Freeradius 2.1.10: authentication (uid and password) or (macaddress)?in LDAP

Alexander Clouter alex at
Thu Jul 7 21:26:38 CEST 2011

Maciej ??ukasz Wojszkun <maciej.wojszkun at> wrote:
> somebody can tell me how I should configure freeradius to authenticate 
> in order (all is in openldap):
> check mac-address in ldap
>        if exist
>                authenticate computer
>        else
>                authenticate with uid/password
> or
> try authenticate using macaddress
> if rejected - try authenticate via uid/password
The complication comes in as the initial authentication can be an EAP 
(802.1X) or a MAC-auth request.  You cannot do MAC-auth on an EAP 
request and pass back Access-Accept immediently...the client will get 
confused and probably just keep hammering your RADIUS server to 

On a wired socket, with Cisco kit at least, you do get the option to try 
a MAC-auth first, and if the RADIUS server comes back with Access-Reject 
then the switch will move into 802.1X which works *very* well.

You have not stated if you want to do this on a wired or wireless 
connection.  You have not actually stated if 802.1X is even involved and 
that this could just be a web portal.

At my workplace (a medium sized university) we store all our MAC 
addresses in LDAP and it works well for us.  If the MAC address is not 
'registered' then the client has to use an 802.1X authentication.


Alexander Clouter
.sigmonster says: When you don't know what to do, walk fast and look worried.

More information about the Freeradius-Users mailing list