MAC Authentication - Bad Idea?

Jim Rice jmrice6640 at yahoo.com
Wed Feb 2 19:27:53 CET 2011


Greetings,

Still a newbie, but getting there...  (Alan, do you ever sleep?)

I have been asked to implement MAC authentication for a local service provider with a Canopy radio network and MikroTik routers.  No, really.

I was able to test this and received Accept-Accept after placing the MAC address in the UserName (Password is ""), but had to set Auth-Type := Accept.

I haven't found much in the way of documentation regarding MAC authentication in some of the "dated" books I have on RADIUS and 802.1x, nor in the FreeRADIUS docs.

The goal is to provide for different classes of service, bandwidth management, accounting, etc.  I imagine some of this can be done through vendor-specific attributes to dynamically configure the routers (VLANs, data rates, priority queues and such), based on which group a user belongs to.

Dumb question #1:  Just because you can do a thing, it doesn't mean you should.  Can someone give me the "you idiot" speech and talk me out of this?

Deploying client certificates to every device in their network seems an administrative nightmare.  Using usernames/passwords doesn't make sense since most devices will always be connected.  In the days of dial-up, users understood having to "login" to connect.  Today, not so much.

So, are there better alternatives?  Or am I still just a clueless newbie?

Thanks for your patience,

Jim
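
Added example, not part of the original post and not FreeRADIUS code: a Python sketch of the decision the post describes, where the MAC arrives in User-Name and the subscriber's group selects the reply attributes, but only MACs on an explicit allowlist are accepted instead of a blanket accept. The subscriber table, group names, rate values and the assumption that the NAS also sends Calling-Station-Id are constructed for illustration; a MAC is not a secret, so this check identifies a device and does not prove it.

```python
import re

# Constructed sample data: MAC -> service group, group -> reply attributes.
# Mikrotik-Rate-Limit is MikroTik's rate-limit VSA; the values are made up.
SUBSCRIBERS = {
    "00-11-22-33-44-55": "residential",
    "66-77-88-99-AA-BB": "business",
}
GROUP_REPLY = {
    "residential": {"Mikrotik-Rate-Limit": "2M/10M"},
    "business": {"Mikrotik-Rate-Limit": "10M/10M"},
}


def normalize_mac(value):
    """Return the MAC as upper-case AA-BB-CC-DD-EE-FF, or None if it is not one."""
    digits = re.sub(r"[-:.\s]", "", value or "")
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(request):
    """Decide on a request given as a dict of attribute name -> string value."""
    user_mac = normalize_mac(request.get("User-Name"))
    if user_mac is None:
        return ("Access-Reject", {"Reply-Message": "User-Name is not a MAC"})

    # If the NAS reports the station address separately, it must agree with
    # the claimed User-Name; a mismatch means the request was assembled oddly.
    station = request.get("Calling-Station-Id")
    if station is not None and normalize_mac(station) != user_mac:
        return ("Access-Reject", {"Reply-Message": "MAC mismatch"})

    # Default deny: a MAC that is not provisioned gets no service.
    group = SUBSCRIBERS.get(user_mac)
    if group is None:
        return ("Access-Reject", {"Reply-Message": "Unknown device"})

    return ("Access-Accept", dict(GROUP_REPLY[group]))


if __name__ == "__main__":
    print(authorize({"User-Name": "00:11:22:33:44:55"}))
    print(authorize({"User-Name": "de:ad:be:ef:00:01"}))
```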


