pam_ldap and 802.1x environment

Phil Mayers p.mayers at
Tue Jan 3 15:21:25 CET 2012

On 03/01/12 12:26, Thorsten Scherf wrote:

> Ok, I should be more precise. Let's try it again. Let's say I have a
> FreeRadius server with LDAP backend. The LDAP backend contains user and
> machine objects with RADIUS and POSIX specific attributes. I now want to
> use that LDAP box to act as a backend for 802.1x access as well as
> authentication server for logins based on pam_ldap.
> With LDAP only I should have a PAM config like this:
> ...
> auth sufficient ...
> ...
> In an 802.1x I won't have network access before my local supplicant sends
> proper login credentials to a NAS in order to get access to the network.
> In my understanding, that would require another PAM module that is
> called before pam_ldap. Something like this:
> ...
> auth required ...
> auth sufficient ...
> ...
> IMHO, the pam_radius_auth is responsible to get proper network access
> that would help pam_ldap to talk to the LDAP server in order to do a
> "second level of authentication", in order to benefit from things like
> password policy and things like that. Maybe I'm completely wrong here,
> that's why I asked for some clarification.

I'm sorry, but you *are* completely wrong. You've misunderstood how PAM 
works, and what pam_radius_auth does.

pam_radius_auth is "just like" pam_ldap - it checks login credentials 
against a radius server, instead of an LDAP server.

pam_radius_auth DOES NOT perform 802.1x, or have anything to do with 
network connectivity.

Currently, Linux systems do not integrate the 802.1x authentication with 
the PAM login system. What you want to do can't be done.

The best you can do is either a)

  1. Install NetworkManager
  2. Create a user account per-machine
  3. Define a system connection, using the per-machine account
  4. Use that system connection for 802.1x, and pam_ldap for login

or b)

  1. Use some kind of "cached" login to login before network is up e.g. 
"sssd" or "pam_ccreds"
  2. After login, use per-user 802.1x connections

Ideally, there would be a 3rd option, where a mythical PAM module 
communicates the username/password to NetworkManager at login, waits for 
NetworkManager to perform 802.1x, and then continues with pam_ldap and 
similar - but that module does not exist.

> the LDAP server. Question now is, how does this work when user foo logs
> into his notebook by GDM or something similar?! The machine would have
> to lookup the provided user credentials on a LDAP server - that would
> not work since no access to the network is possible at that time, thus
> another action has to take place to authenticate using 802.1x.

As above - 802.1x and login authentication are not integrated on Linux. 
What you want to do can't be done currently.

And again, this is not really a FreeRADIUS question. You might want to 
ask on the NetworkManager or PAM mailing list(s) whether there are any 
plans to provide "single signon" 802.1x & login authentication.
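A concrete PAM stack for option b) above, added here as an illustration and not part of Phil's message or the FreeRADIUS project: it follows the jump-based layout that pam_ccreds is normally deployed with, so that a user can log in against the local credential cache while 802.1x has not yet brought the network up, and the cache is refreshed whenever LDAP is reachable. The file path and module options are assumptions for a Red Hat style `system-auth`; adapt them to your distribution.

```text
# /etc/pam.d/system-auth, auth section only (assumed layout for option b)
# Local accounts first: this never needs the network.
auth    sufficient  pam_unix.so try_first_pass
# Ask LDAP. Three outcomes, expressed as jumps over the lines that follow:
#   success           -> skip 1 line, land on "store" (refresh the cache)
#   authinfo_unavail  -> ignore, fall through to "validate" (network is down,
#                        e.g. before the per-user 802.1x connection is up)
#   any other failure -> skip 2 lines, land on "update" (wrong password etc.)
auth    [authinfo_unavail=ignore success=1 default=2]  pam_ldap.so use_first_pass
# Offline path: compare the password with the locally cached credentials and
# finish with that result.
auth    [default=done]  pam_ccreds.so action=validate use_first_pass
# Online success: (re)store the cached credentials, then finish successfully.
auth    [default=done]  pam_ccreds.so action=store
# Online failure: drop the stale cache entry and fail the login.
auth    [default=bad]   pam_ccreds.so action=update
```

Note what this does and does not give you: the user logs in from the cache, NetworkManager then starts the per-user 802.1x connection, and the next login over a working network refreshes the cache. LDAP-side password policy (expiry, lockout) is only enforced on the logins that actually reach the LDAP server, which is exactly the trade-off Phil describes for the cached-login approach.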
