On [Tue, 03.01.2012 09:28], Alan DeKok wrote:
Thorsten Scherf wrote:
thus another action has to take place to authenticate using 802.1x.
I have no idea what that means.
Well, what I meant was, before I can talk to LDAP via IP using pam_ldap, another action has to be performed BEFORE to get network access. I wrongly assumed, that pam_radius_auth acts like a supplicant. Lesson learned, that this is not the case. I'm looking for something PAM-related that asks for 802.1x credentials to get network access (using wpa_supplicant or something) before the actual login (eg, via pam_ldap) happens. Looks like this piece of code doesn't exists so far.
Again, maybe I'm completely wrong with my assumptions, if so, please tell me how to setup a environment like the one described above. Also, if this is not the right list to ask, can you point me to a proper list?
For Windows, the local machines cache credentials. So users can log in *without* accessing LDAP / AD / whatever. For Linux systems... I don't know.
The only solution I see so far, is to use cached credentials as you described above. For Linux systems there compontents available like sssd that can cache credentials, but, as said already in another mail, that introduces other problems. Thanks for all your feedback, much appreciated. Will stop the discussion now, since, as Phil already mentioned a couple of times, this is not really freeradius specific. Cheers, Thorsten