Hi, our Freeradius is working fine with PEAP (NT hash passwords stored in Openldap). We'd like to add MAC authorization using Mysql: only people with MAC contained in radcheck should have access (provided they also type in the right password!). Radcheck has only one entry: +----+----------------------------+--------------------+----+-------------------+ | id | username | attribute | op | value | +----+----------------------------+--------------------+----+-------------------+ | 1 | uto.ughi@studenti.unipd.it | Calling-Station-Id | == | 98-4B-4A-F5-BF-40 | +----+----------------------------+--------------------+----+-------------------+ The problem is that uto.ughi@studenti.unipd.it gets an AccessAccept packet, regardless of his Calling-Station-Id. Don't know if it's related but strangely (to me) when uto.ughi@studenti.unipd.it has Calling-Station-Id 98-4B-4A-F5-BF-40 (the one in radcheck) radiusd performs this sql query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'uto.ughi@studenti.unipd.it' ORDER BY id and the radiusd -X output shows "[sql] User found in radcheck table" Same user, different Calling-Station-Id (73-1C-5C-B4-E0-55, not the one in radcheck), shows "[sql] User uto.ughi@studenti.unipd.it not found." Still, in both cases the user gets an AccessAccept packet. I can't see what I'm doing wrong, any help would be greaty appreciated! I enclose these files: - sites-enabled/eduroam-inner-tunnel - sites-enabled/eduroam - eap.conf Attached is the output of radiusd -X when uto.ughi@studenti.unipd.it is accessing with Calling-Station-Id 73-1C-5C-B4-E0-55, not present in radcheck. [eduroam-inner-tunnel file]: server eduroam-inner-tunnel { authorize { auth_log eap sql openldap mschap } authenticate { ntlm_auth Auth-Type MS-CHAP { mschap } eap } post-auth { reply_log Post-Auth-Type REJECT { reply_log } } } [sites-enabled/eduroam file]: server eduroam { authorize { auth_log suffix eap { ok = return } } authenticate { ntlm_auth eap } preacct { suffix } accounting { } post-auth { reply_log Post-Auth-Type REJECT { reply_log } } pre-proxy { pre_proxy_log if (Packet-Type != Accounting-Request) { attr_filter.pre-proxy } } post-proxy { post_proxy_log attr_filter.post-proxy } } [/etc/raddb/eap.conf]: eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = klabssrlviasalgari17 private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = /dev/urandom fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" } ttls { default_eap_type = gtc copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "eduroam-inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "eduroam-inner-tunnel" } mschapv2 { } }