Hi. For better understanding. Here are the packets, the Catalyst sends to the radius (Cisco ACS). Captured with Ethereal. The feature (Mac-Authentication-bypass) was tested by myself, with ACS 4.0 beta and worked. The switch sends three packets like that: Radius Protocol Code: Access-Request (1) Packet identifier: 0xa9 (169) Length: 65 Authenticator: 1C3208670AF4106D1619034D1BD50526 Attribute Value Pairs AVP: l=8 t=User-Name(1): azbycx AVP: l=6 t=NAS-IP-Address(4): xx.xx.128.156 AVP: l=13 t=EAP-Message(79) Last Segment[1] AVP: l=18 t=Message-Authenticator(80): 996FDE4A9B0077AAC30FA6A8AE65BC09 They are NOT answered by the ACS-radius. Btw. WHAT is username: azbycx? Some kind of default? It is always the same username, no matter what MAC i plug into the Switch! Cisco documentation sucks big time on this! :( Why is he doing it, it was definitely not configured in CatOS. ---------------------- After that, it sends the "real" access-request: Radius Protocol Code: Access-Request (1) Packet identifier: 0x1 (1) Length: 100 Authenticator: 012E175F0CF11CB90FE21A16008B1613 Attribute Value Pairs AVP: l=6 t=NAS-IP-Address(4): xx.xx.128.156 AVP: l=6 t=NAS-Port(5): 110 AVP: l=6 t=Service-Type(6): Call-Check(10) AVP: l=19 t=Called-Station-Id(30): 00-14-1b-xx-xx-xx AVP: l=19 t=Calling-Station-Id(31): 00-0e-7f-xx-xx-xx AVP: l=6 t=NAS-Port-Type(61): Ethernet(15) AVP: l=18 t=Message-Authenticator(80): 3BF52FD5838A862CD4BFBD478515982A "Called-Station-ID" is the MAC of the Switch-Interface. "Calling-Station-ID" is the MAC that needs to be authenticated. I'd really appreciate, if someone could help me out on the freeradius mysql config, based on that scenario. Thanks. Bye Flo