
Google's GSuite Secure LDAP does not expose userPassword.

CHAP, MSCHAP and other authentication do not send the password. They assume the server knows the password and can use a challenge.

Because GSuite SLDAP doesn't expose the password, I can't get L2TP/IPSEC or IKEv2 to authenticate. Freeradius doesn't help because it also doesn't gain access to the userPassword.

My question is:

What authentication methods would work, that also send the password? EAP? PAP? This is something I don't know much about.

Thanks!

Chemdream
  • I've 100% confirmed that CHAP does not send the password. Also, using RADIUS isn't an option because, regardless, it will need to know the password, which GSuite doesn't provide. All other directory-as-a-service offerings seem to provide it... – Chemdream Sep 15 '20 at 21:45

1 Answer


StrongSwan has an eap-radius authentication method that forwards the EAP conversation to a RADIUS server.

This lets the normal no-cleartext-password procedure proceed and should work with the GSuite RADIUS.

Ginnungagap
  • In the Windows 10 VPN client, is eap-radius an option? – Chemdream Sep 14 '20 at 11:51
  • `eap-radius` is a server-side plug-in to forward the EAP conversation to the RADIUS server, so the question is whether there's an overlap between the RADIUS-supported EAP methods and Windows, which is most likely yes, MSCHAPv2. – Ginnungagap Sep 14 '20 at 13:54
  • To my knowledge MSCHAPv2 doesn't send the password? It simply uses a challenge? – Chemdream Sep 14 '20 at 14:40
  • Yes, but since you're communicating with the RADIUS server directly, why would you want the cleartext password? – Ginnungagap Sep 14 '20 at 14:58
  • As I stated in the question, GSuite LDAP doesn't expose userPassword like JumpCloud or Active Directory does. MSCHAP doesn't send the password. RADIUS will have no way of knowing what the password is to actually authenticate. – Chemdream Sep 14 '20 at 18:24
  • Huh, I don't use GSuite so I don't think I fully grasp the issue. Even if it doesn't expose the password, it still has it internally right? – Ginnungagap Sep 14 '20 at 22:59
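The point argued in the question and in this comment thread, as an added Python illustration that is not part of the original post: a challenge-response method such as CHAP can only be verified by a server that holds the password, whereas PAP hands the server the password so it can simply bind against the directory. The two directory classes and the sample user are constructed stand-ins for a bind-only directory like GSuite Secure LDAP and a password-exposing one like those the question names; plain CHAP (RFC 1994, MD5) is used because its digest is short enough to show in full.

```python
import hashlib
import hmac


class BindOnlyDirectory:
    """Constructed stand-in for a directory like GSuite Secure LDAP: it answers
    a bind ("is this the user's password?") but never exposes userPassword."""

    def __init__(self, users):
        self._users = dict(users)  # cleartext kept private on purpose

    def bind(self, username, password):
        stored = self._users.get(username, "")
        return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


class PasswordExposingDirectory(BindOnlyDirectory):
    """Constructed stand-in for a directory that does expose the password
    (the question names JumpCloud and Active Directory)."""

    def get_password(self, username):
        return self._users.get(username)


def pap_authenticate(directory, username, password):
    """PAP: the client sends the password itself, so a bind is all the server needs."""
    return directory.bind(username, password)


def chap_response(identifier, secret, challenge):
    """Client side of CHAP (RFC 1994): MD5(identifier || secret || challenge).
    Only this digest crosses the wire; the secret never does."""
    return hashlib.md5(bytes([identifier]) + secret.encode("utf-8") + challenge).digest()


def chap_verify(directory, username, identifier, challenge, response):
    """Server side of CHAP: recompute the digest, which needs the cleartext secret.
    A bind-only directory cannot supply it, so verification is impossible."""
    lookup = getattr(directory, "get_password", None)
    if lookup is None:
        raise LookupError("directory does not expose the password; cannot verify CHAP")
    secret = lookup(username)
    if secret is None:
        return False  # unknown user
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)
```

MSCHAPv2 differs only in the details (it needs the NT hash of the password rather than the cleartext), so the same split applies: the server still needs a password-equivalent that a bind-only directory never hands out.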