pam_ldap and 802.1x environment

Phil Mayers p.mayers at imperial.ac.uk
Tue Jan 3 12:24:00 CET 2012


On 03/01/12 09:42, Thorsten Scherf wrote:

> I tried a combination of pam_radius_auth and pam_unix, that worked ok. I
> guess the same can be done with pam_ldap as well, needs some testing,
> though.

Sorry, I am confused.

By "secure network access" I assumed you meant "how can I use the login 
credentials to login to the network with 802.1x" - is this correct?

Neither pam_radius_auth nor pam_ldap will do that.

>> This can be done under Windows.
>>
>> Alternatively, you could just use a "machine-specific" account to
>> perform 802.1x. This can be done today with NetworkManager and a
>> "system" connection profile. This eliminates the chicken/egg issue.
>
> When I check the 802.1x settings in NM, I don't see where I can
> configure a machine account, only user-accounts which is fine. Am I
> missing something?

"Machine account" is a term specific to Windows domain authentication.

If you want a "machine account" for Linux, you'll have to create a 
normal account and put the credentials in a "system" NetworkManager 
connection definition.

>
> Maybe the whole question should be more general. Can you give me an
> example, how a desktop/notebook system (Linux or Windows based) with
> centralized user management (ldap/krb5/ad) has to be configured in order to
> benefit from 802.1x benefits like dynamic vlan assignments and things
> like that?!

No sorry, that's a huge and very vague question that doesn't make a lot 
of sense. You'll need to do some research yourself, or ask more specific 
questions.

It's also not FreeRADIUS-specific.
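As an added illustration of the "system" connection described above (not part of the original thread): a NetworkManager keyfile for a wired 802.1x connection that authenticates with an ordinary directory account before any user logs in. The interface name, account name, UUID and CA path are placeholders.

```ini
# /etc/NetworkManager/system-connections/dot1x-wired.nmconnection
# Must be owned by root with mode 0600 or NetworkManager ignores the file;
# that permission is also what keeps the password below away from local users.
[connection]
id=dot1x-wired
# placeholder: replace with the output of `uuidgen`
uuid=REPLACE-WITH-UUID
type=ethernet
# assumed interface name
interface-name=eth0
autoconnect=true
# An empty permissions list makes this a "system" connection: NetworkManager
# brings it up at boot on its own, so the user login no longer depends on
# network access that itself needs the user's credentials.
permissions=

[ethernet]

[802-1x]
eap=peap
# An ordinary account in the directory, used only for network access.
# Assumed name; this is the Linux stand-in for a Windows "machine account".
identity=machine-eth0
# password-flags=0 stores the secret in this root-only file instead of a
# user's keyring, which is what allows unattended authentication.
password-flags=0
password=REPLACE-WITH-ACCOUNT-PASSWORD
phase2-auth=mschapv2
# Pin the RADIUS server's CA so the supplicant only releases the account
# credential to the real authentication server, not to any port that
# happens to answer EAP. Assumed path.
ca-cert=file:///etc/pki/tls/certs/radius-ca.pem
# The outer EAP identity travels in the clear; do not leak the real account.
anonymous-identity=anonymous@example.org

[ipv4]
method=auto

[ipv6]
method=auto
```

After dropping the file in place, `nmcli connection reload` makes NetworkManager pick it up; dynamic VLAN assignment then happens on the switch side based on the RADIUS reply for this account.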



More information about the Freeradius-Users mailing list