Do these switches or APs not use a Service-Type of Call-Check when performing MAC auth then? I would be barking at the vendor if that was missing. While using an EAP type is rather pointless for MAC address authentication, there isn't an intrinsic problem doing so. I don't think it's idiotic. It's where an appropriate, discriminating Service-Type AVP is missing for CWP auth, MAC auth or something else that it is a problem and you have to shout at the NAS vendor to get it resolved. That's the idiotic part. (But let's not forget it's easy to spoof a MAC address on many devices.) There are other bigger fish to fry too, a bigger issue is where CWP authentication on an AP doesn't use a TLS-based EAP type while carrying user credentials. (While I don't use these personally, many others do. Yes there are other attacks against CWPs but this doesn't negate this.) Nick