On Mon, Jan 5, 2015 at 2:26 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jan 5, 2015, at 9:23 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
> It would be helpful to have a reference as to why unadorned EAP messages, without a Service-Type, are harmful. Anyone know of one?

  Nope.  There is a “Service-Type = IEEE-802.1X”.  That should be used for 802.1X.  But not many vendors use it that I’ve seen.

  Perhaps a better solution would be to have a Service-Type dedicated to MAC authentication.  Then it wouldn’t matter what authentication method was being used.  Sadly, it’s too late for that.

Indeed, most vendors will just use a Service-Type of Framed.

For MAC auth, assuming it is not being used for something else by a NAS, advice that Call-Check is the most appropriate Service-Type to use as the Calling-Station-Id contains the client MAC address may be helpful.

Nick