FreeRADIUS to G Suite using MikroTik, is it possible?

Hello, I am using a CCR1016-12G router.
I want to use RADIUS (FreeRADIUS) for connecting L2TP users (not from daloRADIUS but from G Suite). Is it possible? Currently I have set up the WiFi using UniFi (using FreeRADIUS with G Suite LDAP, and it works), and FreeRADIUS (daloRADIUS) for Winbox users (works).
I’m using this method for FreeRADIUS to UniFi (for WiFi users): https://www.nasirhafeez.com/freeradius-with-google-g-suite-workspace-secure-ldap-for-wpa2-enterprise-wifi/ and my FreeRADIUS server is on 10.10.30.57.
My config, /etc/freeradius/3.0/clients.conf:

client LDAP {
       ipaddr          = 0.0.0.0/0
       secret          = secret
       nastype         = other
}

I have already set this up on the MikroTik (see pic), but I still can’t log in using a G Suite account. Has anyone tried this method?
mikrotik.PNG

Any help, guys? Or does MikroTik not support G Suite authentication from FreeRADIUS? Because when I tested using radtest, my email was accepted from a different VM :(

Mikrotik supports RADIUS.

FreeRADIUS talking to G Suite is not in Mikrotik’s purview - if there is a problem, and you know that FreeRADIUS to G Suite is working, you need to debug why Mikrotik to FreeRADIUS is not - you can set Mikrotik logs down to debug level for Radius and see the raw radius packets sent and received - those packets will tell you what the issue is.

Good day guys,

Bumping on this. We have the same issue, though FreeRadius and Gsuite can communicate and accept auth. However, Mikrotik to FreeRadius is the issue.

Let me know if you’ve figured this out. I’m also doing some testing in my test bed.

Thanks!

How do I configure FreeRADIUS and G Suite step by step, please?

GSuite is LDAP
You can read https://www.nasirhafeez.com/freeradius-with-google-g-suite-workspace-secure-ldap-for-wpa2-enterprise-wifi/

Unfortunately, this seems like it will never be possible for any RouterOS feature other than WiFi and IPSEC. This is because G-Suite’s Secure LDAP Server does not expose the password to FreeRADIUS in clear text, so the only RADIUS authentication method FreeRADIUS can use is some variation on PAP. WiFi and IPSEC will work because they allow you to control the authentication method used, and so you can set it to PAP (or EAP-TTLS, which encapsulates PAP). Allegedly at one point SSH, Telnet, and FTP also used PAP (and only PAP), although in my testing on 7.15.1 I see it using MSCHAP instead. Other use cases, like authentication via Winbox, or using RADIUS for PPP logins, don’t let you select the authentication protocol. They don’t use PAP, you cannot make them use PAP, and Google’s Secure LDAP Service isn’t compatible with anything but PAP, because to use anything else, the LDAP server would have to send the cleartext password to RADIUS server, which Google’s LDAP implementation will not do (I think it’s very unlikely that they store the cleartext password at all, so they couldn’t send it if they wanted to).

Maybe by RouterOS 8 they’ll add generalized support for selecting a RADIUS authentication, so that rather than a simple “use RADIUS” checkbox, everywhere that uses RADIUS gets a full set of configuration options.
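
Added example, not part of any post in this thread and not FreeRADIUS or RouterOS code: a Python sketch of the PAP limitation described in the last reply. It shows that a RADIUS server can undo PAP's User-Password hiding (RFC 2865) and hand the password to a bind-only directory, while a challenge-response reply cannot be checked without a stored secret. Plain CHAP (RFC 1994) stands in for the MSCHAP family, which likewise needs the password or its NT hash on the server side; the directory, user name, password and shared secret are constructed.

```python
import hashlib, hmac, os

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: RFC 2865 User-Password hiding (reversible with the shared secret)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side: recover the cleartext password from the attribute."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(id || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

# Constructed stand-in for a bind-only directory: it can test a password
# but never returns one (only a one-way hash is stored).
_DIRECTORY = {"alice@example.com": hashlib.sha256(b"correct horse").digest()}

def ldap_bind(user: str, password: bytes) -> bool:
    stored = _DIRECTORY.get(user, b"")
    return hmac.compare_digest(stored, hashlib.sha256(password).digest())

def radius_pap(user, hidden, secret, authenticator) -> bool:
    # PAP works: the server gets the cleartext and can attempt a bind with it.
    return ldap_bind(user, pap_recover(hidden, secret, authenticator))

def radius_chap(user, chap_id, challenge, response, stored_cleartext=None):
    # Verification means recomputing the response, which needs the password.
    if stored_cleartext is None:
        return None  # bind-only backend: nothing to recompute with
    expected = chap_response(chap_id, stored_cleartext, challenge)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    secret, auth = b"constructed-shared-secret", os.urandom(16)
    hidden = pap_hide(b"correct horse", secret, auth)
    print("PAP accepted:", radius_pap("alice@example.com", hidden, secret, auth))
    chal = os.urandom(16)
    resp = chap_response(1, b"correct horse", chal)
    print("CHAP verdict:", radius_chap("alice@example.com", 1, chal, resp))
```

The CHAP call returns `None` even though the client used the right password, which matches the behaviour described for Winbox and PPP logins against a bind-only LDAP backend.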