated
    (5) Found Auth-Type = eap
    (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
    (5) authenticate {
    (5) eap: Expiring EAP session with state 0x787ebb25787fbd70
    (5) eap: Finished EAP session with state 0x787ebb25787fbd70
    (5) eap: Previous EAP request found for state 0x787ebb25787fbd70, released from the list
    (5) eap: Peer sent packet with method EAP GTC (6)
    (5) eap: Calling submodule eap_gtc to process data
    (5) eap_gtc: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
    (5) eap_gtc: Auth-Type PAP {
    rlm_ldap (ldap): Reserved connection (1)
    (5) ldap: Login attempt by “antoniocangiano”
    (5) ldap: Using user DN from request “uid=antoniocangiano,ou=Users,dc=iissgarrone,dc=edu,dc=it”
    (5) ldap: Waiting for bind result…
    (5) ldap: ERROR: Bind credentials incorrect: Invalid credentials
    (5) ldap: ERROR: Server said: Incorrect password.
    rlm_ldap (ldap): Released connection (1)
    Need more connections to reach 10 spares
    rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used
    rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
    rlm_ldap (ldap): Waiting for bind result…
    ber_get_next failed, errno=11.
    rlm_ldap (ldap): Bind successful
    (5) eap_gtc: [ldap] = reject
    (5) eap_gtc: } # Auth-Type PAP = reject
    (5) eap: ERROR: Failed continuing EAP GTC (6) session. EAP sub-module failed
    (5) eap: Sending EAP Failure (code 4) ID 1 length 4
    (5) eap: Failed in EAP select
    (5) [eap] = invalid
    (5) } # authenticate = invalid
    (5) Failed to authenticate the user
    (5) Using Post-Auth-Type Reject
    (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
    (5) Post-Auth-Type REJECT {
    (5) attr_filter.access_reject: EXPAND %{User-Name}
    (5) attr_filter.access_reject: –> [email protected]
    (5) attr_filter.access_reject: Matched entry DEFAULT at line 11
    (5) [attr_filter.access_reject] = updated
    (5) update outer.session-state {
    (5) &Module-Failure-Message := &request:Module-Failure-Message -> ‘ldap: Bind credentials incorrect: Invalid credentials’
    (5) } # update outer.session-state = noop
    (5) } # Post-Auth-Type REJECT = updated
    (5) } # server inner-tunnel
    (5) Virtual server sending reply
    (5) EAP-Message = 0x04010004
    (5) Message-Authenticator = 0x00000000000000000000000000000000
    (5) eap_ttls: Got tunneled Access-Reject
    (5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
    (5) eap: Sending EAP Failure (code 4) ID 120 length 4
    (5) eap: Failed in EAP select
    (5) [eap] = invalid
    (5) } # authenticate = invalid
    (5) Failed to authenticate the user
    (5) Using Post-Auth-Type Reject
    (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (5) Post-Auth-Type REJECT {
    (5) attr_filter.access_reject: EXPAND %{User-Name}
    (5) attr_filter.access_reject: –> [email protected]
    (5) attr_filter.access_reject: Matched entry DEFAULT at line 11
    (5) [attr_filter.access_reject] = updated
    (5) [eap] = noop
    (5) policy remove_reply_message_if_eap {
    (5) if (&reply:EAP-Message && &reply:Reply-Message) {
    (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
    (5) else {
    (5) [noop] = noop
    (5) } # else = noop
    (5) } # policy remove_reply_message_if_eap = noop
    (5) } # Post-Auth-Type REJECT = updated
    (5) Delaying response for 1.000000 seconds
    Waking up in 0.9 seconds.
    (5) (5) Discarding duplicate request from client test port 59681 – ID: 20 due to delayed response
    Waking up in 0.7 seconds.
    (5) Sending delayed response
    (5) Sent Access-Reject Id 20 from 192.168.1.254:1812 to 192.168.1.89:59681 length 44
    (5) EAP-Message = 0x04780004
    (5) Message-Authenticator = 0x00000000000000000000000000000000
    Waking up in 1.0 seconds.
    (0) Cleaning up request packet ID 15 with timestamp +5 due to cleanup_delay was reached
    (1) Cleaning up request packet ID 16 with timestamp +5 due to cleanup_delay was reached
    (2) Cleaning up request packet ID 17 with timestamp +5 due to cleanup_delay was reached
    (3) Cleaning up request packet ID 18 with timestamp +5 due to cleanup_delay was reached
    (4) Cleaning up request packet ID 19 with timestamp +5 due to cleanup_delay was reached
    Waking up in 2.8 seconds.
    (5) Cleaning up request packet ID 20 with timestamp +5 due to cleanup_delay was reached
    Ready to process requests

    Can you help me?

  25. Tony says:

    Thanks for the instructions. I followed the steps you provided, including setting up the Unifi Controller, but I am having a connection issue: I could not connect using my user name and password.
    On debugging with freeradius -X, the output is below:
    Ignoring request to auth address * port 1812 bound to server default from unknown client 154.68.248.114 port 33637 proto udp.
    Please, what could have gone wrong?

    1. Titus says:

      You need to add the AP IP address to your client.conf file.

  26. Shou says:

    Hello, I managed to use this tutorial successfully with Unifi Cloudkey. Sadly, I have one constraint: no certificate installation is wanted on the local device. Is there a way to make it work without this certificate part (yeah, even I, when I write this, obviously guess it’s a no)? Or is there a way to use a public certificate that the machine could grab online? Or any other suggestion… Thx a lot

    1. You’re referring to “Generating Certificates for Windows Clients” section? Yes it might be possible to use public certificates, but I haven’t tried that.

      1. Shou says:

        Hello, I’m referring to the whole “Installing Certificates on Client Machines” part. In the situation I’m facing, it’s not corporate machines that are going to log in, so there can be no “pre-deployment” with a GPO or something, and we can’t ask the users to do that (lambda users). That’s why I was wondering if a public certificate (ex: wildcard certificate generated with GoDaddy) would allow us to skip such local operations. And thanks again for this great tutorial; I can attest it works nicely. The problem I face is just a “bonus”, but otherwise it works.

  27. Shou says:

    Oh well, just to share a bit more knowledge: it isn’t possible to use public certs for FreeRADIUS… https://kiwix.ounapuu.ee/serverfault.com_en_all_2019-02/A/question/692850.html

  28. David says:

    Hi Nasir, great job! Thank you very much for this.
    I’ve one more question about dynamic VLAN assignment: in our school we use 2 different VLANs, one for teachers and one for students.
    On the Google Workspace side we also have 2 different user groups. Is it possible, and how, to have FreeRADIUS dynamically assign the right VLAN id to an authenticated user (teacher or student)? Thank you!

    1. Yeah must be possible, but I don’t have the configurations for it at the moment
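
    Group-based authorization (comment 19) and dynamic VLAN assignment (comment 28) can both be built on rlm_ldap’s group checks. The fragments below are an added example, not the post author’s configuration and not something the author tested; they assume the directory layout used in the post (ou=Users and ou=Groups under your base_dn), placeholder group DNs cn=teachers and cn=students, placeholder VLAN ids 20 and 30, and that Google Secure LDAP exposes a user’s group membership on the user entry through the memberOf attribute (check that against your own directory with an LDAP search before relying on it).

```unlang
# --- /etc/freeradius/3.0/mods-available/ldap: add a group sub-section ---
# Tells rlm_ldap how to resolve group membership. membership_attribute makes
# the module read the user's own memberOf values, so an LDAP-Group comparison
# against a group DN needs no separate group search.
ldap {
    # ... keep the server / identity / password / base_dn / user settings from the post ...
    group {
        base_dn = "ou=Groups,${..base_dn}"
        filter = "(objectClass=groupOfNames)"   # assumption: object class of Google group entries
        name_attribute = cn
        membership_attribute = "memberOf"      # assumption: memberOf is present on user entries
        cacheable_name = "no"
        cacheable_dn = "no"
    }
}

# --- /etc/freeradius/3.0/sites-enabled/inner-tunnel: post-auth section ---
# With EAP-TTLS the user is authenticated inside the inner tunnel, so the group
# decision is made here. The VLAN attributes are written to the OUTER reply,
# which is the Access-Accept the access point actually receives.
post-auth {
    # Placeholder group DNs and VLAN ids; replace with your own.
    if (&LDAP-Group == "cn=teachers,ou=Groups,dc=example,dc=com") {
        update outer.reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "20"
        }
    }
    elsif (&LDAP-Group == "cn=students,ou=Groups,dc=example,dc=com") {
        update outer.reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "30"
        }
    }
    else {
        # Authorization by group: a user in neither group is rejected even
        # though the LDAP bind with their password succeeded, so nobody lands
        # on a VLAN by accident.
        update request {
            &Module-Failure-Message := "User is not a member of an authorized group"
        }
        reject
    }

    # ... keep the rest of the existing post-auth section below this point ...
}
```

    The mapping lives in the inner-tunnel because that is where the LDAP bind happened and where the user DN is cached; `update outer.reply` pushes the Tunnel-* attributes into the outer Access-Accept. On the Unifi side the WLAN must be configured to accept RADIUS-assigned VLANs and the VLANs must be trunked to the access points. In `freeradius -X` output you should see the `if (&LDAP-Group == ...) -> TRUE` line followed by the `update outer.reply` block for an authenticated user, and the Module-Failure-Message above for a user outside both groups.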

  29. Alberto says:

    Hello Nasir, great job, and thank you very much for your guide; it’s really fine.
    I have a question: is it possible to use multiple base_dn values with the same LDAP server?

    Actually our server works fine (FreeRADIUS + Google LDAP), but we have this problem: we can only validate one base_dn.

    Regards.

    1. I’m not sure about it.
