Hi there, I hope you don't mind if I ask something at first not directly related to freeradius. In fact, we have some of those Cisco SG series small-business switches on which we wanted to implement plain MAC address-based authentication just like with other Cisco IOS gear (Mac Auth Bypass) and also gear from other vendors like Extreme. Now, those Cisco SG devices are also capable of doing dynamic vlan assignment BUT they don't accept any VLAN in return unless a full EAP conversation has taken place, even when only in MAC-auth mode, not in 802.1x. The other gear has no problem accepting a Tunnel-Private-Group-ID attribute in plain mode. Is that something you would say they (Cisco) have to liberty to implement as they wish and I don't understand things clearly, or is it that they didn't understand things clearly when implementing a MAC-based authentication using 802.1x nevertheless. In fact the interesting part of their manual says this: --start quote-- MAC-based authentication is an alternative to 802.1X authentication that allows network access to devices (such as printers and IP phones) that do not have the 802.1X supplicant capability. MAC-based authentication uses the MAC address of the connecting device to grant or deny network access. In this case, the switch supports EAP MD5 functionality with the username and password equal to the client MAC address --end quote-- It's mainly that last sentence that I'm wondering about. In any case this is going to make my life more difficult, as I will have to treat those SG devices differently from all the other gear we have... Thanks for your opinion. Bye, Marki