Authenticate user by NAS-IP & NAS-Port-ID instead of User-Name & Password

Alan DeKok aland at
Sat Apr 21 09:01:55 CEST 2012

Louis Arsenault wrote:
> I have a managed network switch that support MAC authentication and
> will send requests to Radius. The issue is I do not wish to keep a
> list of customer device MAC addresses for authentication. I would like
> to enforce activation by port.
> My first attempt was changing the username & password to something
> standardized like "<NAS-IP>-<NAS-Port-ID>" & "somesecurepassword"

  Did that match the user name && password in the RADIUS packet?  If
not, it's not going to work.

> When I did this though I think EAP failed with the user-name did not
> match what was on the original request.

  Saying "I think..." is bad practice.  Computers are exact.  Find out
EXACTLY what's going on.

  And go back to read what you wrote.  MAC authentication and EAP?
Those are different things.  What is REALLY happening?

> What I am looking for is what the best way to approach this scenario is.
> The 2 options I can think of is try writing a custom sql module that
> way I do not need to play with the User-Name Password or proxy the
> request and then authenticate it that way the names don't get fudged
> on the original request.

  *IF* the packets contain EAP and you want to authenticate devices by
NAS IP/port... it's impossible.  Don't even bother trying.  It won't work.

  If you're not doing EAP, that's another question.

  So... what's really going on?  MAC auth?  EAP? ....?

  Alan DeKok.

More information about the Freeradius-Users mailing list