FreeRadius MAC address authorization (no authentication)

Ramot Lubis ramot.lubis at
Fri Aug 8 08:16:56 CEST 2008

Yes, I aim not to install the hotfix on the Windows XP client.

My main purpose is to check the valid MAC address of every wireless device
(with Windows XP SP2).
Based on the "radiusd -X" log in my previous email, I tried to conclude
that even in the Authorization phase, calling-station-id has been
validated to match the MAC address data in the SQL db. In this case, I
don't need a further Authentication phase.

However, I don't know how to configure the radius server to ignore the
authentication phase. Is there any idea for me to follow?

Thanks in advance.

On Fri, Aug 8, 2008 at 12:44 PM, Alan DeKok <aland at> wrote:
> Ramot Lubis wrote:
>> Hi, I'm trying to implement FreeRadius to authenticate wireless
>> clients based on MAC address only; unfortunately all my wireless clients
>> are using EAP/TLS (Windows XP SP2). I found that tutorials and docs are
>> not leading me in the right direction.
>  Could you explain?
>> Besides, I will not burden my
>> Windows XP SP2 client to search hotfix for EAP/TLS compatibility with
>> FreeRadius.
>  Does that mean you won't be installing the hotfix?  If so, it's likely
> that XP may not work.  And it's not "compatibility with FreeRADIUS",
> it's "following the standards".  FreeRADIUS works with every other
> supplicant that exists.  Microsoft keeps breaking their supplicants with
> new releases of their OS, and *every* RADIUS server has to change in
> order to "be compatible".
>> After digging more, I realize that Authorization using the checkval module
>> is enough to verify a valid MAC address from the wireless client.
>  I would not use the checkval module.  Try using another module.
>> But my
>> question is how can I use only Authorization where Authentication will
>> always return Access-Accept?
>  You can do MAC address checking in the "authorization" stage.
>> Here is my radiusd -X output:
> ...
>>         EAP-Message =
>> 0x0201002201504944454c2d3343354233304539435c41646d696e6973747261746f72
>>         Message-Authenticator = 0x891b437263cd48909255484bb081c823
> ...
>> auth: No authenticate method (Auth-Type) configuration found for the
>> request: Rejecting the user
>> auth: Failed to validate the user.
>  You edited the default configuration and broke it.  Don't do that.
>  Alan DeKok.

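Decoding the EAP-Message value quoted in the debug output above shows what the XP supplicant actually sent to the server. This is an added example, not part of the original thread or of FreeRADIUS; the function name `parse_eap` and the small type table are assumptions for illustration, and the packet layout follows RFC 3748.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

# EAP-Message value exactly as quoted in the radiusd -X output in this thread.
PAGE_EAP_MESSAGE = ("0x0201002201504944454c2d3343354233304539435c"
                    "41646d696e6973747261746f72")


def parse_eap(hex_value):
    """Decode one EAP packet from the hex value radiusd -X prints."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes (code, id, length)")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    # A length larger than the data means this is only one fragment: long EAP
    # packets are split over several EAP-Message attributes, so join them first.
    if length < 4 or length > len(raw):
        raise ValueError(f"EAP length {length} does not fit {len(raw)} bytes")
    packet = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident,
              "length": length, "type": None, "identity": None}
    # Only Request and Response carry a Type byte; Success/Failure stop at 4.
    if code in (1, 2) and length >= 5:
        eap_type = raw[4]
        packet["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        if eap_type == 1:  # Identity: the rest of the packet is the user name
            packet["identity"] = raw[5:length].decode("utf-8", "replace")
    return packet


if __name__ == "__main__":
    for key, value in parse_eap(PAGE_EAP_MESSAGE).items():
        print(f"{key:9}: {value}")
```

The logged packet is an EAP-Response/Identity, meaning the client has started an EAP conversation and is waiting for the server to continue it.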