Hey, this is a comprehension question. When I have a ldap directory to authenticate users with pam_ldap when they login to their local workstations, how can I secure network access with radius?! I mean, isn't that a chicken egg problem? How would I be able to talk to the ldap server before I sucessfully authenticated against Radius? For sure I do miss something, would be great if somebody could enlighten me. :)
On 01/02/2012 11:45 PM, Thorsten Scherf wrote:
Hey,
this is a comprehension question. When I have a ldap directory to authenticate users with pam_ldap when they login to their local workstations, how can I secure network access with radius?! I mean, isn't that a chicken egg problem? How would I be able to talk to the ldap server before I sucessfully authenticated against Radius? For sure I do miss something, would be great if somebody could enlighten me. :)
If you want to use the login credentials to speak 802.1x, it can't be done currently, as far as I know; you would need some kind of PAM module that spoke to the system 802.1x supplicant. As far as I'm aware, there is no such module. This can be done under Windows. Alternatively, you could just use a "machine-specific" account to perform 802.1x. This can be done today with NetworkManager and a "system" connection profile. This eliminates the chicken/egg issue. Anyway, this is not a FreeRADIUS question - you should ask around the PAM lists, or maybe ask the Gnome/NetworkManager guys.
On [Tue, 03.01.2012 09:19], Phil Mayers wrote:
On 01/02/2012 11:45 PM, Thorsten Scherf wrote:
Hey,
this is a comprehension question. When I have a ldap directory to authenticate users with pam_ldap when they login to their local workstations, how can I secure network access with radius?! I mean, isn't that a chicken egg problem? How would I be able to talk to the ldap server before I sucessfully authenticated against Radius? For sure I do miss something, would be great if somebody could enlighten me. :)
If you want to use the login credentials to speak 802.1x, it can't be done currently, as far as I know; you would need some kind of PAM module that spoke to the system 802.1x supplicant. As far as I'm aware, there is no such module.
I tried a combination of pam_radius_auth and pam_unix, that worked ok. I guess the same can be done with pam_ldap as well, needs some testing, though.
This can be done under Windows.
Alternatively, you could just use a "machine-specific" account to perform 802.1x. This can be done today with NetworkManager and a "system" connection profile. This eliminates the chicken/egg issue.
When I check the 802.1x settings in NM, I don't see where I can configure a machine account, only user-accounts which is fine. Am I missing something? Mabye the whole question should be more general. Can you give me an example, how a desktop/notebook system (Linux or Windows based) with centralized user management (ldap/krb5/ad) has to configured in order to benefit from 802.1x benefits like dynamic vlan assignments and things like that?! Cheers, Thorsten
On 03/01/12 09:42, Thorsten Scherf wrote:
I tried a combination of pam_radius_auth and pam_unix, that worked ok. I guess the same can be done with pam_ldap as well, needs some testing, though.
Sorry, I am confused. By "secure network access" I assumed you meant "how can I use the login credentials to login to the network with 802.1x" - is this correct? Neither pam_radius_auth nor pam_ldap will do that.
This can be done under Windows.
Alternatively, you could just use a "machine-specific" account to perform 802.1x. This can be done today with NetworkManager and a "system" connection profile. This eliminates the chicken/egg issue.
When I check the 802.1x settings in NM, I don't see where I can configure a machine account, only user-accounts which is fine. Am I missing something?
"Machine account" is a term specific to Windows domain authentication. If you want a "machine account" for Linux, you'll have to create a normal account and put the credentials in a "system" NetworkManager connection definition.
Mabye the whole question should be more general. Can you give me an example, how a desktop/notebook system (Linux or Windows based) with centralized user management (ldap/krb5/ad) has to configured in order to benefit from 802.1x benefits like dynamic vlan assignments and things like that?!
No sorry, that's a huge and very vague question that doesn't make a lot of sense. You'll need to do some research yourself, or ask more specific questions. It's also not FreeRADIUS-specific.
On [Tue, 03.01.2012 11:24], Phil Mayers wrote:
On 03/01/12 09:42, Thorsten Scherf wrote:
I tried a combination of pam_radius_auth and pam_unix, that worked ok. I guess the same can be done with pam_ldap as well, needs some testing, though.
Sorry, I am confused.
By "secure network access" I assumed you meant "how can I use the login credentials to login to the network with 802.1x" - is this correct?
Neither pam_radius_auth nor pam_ldap will do that.
Ok, I should be more precise. Let's try it again. Let's say I have a FreeRadius server with LDAP backend. The LDAP backend contains user and machine objects with RADIUS and POSIX specific attributes. I now want to use that LDAP box to act as a backend for 802.1x access as well as authentication server for logins based on pam_ldap. With LDAP only I should have a PAM config like this: ... auth sufficient pam_ldap.so ... ... In a 802.1x I won't have network access before my local supplicant sends proper login credentials to a NAS in order to get access to the network. With my understanding, what would require another PAM module that is called before pam_ldap. Something like this: ... auth required pam_radius_auth.so ... auth sufficient pam_ldap.so ... ... IMHO, the pam_radius_auth is responsible to get proper network access that would help pam_ldap to talk to the LDAP server in order to do a "second level of authentication", in order to benefit from things like password policy and things like that. Maybe I'm completely wrong here, that's why I asked for some clarification.
Mabye the whole question should be more general. Can you give me an example, how a desktop/notebook system (Linux or Windows based) with centralized user management (ldap/krb5/ad) has to configured in order to benefit from 802.1x benefits like dynamic vlan assignments and things like that?!
No sorry, that's a huge and very vague question that doesn't make a lot of sense. You'll need to do some research yourself, or ask more specific questions.
OK, I'll try it again. User foo works for company BAR. Company BAR uses central organized user accounts hosted on a LDAP server. User foo has a notebook that doesn't have a local foo account available. In order to login, foo has to talk to the central LDAP server (via PAM/NSS) in order to authenticate and receive informations like uid, gid, homeDir, shell and things like that. Company BAR uses 802.1x to secure all ethernet ports. Now, when user foo plugs his notebook into an ethernet port that is secured by 802.1x, he first has to authenticate using 802.1x before he can talk to the LDAP server. Question now is, how does this work when user foo logs into his notebook by GDM or something similar?! The machine would have to lookup the provided user crendentials on a LDAP server - that would not work since no access to the network is possible at that time, thus another action has to take place to authenticate using 802.1x. Again, maybe I'm completely wrong with my assumptions, if so, please tell me how to setup a environment like the one described above. Also, if this is not the right list to ask, can you point me to a proper list? Thanks. Thorsten
On 03/01/12 12:26, Thorsten Scherf wrote:
Ok, I should be more precise. Let's try it again. Let's say I have a FreeRadius server with LDAP backend. The LDAP backend contains user and machine objects with RADIUS and POSIX specific attributes. I now want to use that LDAP box to act as a backend for 802.1x access as well as authentication server for logins based on pam_ldap.
With LDAP only I should have a PAM config like this:
... auth sufficient pam_ldap.so ... ...
In a 802.1x I won't have network access before my local supplicant sends proper login credentials to a NAS in order to get access to the network. With my understanding, what would require another PAM module that is called before pam_ldap. Something like this:
... auth required pam_radius_auth.so ... auth sufficient pam_ldap.so ... ...
IMHO, the pam_radius_auth is responsible to get proper network access that would help pam_ldap to talk to the LDAP server in order to do a "second level of authentication", in order to benefit from things like password policy and things like that. Maybe I'm completely wrong here, that's why I asked for some clarification.
I'm sorry, but you *are* completely wrong. You've misunderstood how PAM works, and what pam_radius_auth does. pam_radius_auth is "just like" pam_ldap - it checks login credentials against a radius server, instead of an LDAP server. pam_radius_auth DOES NOT perform 802.1x, or have anything to do with network connectivity. Currently, Linux systems do not integrate the 802.1x authentication with the PAM login system. What you want to do can't be done. The best you can do is either a) 1. Install NetworkManager 2. Create a user account per-machine 3. Define a system connection, using the per-machine account 4. Use that system connection for 802.1x, and pam_ldap for login or b) 1. Use some kind of "cached" login to login before network is up e.g. "sssd" or "pam_ccreds" 2. After login, use per-user 802.1x connections Ideally, there would be a 3rd option, where a mythical PAM module communicates the username/password to NetworkManager at login, waits for NetworkManager to perform 802.1x, and then continues with pam_ldap and similar - but that module does not exist.
the LDAP server. Question now is, how does this work when user foo logs into his notebook by GDM or something similar?! The machine would have to lookup the provided user crendentials on a LDAP server - that would not work since no access to the network is possible at that time, thus another action has to take place to authenticate using 802.1x.
As above - 802.1x and login authentication are not integrated on Linux. What you want to do, can't be done currently. And again, this is not really a FreeRADIUS question. You might want to ask on the NetworkManager or PAM mailing list(s) whether there are any plans to provide "single signon" 802.1x & login authentication. Cheers, Phil
On [Tue, 03.01.2012 14:21], Phil Mayers wrote:
Currently, Linux systems do not integrate the 802.1x authentication with the PAM login system. What you want to do can't be done.
Ok, great, that's what I wanted to hear. I haven't worked with pam_radius_auth, it was just my assumption that it behaves like describes earlier, if this is not the case - fine.
The best you can do is either a)
1. Install NetworkManager 2. Create a user account per-machine 3. Define a system connection, using the per-machine account 4. Use that system connection for 802.1x, and pam_ldap for login
or b)
1. Use some kind of "cached" login to login before network is up e.g. "sssd" or "pam_ccreds" 2. After login, use per-user 802.1x connections
Yeah, I already had this in mind, using sssd for a cached login or something, but this of course introduces other problems (like the initial login of a user, things like that). I thought there might be a more robust and easier solution. Seems I was wrong. :)
Ideally, there would be a 3rd option, where a mythical PAM module communicates the username/password to NetworkManager at login, waits for NetworkManager to perform 802.1x, and then continues with pam_ldap and similar - but that module does not exist.
See, my assumption was, that a combination of pam_radius_auth and pam_ldap can be used to accomplish such a task. Thanks for making clear that this doesn't work.
the LDAP server. Question now is, how does this work when user foo logs into his notebook by GDM or something similar?! The machine would have to lookup the provided user crendentials on a LDAP server - that would not work since no access to the network is possible at that time, thus another action has to take place to authenticate using 802.1x.
As above - 802.1x and login authentication are not integrated on Linux. What you want to do, can't be done currently.
Ok, no prob. Good to now have some clarification about that. Thanks. Cheers, Thorsten
Thorsten Scherf wrote:
Ok, I should be more precise. Let's try it again. Let's say I have a FreeRadius server with LDAP backend. The LDAP backend contains user and machine objects with RADIUS and POSIX specific attributes. I now want to use that LDAP box to act as a backend for 802.1x access as well as authentication server for logins based on pam_ldap.
Based on the rest of your message, you've confused a lot of topics. 802.1X means that the PC does EAP (PEAP, etc.) to the RADIUS server. The RADIUS server talks to LDAP in order to authenticate the user. The machine has network access AFTER 802.1X succeeds.
In a 802.1x I won't have network access before my local supplicant sends proper login credentials to a NAS in order to get access to the network.
Yes.
With my understanding, what would require another PAM module that is called before pam_ldap. Something like this:
No. You need a supplicant. e.g. wpa_supplicant. PAM *will not* help you. Looking at PAM for a solution means you are wasting your time.
IMHO, the pam_radius_auth is responsible to get proper network access that would help pam_ldap to talk to the LDAP server in order to do a "second level of authentication", in order to benefit from things like password policy and things like that. Maybe I'm completely wrong here, that's why I asked for some clarification.
pam_radius_auth uses IPv4 networking to send RADIUS packets. Therefore, it *cannot* be used before the user has network access. PAM will not help you. Discard it.
OK, I'll try it again. User foo works for company BAR. Company BAR uses central organized user accounts hosted on a LDAP server. User foo has a notebook that doesn't have a local foo account available. In order to login, foo has to talk to the central LDAP server (via PAM/NSS) in order to authenticate and receive informations like uid, gid, homeDir, shell and things like that. Company BAR uses 802.1x to secure all ethernet ports. Now, when user foo plugs his notebook into an ethernet port that is secured by 802.1x, he first has to authenticate using 802.1x before he can talk to the LDAP server.
That is how 802.1X works. What you're missing is that 802.1X (network access) is *completely separate* from logging into the machine.
Question now is, how does this work when user foo logs into his notebook by GDM or something similar?! The machine would have to lookup the provided user crendentials on a LDAP server - that would not work since no access to the network is possible at that time,
Exactly.
thus another action has to take place to authenticate using 802.1x.
I have no idea what that means.
Again, maybe I'm completely wrong with my assumptions, if so, please tell me how to setup a environment like the one described above. Also, if this is not the right list to ask, can you point me to a proper list?
For Windows, the local machines cache credentials. So users can log in *without* accessing LDAP / AD / whatever. For Linux systems... I don't know. This is exactly the same as them taking the laptop home and logging in to it there. If that doesn't work right now, then solve that problem first. The same solution will apply to 802.1X in the corporate environment. Alan DeKok.
On [Tue, 03.01.2012 09:28], Alan DeKok wrote:
Thorsten Scherf wrote:
thus another action has to take place to authenticate using 802.1x.
I have no idea what that means.
Well, what I meant was, before I can talk to LDAP via IP using pam_ldap, another action has to be performed BEFORE to get network access. I wrongly assumed, that pam_radius_auth acts like a supplicant. Lesson learned, that this is not the case. I'm looking for something PAM-related that asks for 802.1x credentials to get network access (using wpa_supplicant or something) before the actual login (eg, via pam_ldap) happens. Looks like this piece of code doesn't exists so far.
Again, maybe I'm completely wrong with my assumptions, if so, please tell me how to setup a environment like the one described above. Also, if this is not the right list to ask, can you point me to a proper list?
For Windows, the local machines cache credentials. So users can log in *without* accessing LDAP / AD / whatever. For Linux systems... I don't know.
The only solution I see so far, is to use cached credentials as you described above. For Linux systems there compontents available like sssd that can cache credentials, but, as said already in another mail, that introduces other problems. Thanks for all your feedback, much appreciated. Will stop the discussion now, since, as Phil already mentioned a couple of times, this is not really freeradius specific. Cheers, Thorsten
participants (3)
-
Alan DeKok -
Phil Mayers -
Thorsten Scherf