Install FreeRadius

1. Install FreeRADIUS and its required packages:

apt update && apt upgrade
apt -y install freeradius freeradius-ldap freeradius-utils

2. Upload the certificate and key files downloaded from Google G-Suite Admin account into the following directory:

/etc/freeradius/3.0/certs/

Rename those files to:

ldap-client.crt
ldap-client.key

3. Edit `clients.conf`:

nano /etc/freeradius/3.0/clients.conf

Add the following lines at the end (replace 192.168.1.0/24 with your LAN subnet and testing123 with a more secure secret):

client unifi {
       ipaddr          = 192.168.1.0/24
       secret          = testing123
}

4. Edit the default virtual server:

nano /etc/freeradius/3.0/sites-enabled/default

In `authorize` section, after `pap`, add this:

if (User-Password) {
    update control {
        Auth-Type := ldap
    }
}

In `authenticate` section:

authenticate {
    Auth-Type PAP {
        ldap
    }
}

Uncomment `ldap`:

# Auth-Type LDAP {
    ldap
# }

5. Apply the same changes to `inner-tunnel` virtual server:

nano /etc/freeradius/3.0/sites-enabled/inner-tunnel

After that, execute the following commands as root to enable the ldap module:

cd /etc/freeradius/3.0/mods-enabled
ln -s ../mods-available/ldap ldap

Now, edit the ldap module:

nano /etc/freeradius/3.0/mods-enabled/ldap

Add the following:

server = 'ldaps://ldap.google.com'
port = 636

Enter your access credentials here:

identity = 'foo'
password = bar

Enter your domain here:

base_dn = 'dc=example,dc=com'

In `tls` section:

start_tls = no

certificate_file = /etc/freeradius/3.0/certs/ldap-client.crt
private_key_file = /etc/freeradius/3.0/certs/ldap-client.key

require_cert    = 'allow'

6. Set up the `eap` module:

nano /etc/freeradius/3.0/mods-enabled/eap

In `eap` section:

default_eap_type = ttls

In `ttls` section:

default_eap_type = gtc

Save and exit.

7. Set the proxy settings:

nano /etc/freeradius/3.0/proxy.conf

Enter your domain at the end of the file:

realm example.com {

}

Save and exit.

8. Restart FreeRADIUS to apply new settings:

systemctl restart freeradius.service

9.Connect FreeRadius to GoogleWorkspace

ldap->server = 'ldaps://ldap.google.com:636'
identity = username from the application credentials
password = password from the application credentials
base_dn = ‘dc=domain,dc=com’
tls->start_tls = no
tls->certificate_file = /etc/freeradius/3.0/certs/ldap-client.cer
tls->private_key_file = /etc/freeradius/3.0/certs/ldap-client.key
tls->require_cert = ‘allow’
Comment out all fields in the breadcrumb representing the section 'ldap -> post-auth -> update'

Reference

Troubleshooting

To debug, run FreeRADIUS in debug mode:

freeradius -X

For more details, check out: https://techblog.glendaleacademy.org/freeradius/dynamic-vlans-and-g-suite

1. Install FreeRADIUS and its required packages:​

2. Upload the certificate and key files downloaded from Google G-Suite Admin account into the following directory:​

3. Edit clients.conf:​

4. Edit the default virtual server:​

In authorize section, after pap, add this:​

In authenticate section:​

Uncomment ldap:​

5. Apply the same changes to inner-tunnel virtual server:​

In tls section:​

6. Set up the eap module:​

In eap section:​

In ttls section:​

7. Set the proxy settings:​

8. Restart FreeRADIUS to apply new settings:​

9.Connect FreeRadius to GoogleWorkspace​

Reference​

Troubleshooting​