pam_ldap and 802.1x environment
Phil Mayers
p.mayers at imperial.ac.uk
Tue Jan 3 15:21:25 CET 2012
On 03/01/12 12:26, Thorsten Scherf wrote:
> Ok, I should be more precise. Let's try it again. Let's say I have a
> FreeRadius server with LDAP backend. The LDAP backend contains user and
> machine objects with RADIUS and POSIX specific attributes. I now want to
> use that LDAP box to act as a backend for 802.1x access as well as
> authentication server for logins based on pam_ldap.
>
> With LDAP only I should have a PAM config like this:
>
> ...
> auth sufficient pam_ldap.so ...
> ...
>
> In a 802.1x I won't have network access before my local supplicant sends
> proper login credentials to a NAS in order to get access to the network.
> With my understanding, what would require another PAM module that is
> called before pam_ldap. Something like this:
>
> ...
> auth required pam_radius_auth.so ...
> auth sufficient pam_ldap.so ...
> ...
>
> IMHO, the pam_radius_auth is responsible to get proper network access
> that would help pam_ldap to talk to the LDAP server in order to do a
> "second level of authentication", in order to benefit from things like
> password policy and things like that. Maybe I'm completely wrong here,
> that's why I asked for some clarification.
I'm sorry, but you *are* completely wrong. You've misunderstood how PAM
works, and what pam_radius_auth does.
pam_radius_auth is "just like" pam_ldap - it checks login credentials
against a radius server, instead of an LDAP server.
pam_radius_auth DOES NOT perform 802.1x, or have anything to do with
network connectivity.
Currently, Linux systems do not integrate the 802.1x authentication with
the PAM login system. What you want to do can't be done.
The best you can do is either a)
1. Install NetworkManager
2. Create a user account per-machine
3. Define a system connection, using the per-machine account
4. Use that system connection for 802.1x, and pam_ldap for login
or b)
1. Use some kind of "cached" login to login before network is up e.g.
"sssd" or "pam_ccreds"
2. After login, use per-user 802.1x connections
Ideally, there would be a 3rd option, where a mythical PAM module
communicates the username/password to NetworkManager at login, waits for
NetworkManager to perform 802.1x, and then continues with pam_ldap and
similar - but that module does not exist.
> the LDAP server. Question now is, how does this work when user foo logs
> into his notebook by GDM or something similar?! The machine would have
> to lookup the provided user credentials on a LDAP server - that would
> not work since no access to the network is possible at that time, thus
> another action has to take place to authenticate using 802.1x.
As above - 802.1x and login authentication are not integrated on Linux.
What you want to do, can't be done currently.
And again, this is not really a FreeRADIUS question. You might want to
ask on the NetworkManager or PAM mailing list(s) whether there are any
plans to provide "single signon" 802.1x & login authentication.
Cheers,
Phil
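A concrete form of option a) above, as an added example that is not part of the original thread: a NetworkManager keyfile for a wired 802.1X system connection that authenticates with a per-machine account, so the link is up before any user logs in and pam_ldap can reach the directory. The connection name, machine identity, password and CA path are placeholders.

```ini
# /etc/NetworkManager/system-connections/corp-wired-8021x.nmconnection
# Must be owned by root with mode 0600: the machine account password
# is stored in this file (password-flags=0), so nobody else may read it.

[connection]
id=corp-wired-8021x
type=ethernet
autoconnect=true
# An empty permissions list makes this a system connection: NetworkManager
# brings it up at boot, without waiting for a user session.
permissions=

[ethernet]

[802-1x]
eap=peap;
# Per-machine account created in LDAP (placeholder identity).
identity=host/laptop01.example.org
password=MACHINE-ACCOUNT-PASSWORD-PLACEHOLDER
password-flags=0
anonymous-identity=anonymous
phase2-auth=mschapv2
# Always validate the RADIUS server certificate; otherwise the machine
# credential is handed to whatever answers on the port.
ca-cert=file:///etc/ssl/certs/corp-ca.pem
domain-suffix-match=radius.example.org

[ipv4]
method=auto

[ipv6]
method=auto
```

With this in place the PAM stack stays as in the original LDAP-only case (auth sufficient pam_ldap.so), since the network is already authenticated by the time GDM prompts for a user.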