On [Tue, 03.01.2012 14:21], Phil Mayers wrote:
Currently, Linux systems do not integrate the 802.1x authentication with the PAM login system. What you want to do can't be done.
Ok, great, that's what I wanted to hear. I haven't worked with pam_radius_auth, it was just my assumption that it behaves like describes earlier, if this is not the case - fine.
The best you can do is either a)
1. Install NetworkManager 2. Create a user account per-machine 3. Define a system connection, using the per-machine account 4. Use that system connection for 802.1x, and pam_ldap for login
or b)
1. Use some kind of "cached" login to login before network is up e.g. "sssd" or "pam_ccreds" 2. After login, use per-user 802.1x connections
Yeah, I already had this in mind, using sssd for a cached login or something, but this of course introduces other problems (like the initial login of a user, things like that). I thought there might be a more robust and easier solution. Seems I was wrong. :)
Ideally, there would be a 3rd option, where a mythical PAM module communicates the username/password to NetworkManager at login, waits for NetworkManager to perform 802.1x, and then continues with pam_ldap and similar - but that module does not exist.
See, my assumption was, that a combination of pam_radius_auth and pam_ldap can be used to accomplish such a task. Thanks for making clear that this doesn't work.
the LDAP server. Question now is, how does this work when user foo logs into his notebook by GDM or something similar?! The machine would have to lookup the provided user crendentials on a LDAP server - that would not work since no access to the network is possible at that time, thus another action has to take place to authenticate using 802.1x.
As above - 802.1x and login authentication are not integrated on Linux. What you want to do, can't be done currently.
Ok, no prob. Good to now have some clarification about that. Thanks. Cheers, Thorsten