pam_ldap and 802.1x environment

Thorsten Scherf tscherf at gmail.com
Tue Jan 3 10:42:12 CET 2012


On [Tue, 03.01.2012 09:19], Phil Mayers wrote:
>On 01/02/2012 11:45 PM, Thorsten Scherf wrote:
>>Hey,
>>
>>this is a comprehension question. When I have a ldap directory to
>>authenticate users with pam_ldap when they login to their local
>>workstations, how can I secure network access with radius?! I mean,
>>isn't that a chicken egg problem? How would I be able to talk to the
>>ldap server before I successfully authenticated against Radius? For sure
>>I do miss something, would be great if somebody could enlighten me. :)
>
>If you want to use the login credentials to speak 802.1x, it can't be 
>done currently, as far as I know; you would need some kind of PAM 
>module that spoke to the system 802.1x supplicant. As far as I'm 
>aware, there is no such module.

I tried a combination of pam_radius_auth and pam_unix, that worked ok. I
guess the same can be done with pam_ldap as well, needs some testing,
though. 

>This can be done under Windows.
>
>Alternatively, you could just use a "machine-specific" account to 
>perform 802.1x. This can be done today with NetworkManager and a 
>"system" connection profile. This eliminates the chicken/egg issue.

When I check the 802.1x settings in NM, I don't see where I can
configure a machine account, only user-accounts which is fine. Am I
missing something?

Maybe the whole question should be more general. Can you give me an
example of how a desktop/notebook system (Linux or Windows based) with
centralized user management (ldap/krb5/ad) has to be configured in order
to benefit from 802.1x benefits like dynamic vlan assignments and things
like that?!

Cheers,
Thorsten
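The "system connection profile" Phil refers to is what answers the machine-account question: NetworkManager brings such a profile up at boot, with credentials stored in the profile rather than in a user's keyring, so the supplicant finishes 802.1X before any user logs in and pam_ldap then reaches the directory over the already-authorised port. The keyfile below is an added illustration, not something posted in the thread; the connection name, UUID, host identity and certificate paths are assumptions chosen for the example.

```ini
# /etc/NetworkManager/system-connections/wired-dot1x
# Added example (not from the original thread). id, uuid, identity and all
# paths are illustrative assumptions. File must be owned by root with mode
# 0600, otherwise NetworkManager ignores it.
[connection]
id=wired-dot1x
uuid=0d3f7c1e-5c2a-4b8a-9f1e-6a2b4c8d0e11
type=802-3-ethernet
# No "permissions=" key: the profile is a system connection, usable by all
# users and activated at boot before anyone has logged in.
autoconnect=true

[802-3-ethernet]

[802-1x]
# Machine identity: EAP-TLS with a host certificate issued by the site CA,
# so no user password is involved at all.
eap=tls;
identity=host/ws01.example.com
ca-cert=/etc/pki/tls/certs/site-ca.pem
client-cert=/etc/pki/tls/certs/ws01.example.com.pem
private-key=/etc/pki/tls/private/ws01.example.com.key
private-key-password=changeme
# flags=0: the secret is system-owned and stored in this file, so no
# logged-in user or secret agent is needed to supply it.
private-key-password-flags=0

[ipv4]
method=auto

[ipv6]
method=auto
```

After dropping the file in place, `nmcli connection reload` (or a NetworkManager restart) picks it up. On the FreeRADIUS side the machine identity can be matched like any other user and the reply can carry Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-Id = <vlan>, which is what gives dynamic VLAN assignment per machine. If the machine account is a password account rather than a certificate (for example an AD computer account), the same profile works with eap=peap; phase2-auth=mschapv2; and identity/password in place of the certificate keys.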




