A relative Linux newbie, certainly in the corporate space.

What I am trying to do, authenticate users when they login to clients using a central LDAP server whilst at the same time using 802.1x to authenticate those same users to the network. The Radius server uses the same backend LDAP server to authenticate the 802.1x requests. I am using EAP-TLS and certificates for the 802.1x and LDAPS for the LDAP authentication.

Using SUSE Enterprise Server and Desktop 11 SP2 (Free 60 Day Eval) and Free Radius.

  • The central LDAPS authentication is working fine when no 802.1x auth used on the network.
  • 802.1x authentication is working fine when logged on as a local user with network profile configured for that user (but using the central LDAPS user account) and default system network profile not visible to all.
  • When the default system network profile is configured and made visible to all, I can log on and authenticate to the central LDAP server as any of my test users, however the user that authenticates using 802.1x to the network is always the user that is configured for the default system connection (root or whoever I choose) and not the LDAP authenticated user that has logged in to the computer.



If the default network profile is not made visible to all user, when nobody is logged in to the computer the network connection is dropped and thus LDAP authenticated users are unable to login.

Basically what I need is that the centrally authenticated LDAP users that logs on to the computer is the same one that 802.1x authenticates to the network.

I think the back end infrastructure is setup to allow me to do what I want and I am just struggling with the client configuration. Happy to be proved wrong on that though.

My research so far suggests that this is not possible and the only way to achieve something that would look similar is to have two user accounts for each user, one local with its network profile configured with the central account from the LDAP server.

Is there a way to configure Linux to do what I am trying to achieve or is it impossible at moment?

Regards
Jim