pam_ldap and 802.1x environment

Thorsten Scherf tscherf at gmail.com
Tue Jan 3 15:40:47 CET 2012


On [Tue, 03.01.2012 14:21], Phil Mayers wrote:
>Currently, Linux systems do not integrate the 802.1x authentication 
>with the PAM login system. What you want to do can't be done.

Ok, great, that's what I wanted to hear. I haven't worked with
pam_radius_auth; it was just my assumption that it behaves as
described earlier. If this is not the case - fine.

>The best you can do is either a)
>
> 1. Install NetworkManager
> 2. Create a user account per-machine
> 3. Define a system connection, using the per-machine account
> 4. Use that system connection for 802.1x, and pam_ldap for login
>
>or b)
>
> 1. Use some kind of "cached" login to login before network is up 
>e.g. "sssd" or "pam_ccreds"
> 2. After login, use per-user 802.1x connections

Yeah, I already had this in mind, using sssd for a cached login or
something, but this of course introduces other problems (like the
initial login of a user, things like that). I thought there might be a
more robust and easier solution. Seems I was wrong. :)

>Ideally, there would be a 3rd option, where a mythical PAM module 
>communicates the username/password to NetworkManager at login, waits 
>for NetworkManager to perform 802.1x, and then continues with 
>pam_ldap and similar - but that module does not exist.

See, my assumption was that a combination of pam_radius_auth and
pam_ldap could be used to accomplish such a task. Thanks for making clear
that this doesn't work.

>>the LDAP server. Question now is, how does this work when user foo logs
>>into his notebook by GDM or something similar?! The machine would have
>>to look up the provided user credentials on an LDAP server - that would
>>not work since no access to the network is possible at that time, thus
>>another action has to take place to authenticate using 802.1x.
>
>As above - 802.1x and login authentication are not integrated on 
>Linux. What you want to do, can't be done currently.

Ok, no prob. Good to now have some clarification about that. Thanks.

Cheers,
Thorsten
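Option a) from the quoted reply, as an added example that is not from either poster: a NetworkManager keyfile defining a system connection (empty `permissions=`, so it comes up before any user logs in) that does 802.1x with a per-machine account over PEAP/MSCHAPv2, leaving user login to pam_ldap. The file name, identity, password and CA path are placeholders; the machine account must exist in the RADIUS/LDAP backend.

```ini
# /etc/NetworkManager/system-connections/wired-dot1x.nmconnection (hypothetical name)
# The machine account password is stored here in clear, so the file must be
# owned by root with mode 0600 or NetworkManager will refuse to load it.
[connection]
id=wired-dot1x
type=ethernet
# Empty permissions = system connection, activated at boot without a user session
permissions=
autoconnect=true

[ethernet]

[802-1x]
eap=peap;
# Placeholder per-machine account, not a user account
identity=host/notebook01.example.com
phase2-auth=mschapv2
password=CHANGE_ME_machine_account_password
# Pin the RADIUS server's CA so the supplicant will not hand the
# password to an arbitrary server that merely speaks PEAP
ca-cert=/etc/pki/tls/certs/radius-ca.pem

[ipv4]
method=auto

[ipv6]
method=auto
```

With this in place the port is authenticated before GDM starts, so pam_ldap can reach the LDAP server at login time; the user's own credentials are never used for 802.1x.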




More information about the Freeradius-Users mailing list