pam_ldap and 802.1x environment

Phil Mayers p.mayers at
Tue Jan 3 10:19:18 CET 2012

On 01/02/2012 11:45 PM, Thorsten Scherf wrote:
> Hey,
> this is a comprehension question. When I have a ldap directory to
> authenticate users with pam_ldap when they login to their local
> workstations, how can I secure network access with radius?! I mean,
> isn't that a chicken egg problem? How would I be able to talk to the
> ldap server before I sucessfully authenticated against Radius? For sure
> I do miss something, would be great if somebody could enlighten me. :)

If you want to use the login credentials to speak 802.1x, it can't be 
done currently, as far as I know; you would need some kind of PAM module 
that spoke to the system 802.1x supplicant. As far as I'm aware, there 
is no such module.

This can be done under Windows.

Alternatively, you could just use a "machine-specific" account to 
perform 802.1x. This can be done today with NetworkManager and a 
"system" connection profile. This eliminates the chicken/egg issue.

Anyway, this is not a FreeRADIUS question - you should ask around the 
PAM lists, or maybe ask the Gnome/NetworkManager guys.

More information about the Freeradius-Users mailing list