Sure. What you're looking for then, is more this:
authorize { ... eap ... }
authenticate { ... eap ... }
post-auth { ... if (MAC_LIMITED-SSID && EAP-CERT-01) { look up MAC if !known MAC reject if blocked MAC reject } ... }
Which is pretty simple. That assumes that both client certs are issued by the same CA. Yes, the CA is under my control, (self signed) so no expected challenge there. Alan DeKok.
That said, how does the pseudo code get translated into unlang? I think I understand a partial of %{request:Cisco-AVPair[0]} would provide the SSID (based upon looking at the freeradius -X trace where it scrolls by first) but I am unsure about testing for the [certificate name?]. (I got the above from 'man unlang'; hopefully an appropriate reference.) I expect "real" data is now necessary to continue forward? Thanks, Ted.