Re: Wired 802.1x Machine/User Authentication



On Thu, 2008-07-24 at 00:40 -0700, Gilbert Mendoza wrote:
> Greets...
> 
> Some background info first:
> I'm working on a wired 802.1x project in which I automatically assign
> per-user VLANs and ACLs based on RADIUS user group profiles.  Machines
> and Users are all authenticated as individual security principals.  MS
> Windows 802.1x settings allow for a workstation to log in automatically
> with its own domain credentials prior to any user logging on.  However,
> once the user logs in, this initiates a reauthentication event with the
> interactive user's NT credentials.  Based on the authentication result, I
> can assign to the switch port additional ACLs, change the VLAN
> dynamically, or simply keep things the same, but I have detailed logs of
> who/what is logging in where.

Interesting...

> I am looking to do the same thing with NetworkManager.  I would like to
> configure the workstation to automatically authenticate with one
> particular authentication method prior to a user logging in (e.g.
> EAP-TTLS, EAP-PEAP, etc), but I want a user to be able to use their
> personalized NetworkManager 802.1x profile to reauthenticate after
> desktop access.
> 
> Question:
> - From my previous experience with xsupplicant/wpa_supplicant and NM, I
> can configure /etc/network/interfaces with static 802.1x settings to
> accomplish machine authentication.  However, this would disable a user's
> ability to reauthenticate using NM, as NM would detect a manual
> configuration in place and not allow any per user settings.  Does this
> still hold true, or is there a way to work around this limitation?
> 
> I have currently only been using NM 0.6.6 which is included with Ubuntu
> 8.04 Hardy.  Not sure if later releases have made this possible.

This isn't currently possible with the NM 0.6.x branch, but 0.7 should
have the required infrastructure (system and user connections).  The
logic to do this would likely be in the user applet, since the user
applet is launched on login.  Basically, the machine would have a
system-level connection that would start when NM starts as a daemon at
system startup time, and then at login time there would be a user
connection stored in the user's session (GConf for gnome, kconfig I think
for KDE) which could be activated after login when the applet starts
that contains the required user-specific credentials.

The missing bit is to have the applet somehow figure out that the
existing system connection is not good enough, and to try to activate a
specific user connection even though the system already has an active
connection.  But that's not too hard.  You could come up with a
proof-of-concept patch fairly easily, I think.  The applet, on startup,
would decide that some connection from its local store was more
important than the current system connection, and just tell NM to
activate that one instead.

Dan
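As an added illustration of the two-connection layout Dan describes (this is not code from the thread, and it is not NM 0.7 configuration: it uses the keyfile format of later NetworkManager releases, where a root-owned file under /etc/NetworkManager/system-connections/ is the "system connection" and a `permissions=` entry scopes a connection to one user). The interface name, identities, certificate path and uuid values are constructed placeholders.

```ini
# --- System connection: machine authentication, active before any login ---
# File: /etc/NetworkManager/system-connections/corp-wired-machine.nmconnection
# Must be owned by root with mode 0600; NM refuses world-readable keyfiles.
[connection]
id=corp-wired-machine
uuid=11111111-2222-4333-8444-555555555555
type=ethernet
interface-name=eth0
autoconnect=true
# Lower priority than the user connection so the latter wins once a user is in.
autoconnect-priority=0

[802-1x]
eap=ttls;
identity=host/workstation01.corp.example
phase2-auth=mschapv2
# Pin the RADIUS server's CA and expected name; without these the supplicant
# will hand the machine credential to any server presenting a certificate.
ca-cert=/etc/pki/corp/radius-ca.pem
domain-suffix-match=radius.corp.example
# password-flags=0: secret stored in this root-only file, not in a user keyring.
password-flags=0
password=MACHINE-SECRET-PLACEHOLDER

[ipv4]
method=auto

# --- User connection: re-authenticates the port with the user's own identity ---
# Same directory, but permissions= restricts activation to one account and
# password-flags=1 leaves the secret in that user's session keyring.
[connection]
id=corp-wired-alice
uuid=22222222-3333-4444-8555-666666666666
type=ethernet
interface-name=eth0
permissions=user:alice:;
autoconnect=true
autoconnect-priority=10

[802-1x]
eap=ttls;
identity=alice@corp.example
phase2-auth=mschapv2
ca-cert=/etc/pki/corp/radius-ca.pem
domain-suffix-match=radius.corp.example
password-flags=1

[ipv4]
method=auto
```

The RADIUS side still decides what the second authentication changes (VLAN, ACLs, or logging only); the client configuration only ensures that each principal presents its own credential and that both verify the server before doing so.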



