Again,

On Mon, Jan 5, 2015 at 8:17 PM, Marki <jm+freeradiususer@roth.lu> wrote:

In fact the switches correctly react to an Access-Accept or Access-Reject,
but don't set the VLAN correctly without EAP.

I consider this a bug as there should be a separation of concerns here. It is totally unnecessary and a layering violation to couple to EAP.
 

In fact I have a call open with Cisco about this, and it would now be great
if I had some strong arguments why using EAP here is just sick, or why some
things only work with EAP while the rest also works out-of-the-box.

I don't have a problem with EAP being used for MAC auth. A NAS could, for example, use a fixed, constant username and password to perform MAC address authentication, only passing the MAC address in the Calling-Station-Id, instructing that this value should be authenticated using the Service-Type of Call-Check.

This is useful as it means you can use a single directory account for MAC auth without having to mess around.

I do want to see Cisco implement and support a fixed, constant username and password authentication for MAB in a future IOS release. (As an option.)

If a Service-Type is missing, this is a bug where other authentication types are supported as it becomes awkward, hackish and potentially unreliable to discriminate between the type of service being used by a client. It becomes a broken NAS at this point.

Nick