On [Tue, 03.01.2012 14:21], Phil Mayers wrote:
Currently, Linux systems do not integrate the 802.1x authentication with the PAM login system. What you want to do can't be done.

Ok, great, that's what I wanted to hear. I haven't worked with
pam_radius_auth; it was just my assumption that it behaves as
described earlier. If this is not the case - fine.
The best you can do is either a)

1. Install NetworkManager
2. Create a user account per-machine
3. Define a system connection, using the per-machine account
4. Use that system connection for 802.1x, and pam_ldap for login

or b)

1. Use some kind of "cached" login to log in before the network is up, e.g. "sssd" or "pam_ccreds"
2. After login, use per-user 802.1x connections

Yeah, I already had this in mind, using sssd for a cached login or
something, but this of course introduces other problems (like the
initial login of a user, things like that). I thought there might be a
more robust and easier solution. Seems I was wrong. :)

Ideally, there would be a 3rd option, where a mythical PAM module communicates the username/password to NetworkManager at login, waits for NetworkManager to perform 802.1x, and then continues with pam_ldap and similar - but that module does not exist.

See, my assumption was that a combination of pam_radius_auth and
pam_ldap could be used to accomplish such a task. Thanks for making clear
that this doesn't work.

the LDAP server. Question now is, how does this work when user foo logs
into his notebook by GDM or something similar?! The machine would have
to look up the provided user credentials on an LDAP server - that would
not work since no access to the network is possible at that time, thus
another action has to take place to authenticate using 802.1x.

As above - 802.1x and login authentication are not integrated on Linux. What you want to do can't be done currently.

Ok, no prob. Good to now have some clarification about that. Thanks.

Cheers,
Thorsten
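For option a) above, this is what the per-machine 802.1x "system connection" looks like as a NetworkManager keyfile. It is an added example, not something from this thread or from the NetworkManager project; the connection name, UUID, machine identity, interface and CA path are constructed placeholders.

```ini
# /etc/NetworkManager/system-connections/corp-wired   (mode 0600, owner root)
# Constructed example: a system-wide connection that NetworkManager brings up
# at boot, before any user logs in, so pam_ldap can reach the LDAP server.

[connection]
id=corp-wired
uuid=00000000-1111-2222-3333-444444444444   ; placeholder, generate with uuidgen
type=802-3-ethernet
interface-name=eth0                         ; placeholder interface
autoconnect=true
; No "permissions=" line: the connection is not tied to a user session,
; which is what makes it a system connection usable before login.

[802-3-ethernet]

[802-1x]
eap=peap;
identity=host/laptop01.example.org          ; per-machine account from step 2
phase2-auth=mschapv2
password=MACHINE-ACCOUNT-PASSWORD-PLACEHOLDER
password-flags=0                            ; 0 = secret stored here (system-owned),
                                            ; not requested from a user's agent
ca-cert=/etc/ssl/certs/corp-radius-ca.pem   ; placeholder; always pin the RADIUS CA
                                            ; so the supplicant rejects rogue servers

[ipv4]
method=auto

[ipv6]
method=auto
```

Because the machine password sits in this file, it must stay root-only (0600), and the machine account on the RADIUS/LDAP side should carry no rights beyond network access; the user's own credentials are never involved in the 802.1x step and are checked later by pam_ldap at the GDM prompt.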

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
