pam_ldap and 802.1x environment

Thorsten Scherf tscherf at
Tue Jan 3 15:50:53 CET 2012

On [Tue, 03.01.2012 09:28], Alan DeKok wrote:
>Thorsten Scherf wrote:
>> thus
>> another action has to take place to authenticate using 802.1x.
>  I have no idea what that means.

Well, what I meant was, before I can talk to LDAP via IP using
pam_ldap, another action has to be performed BEFORE to get network
access. I wrongly assumed, that pam_radius_auth acts like a supplicant.
Lesson learned, that this is not the case. 

I'm looking for something PAM-related that asks for 802.1x credentials
to get network access (using wpa_supplicant or something) before the 
actual login (eg, via pam_ldap) happens. Looks like this piece of code 
doesn't exists so far.
>> Again, maybe I'm completely wrong with my assumptions, if so, please
>> tell me how to setup a environment like the one described above. Also,
>> if this is not the right list to ask, can you point me to a proper list?
>  For Windows, the local machines cache credentials.  So users can log
>in *without* accessing LDAP / AD / whatever.  For Linux systems... I
>don't know.

The only solution I see so far, is to use cached credentials as you
described above. For Linux systems there compontents available like sssd
that can cache credentials, but, as said already in another mail, that
introduces other problems.

Thanks for all your feedback, much appreciated. Will stop the discussion
now, since, as Phil already mentioned a couple of times, this is not
really freeradius specific. 


More information about the Freeradius-Users mailing list