pam_ldap and 802.1x environment

Alan DeKok aland at deployingradius.com
Tue Jan 3 15:28:00 CET 2012 

Thorsten Scherf wrote:
> Ok, I should be more precise. Let's try it again. Let's say I have a
> FreeRadius server with LDAP backend. The LDAP backend contains user and
> machine objects with RADIUS and POSIX specific attributes. I now want to
> use that LDAP box to act as a backend for 802.1x access as well as
> authentication server for logins based on pam_ldap.

  Based on the rest of your message, you've confused a lot of topics.

  802.1X means that the PC does EAP (PEAP, etc.) to the RADIUS server.
The RADIUS server talks to LDAP in order to authenticate the user.

  The machine has network access AFTER 802.1X succeeds.

> In a 802.1x I won't have network access before my local supplicant sends
> proper login credentials to a NAS in order to get access to the network.

  Yes.

> With my understanding, what would require another PAM module that is
> called before pam_ldap. Something like this:

  No.  You need a supplicant.  e.g. wpa_supplicant.

  PAM *will not* help you.  Looking at PAM for a solution means you are
wasting your time.

> IMHO, the pam_radius_auth is responsible to get proper network access
> that would help pam_ldap to talk to the LDAP server in order to do a
> "second level of authentication", in order to benefit from things like
> password policy and things like that. Maybe I'm completely wrong here,
> that's why I asked for some clarification.

  pam_radius_auth uses IPv4 networking to send RADIUS packets.
Therefore, it *cannot* be used before the user has network access.

  PAM will not help you.  Discard it.

> OK, I'll try it again. User foo works for company BAR. Company BAR uses
> central organized user accounts hosted on a LDAP server. User foo has a
> notebook that doesn't have a local foo account available. In order to
> login, foo has to talk to the central LDAP server (via PAM/NSS) in order to
> authenticate and receive informations like uid, gid, homeDir, shell and
> things like that. Company BAR uses 802.1x to secure all ethernet ports.
> Now, when user foo plugs his notebook into an ethernet port that is
> secured by 802.1x, he first has to authenticate using 802.1x before he
> can talk to
> the LDAP server.

  That is how 802.1X works.  What you're missing is that 802.1X (network
access) is *completely separate* from logging into the machine.


> Question now is, how does this work when user foo logs
> into his notebook by GDM or something similar?! The machine would have
> to lookup the provided user crendentials on a LDAP server - that would
> not work since no access to the network is possible at that time, 

  Exactly.

> thus
> another action has to take place to authenticate using 802.1x.

  I have no idea what that means.

> Again, maybe I'm completely wrong with my assumptions, if so, please
> tell me how to setup a environment like the one described above. Also,
> if this is not the right list to ask, can you point me to a proper list?

  For Windows, the local machines cache credentials.  So users can log
in *without* accessing LDAP / AD / whatever.  For Linux systems... I
don't know.

  This is exactly the same as them taking the laptop home and logging in
to it there.  If that doesn't work right now, then solve that problem
first.  The same solution will apply to 802.1X in the corporate environment.

  Alan DeKok.

More information about the Freeradius-Users mailing list