pam_ldap and 802.1x environment

Thorsten Scherf tscherf at gmail.com
Tue Jan 3 13:26:55 CET 2012


On [Tue, 03.01.2012 11:24], Phil Mayers wrote:
>On 03/01/12 09:42, Thorsten Scherf wrote:
>
>>I tried a combination of pam_radius_auth and pam_unix, that worked ok. I
>>guess the same can be done with pam_ldap as well, needs some testing,
>>though.
>
>Sorry, I am confused.
>
>By "secure network access" I assumed you meant "how can I use the 
>login credentials to login to the network with 802.1x" - is this 
>correct?
>
>Neither pam_radius_auth nor pam_ldap will do that.

Ok, I should be more precise. Let's try it again. Let's say I have a
FreeRadius server with LDAP backend. The LDAP backend contains user and
machine objects with RADIUS and POSIX specific attributes. I now want to
use that LDAP box to act as a backend for 802.1x access as well as
authentication server for logins based on pam_ldap.

With LDAP only I should have a PAM config like this:

...
auth sufficient pam_ldap.so ...
...

In a 802.1x I won't have network access before my local supplicant sends
proper login credentials to a NAS in order to get access to the network.
With my understanding, what would require another PAM module that is
called before pam_ldap. Something like this:

...
auth required   pam_radius_auth.so ...
auth sufficient pam_ldap.so ...
...

IMHO, the pam_radius_auth is responsible to get proper network access
that would help pam_ldap to talk to the LDAP server in order to do a
"second level of authentication", in order to benefit from things like
password policy and things like that. Maybe I'm completely wrong here,
that's why I asked for some clarification.

>>Mabye the whole question should be more general. Can you give me an
>>example, how a desktop/notebook system (Linux or Windows based) with
>>centralized user management (ldap/krb5/ad) has to configured in order to
>>benefit from 802.1x benefits like dynamic vlan assignments and things
>>like that?!
>
>No sorry, that's a huge and very vague question that doesn't make a 
>lot of sense. You'll need to do some research yourself, or ask more 
>specific questions.

OK, I'll try it again. User foo works for company BAR. Company BAR uses 
central organized user accounts hosted on a LDAP server. User foo has a 
notebook that doesn't have a local foo account available. In order to login, 
foo has to talk to the central LDAP server (via PAM/NSS) in order to
authenticate and receive informations like uid, gid, homeDir, shell and
things like that. Company BAR uses 802.1x to secure all ethernet ports. 
Now, when user foo plugs his notebook into an ethernet port that is secured 
by 802.1x, he first has to authenticate using 802.1x before he can talk to
the LDAP server. Question now is, how does this work when user foo logs
into his notebook by GDM or something similar?! The machine would have
to lookup the provided user crendentials on a LDAP server - that would
not work since no access to the network is possible at that time, thus
another action has to take place to authenticate using 802.1x. 

Again, maybe I'm completely wrong with my assumptions, if so, please
tell me how to setup a environment like the one described above. Also,
if this is not the right list to ask, can you point me to a proper list?

Thanks.
Thorsten




More information about the Freeradius-Users mailing list