Netgate Discussion Forum

WiFi authentication with FreeRADIUS and Google LDAP

Wireless
  • D
    datafaber
    last edited by Feb 21, 2019, 3:48 PM

    Hello,

    I'm having issues in using pfSense 2.4.4p2 and its FreeRADIUS package to implement 802.1x authentication on wired and wireless networks with dynamic VLAN allocation, with users declared in Google Cloud Identity.

    I've defined an LDAP client in Google's console, given it the correct rights to read user and group information and verify user credentials, and I've imported the certificates in pfSense's Certificate Manager.

    I've tried several different configurations in FreeRADIUS, but no matter what I configure I'm unable to authenticate my client and I'm not getting an IP address. I've checked Google's LDAP audit logs and I see FreeRADIUS successfully binding and executing a search for the user I'm trying to log on as.

    I've looked at https://docs.netgate.com/pfsense/en/latest/usermanager/google-gsuite-auth-source.html but that page is for a different use case than the one I'm trying to implement.

    I've managed to implement 802.1x with the same pfSense + FreeRADIUS setup and Unifi UAP-AC-PRO access points, but I had to configure users and password in FreeRADIUS itself.

    Has anyone managed to make it work with Google LDAP?

    Thanks in advance for any help.

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Feb 21, 2019, 7:14 PM

      I don't think that FreeRADIUS+LDAP supports using LDAP client certificates, which is required by Google LDAP. Maybe try the stunnel method explained in the doc, but point FreeRADIUS at the local end of the stunnel connection.

      • D
        datafaber
        last edited by Feb 22, 2019, 4:23 PM

        I've tried the stunnel method, it successfully binds to Google LDAP but I get the same kind of errors:

        Feb 22 16:19:45 	radiusd 	68008 	rlm_ldap (ldap): Opening additional connection (9), 1 of 2 pending slots used
        Feb 22 16:19:45 	stunnel 		LOG5[12]: Service [Google LDAP] accepted connection from 127.0.0.1:20026
        Feb 22 16:19:45 	stunnel 		LOG6[12]: s_connect: connecting 216.239.32.58:636
        Feb 22 16:19:45 	stunnel 		LOG5[12]: s_connect: connected 216.239.32.58:636
        Feb 22 16:19:45 	stunnel 		LOG5[12]: Service [Google LDAP] connected remote server from 192.168.4.133:20553
        Feb 22 16:19:45 	stunnel 		LOG6[12]: SNI: sending servername: ldap.google.com
        Feb 22 16:19:45 	stunnel 		LOG6[12]: Peer certificate not required
        Feb 22 16:19:45 	stunnel 		LOG6[12]: TLS connected: previous session reused
        Feb 22 16:19:45 	stunnel 		LOG6[12]: TLSv1.2 ciphersuite: ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
        Feb 22 16:19:46 	radiusd 	68008 	Need 1 more connections to reach min connections (5)
        Feb 22 16:19:46 	radiusd 	68008 	rlm_ldap (ldap): Opening additional connection (10), 1 of 1 pending slots used
        Feb 22 16:19:46 	stunnel 		LOG5[13]: Service [Google LDAP] accepted connection from 127.0.0.1:64932
        Feb 22 16:19:46 	stunnel 		LOG6[13]: s_connect: connecting 216.239.32.58:636
        Feb 22 16:19:46 	stunnel 		LOG5[13]: s_connect: connected 216.239.32.58:636
        Feb 22 16:19:46 	stunnel 		LOG5[13]: Service [Google LDAP] connected remote server from 192.168.4.133:9142
        Feb 22 16:19:46 	stunnel 		LOG6[13]: SNI: sending servername: ldap.google.com
        Feb 22 16:19:46 	stunnel 		LOG6[13]: Peer certificate not required
        Feb 22 16:19:46 	stunnel 		LOG6[13]: TLS connected: previous session reused
        Feb 22 16:19:46 	stunnel 		LOG6[13]: TLSv1.2 ciphersuite: ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
        Feb 22 16:19:47 	radiusd 	68008 	(98) Login incorrect (eap_md5: Cleartext-Password is required for EAP-MD5 authentication): [myuser@example.com] (from client ap01 port 0 cli 3C-28-6D-27-66-34 via TLS tunnel) myuser@example.com
        Feb 22 16:19:47 	radiusd 	68008 	(99) eap_peap: This means you need to read the PREVIOUS messages in the debug output
        Feb 22 16:19:47 	radiusd 	68008 	(99) eap_peap: to find out the reason why the user was rejected
        Feb 22 16:19:47 	radiusd 	68008 	(99) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
        Feb 22 16:19:47 	radiusd 	68008 	(99) eap_peap: what went wrong, and how to fix the problem
        Feb 22 16:19:47 	radiusd 	68008 	(99) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [myuser@example.com] (from client ap01 port 0 cli 3C-28-6D-27-66-34) myuser@example.com
        Feb 22 16:19:55 	radiusd 	68008 	(108) Login incorrect (eap_md5: Cleartext-Password is required for EAP-MD5 authentication): [myuser@example.com] (from client ap01 port 0 cli 3C-28-6D-27-66-34 via TLS tunnel) myuser@example.com
        Feb 22 16:19:55 	radiusd 	68008 	(109) eap_peap: This means you need to read the PREVIOUS messages in the debug output
        Feb 22 16:19:55 	radiusd 	68008 	(109) eap_peap: to find out the reason why the user was rejected
        Feb 22 16:19:55 	radiusd 	68008 	(109) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
        Feb 22 16:19:55 	radiusd 	68008 	(109) eap_peap: what went wrong, and how to fix the problem
        Feb 22 16:19:55 	radiusd 	68008 	(109) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [myuser@example.com] (from client ap01 port 0 cli 3C-28-6D-27-66-34) myuser@example.com
        Feb 22 16:19:56 	radiusd 	68008 	(118) Login incorrect (eap_md5: Cleartext-Password is required for EAP-MD5 authentication): [myuser@example.com] (from client ap01 port 0 cli 3C-28-6D-27-66-34 via TLS tunnel) myuser@example.com
        Feb 22 16:19:56 	radiusd 	68008 	(119) eap_peap: This means you need to read the PREVIOUS messages in the debug output
        Feb 22 16:19:56 	radiusd 	68008 	(119) eap_peap: to find out the reason why the user was rejected
        Feb 22 16:19:56 	radiusd 	68008 	(119) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
        Feb 22 16:19:56 	radiusd 	68008 	(119) eap_peap: what went wrong, and how to fix the problem
        Feb 22 16:19:56 	radiusd 	68008 	(119) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [myuser@example.com] (from client ap01 port 0 cli 3C-28-6D-27-66-34) myuser@example.com
        

        The password is definitely OK, since in Diagnostics > Authentication the same login and password work perfectly.

        I've also tried to add a user in the User Manager whose login is the same as the uid in Google LDAP, but without any password, and I get the following error:

        Feb 22 16:24:35 	radiusd 	57636 	rlm_ldap (ldap): Opening additional connection (1), 1 of 4 pending slots used
        Feb 22 16:24:35 	stunnel 		LOG5[23]: Service [Google LDAP] accepted connection from 127.0.0.1:17158
        Feb 22 16:24:35 	stunnel 		LOG6[23]: s_connect: connecting 216.239.32.58:636
        Feb 22 16:24:35 	stunnel 		LOG5[23]: s_connect: connected 216.239.32.58:636
        Feb 22 16:24:35 	stunnel 		LOG5[23]: Service [Google LDAP] connected remote server from 192.168.4.133:59393
        Feb 22 16:24:35 	stunnel 		LOG6[23]: SNI: sending servername: ldap.google.com
        Feb 22 16:24:35 	stunnel 		LOG6[23]: Peer certificate not required
        Feb 22 16:24:35 	stunnel 		LOG6[23]: TLS connected: previous session reused
        Feb 22 16:24:35 	stunnel 		LOG6[23]: TLSv1.2 ciphersuite: ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
        Feb 22 16:24:36 	radiusd 	57636 	(6) Login incorrect (eap_md5: Cleartext-Password is required for EAP-MD5 authentication): [myuser@example.com] (from client ap01 port 0 cli 3C-28-6D-27-66-34 via TLS tunnel) myuser@example.com
        Feb 22 16:24:36 	radiusd 	57636 	(6) Login incorrect (eap: Failed continuing EAP TTLS (21) session. EAP sub-module failed): [myuser@example.com] (from client ap01 port 0 cli 3C-28-6D-27-66-34) myuser@example.com
        

        I can't see what I'm doing wrong; it seems like I'm close to a solution, but there are some missing steps which I'm not getting.
        • W
          weehooey
          last edited by Jun 28, 2019, 1:30 AM

          Were you able to get this to work?

          We are using Google Cloud Identity to authenticate with the pfSense and OpenVPN but we would like to add two-factor authentication. Thinking if we could point FreeRADIUS to Google Cloud Identity, we could then layer on 2FA.

          Any help or suggestions would be appreciated.

          • D
            datafaber
            last edited by Jun 28, 2019, 5:37 PM

            Unfortunately I couldn't get this to work, and I've since then left that company so I don't know if they've managed to make it work.

            • W
              willb0t @datafaber
              last edited by willb0t Sep 2, 2023, 12:45 AM Sep 2, 2023, 12:41 AM

              @datafaber & @weehooey So I have freeradius3 working on my pfSense FW, both as an LDAP authentication source under User Manager and as LDAP over SSL with a bind to ldap.google.com using the Google-provided cert.
              It involved manually editing the conf files; if you make any changes in the web UI it will overwrite them with the incorrect settings.
              I am documenting this as I need to take this from the test env to the real env for 2FA.

              https://www.nasirhafeez.com/freeradius-with-google-g-suite-workspace-secure-ldap-for-wpa2-enterprise-wifi/
              Following this article I was able to get an Ubuntu VM running and connecting freeradius3 to Google LDAP, then adapting it to follow how the pfSense FreeRADIUS package wants it.

              I uploaded the crt and key into the Cert Manager on pfSense.
              Defined everything in the GUI like bind user / pass.

              Set up the two interface ports.
              I did the NAS/Client.
              I checked "Disable weak EAP types: MD5 and GTC" and set Default EAP type to TTLS.

              Selected SSL Server Cert to my Google-imported cert.
              Set EAP TTLS Default EAP Type to GTC.

              Enabled both LDAP Auth.
              Plugged in Server address ldap.google.com port 636 and bind user / password.

              Enabled TLS support, selected my SSL Server Cert imported from Google and set Verification to ALLOW.

              Fun part, editing manually:

              Edit the default virtual server:

              nano /etc/freeradius/3.0/sites-enabled/default, which is /usr/local/etc/raddb/sites-enabled/default
              In the authorize section, after pap, add this:

                  # When the inner request carries a cleartext password (TTLS/PAP or GTC),
                  # authenticate by binding to LDAP as that user instead of comparing locally.
                  if (User-Password) {
                      update control {
                          Auth-Type := ldap
                      }
                  }

              Making it look like this, following the working config from the running freeradius3 server.

              Once the radiusd service was restarted, I was able to authenticate using the RADIUS server under Authentication Servers.

              What I could use help with is getting the syntax correct for group membership in LDAP to show up in FreeRADIUS.
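The procedure willb0t describes above, expanded into one annotated FreeRADIUS 3.0 configuration that also covers the group-membership syntax asked about and the dynamic VLAN assignment the original poster wanted. This is an added example; it is not code from the thread, from the pfSense FreeRADIUS package, or from the linked article. It assumes the stock module and virtual-server names (`ldap`, `inner-tunnel`), the Google Secure LDAP tree layout `ou=Users` / `ou=Groups` under a placeholder base DN, a placeholder group `wifi-staff` mapped to VLAN `20`, and placeholder paths for the Google-issued client certificate and key; the `memberOf` / `member` / `memberUid` attribute names are an assumption about Google's schema that should be checked against your own directory with an LDAP search first.

```freeradius
# mods-enabled/ldap (excerpt): rlm_ldap pointed straight at Google Secure LDAP.
# Google requires a client certificate on the LDAPS connection; rlm_ldap presents
# it from the tls { } block, so no stunnel hop is needed.
ldap {
    server   = 'ldap.google.com'
    port     = 636                       # LDAPS, not STARTTLS
    identity = 'BIND_USER_PLACEHOLDER'   # Google "access credentials" username
    password = 'BIND_PASS_PLACEHOLDER'
    base_dn  = 'dc=example,dc=com'       # placeholder domain

    user {
        base_dn = "ou=Users,${..base_dn}"
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn        = "ou=Groups,${..base_dn}"
        filter         = '(objectClass=posixGroup)'
        name_attribute = cn               # lets unlang compare LDAP-Group by cn
        # Assumed Google schema: users carry memberOf, groups carry member/memberUid.
        membership_attribute = 'memberOf'
        membership_filter    = "(|(member=%{control:${..user_dn}})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
    }

    tls {
        start_tls        = no                                 # port 636 is already TLS
        ca_file          = /usr/local/share/certs/ca-root-nss.crt   # placeholder CA bundle
        certificate_file = /path/to/google-ldap-client.crt    # placeholder, from Google console
        private_key_file = /path/to/google-ldap-client.key    # placeholder
        require_cert     = 'demand'                           # verify Google's server cert
    }
}

# mods-enabled/eap (excerpt): EAP-TTLS with an inner method that delivers the
# plaintext password inside the TLS tunnel, which is what an LDAP bind needs.
# EAP-MD5 and MSCHAPv2 need the cleartext or NT-hash password at the server,
# which an LDAP bind cannot provide; that is the "Cleartext-Password is required
# for EAP-MD5" rejection seen in the logs earlier in this thread.
eap {
    default_eap_type = ttls
    tls-config tls-common {
        certificate_file = /path/to/radius-server.crt   # placeholder; supplicants must validate this
        private_key_file = /path/to/radius-server.key   # placeholder
    }
    ttls {
        tls                    = tls-common
        default_eap_type       = gtc        # TTLS/PAP (no inner EAP) also works
        virtual_server         = "inner-tunnel"
        copy_request_to_tunnel = yes
        use_tunneled_reply     = yes        # carry inner VLAN attributes to the outer Access-Accept
    }
    gtc {
        auth_type = PAP                     # route the GTC password through the PAP/LDAP path
    }
}

# sites-enabled/inner-tunnel (excerpt). willb0t placed the Auth-Type override in
# sites-enabled/default; on a stock install the TTLS inner request lands here.
authorize {
    filter_username
    ldap                       # user lookup; sets LDAP-UserDn and enables LDAP-Group
    if ((ok || updated) && User-Password) {
        update control {
            Auth-Type := ldap  # authenticate by binding to Google as the user
        }
    }
    pap
}

authenticate {
    Auth-Type ldap {
        ldap
    }
    pap
}

post-auth {
    # Dynamic VLAN: map directory group to VLAN; anyone not in the group is rejected.
    if (LDAP-Group == "wifi-staff") {
        update reply {
            Tunnel-Type             := VLAN
            Tunnel-Medium-Type      := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }
    else {
        reject
    }
}
```

Because GTC and TTLS/PAP send the user's password through the tunnel in cleartext, the outer TLS is the only thing protecting it: the server certificate in `tls-common` should be one the supplicants are configured to validate (CA and server name), not merely accept. Run `radiusd -X` after editing and look for `rlm_ldap (ldap): Bind successful` on the user DN and for the `LDAP-Group` comparison result; with the pfSense package, re-check the files after any GUI save, since willb0t notes the GUI regenerates them.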
              • L
                laurens.DS @willb0t
                last edited by 30 days ago

                @willb0t Has anyone done this recently?
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.