Because I authenticate my users against kerberos, not ldap. A principal and an ldap object all for MAB seems excessive to me. I also see that as an unnecessary duplication of data in the directory. I have the mac addresses as past of a couple of object classes and dont need more than one "copy" of the data. On Apr 21, 2015 9:23 PM, "Ben Humpert" <ben@an3k.de> wrote:
2015-04-21 23:00 GMT+02:00 Brendan Kearney <bpk678@gmail.com>:
my switch (cisco sg500) will identify that a client does not support .1x and will provide the mac address as the username and password in an EAP message. because it is an EAP message, i can leverage the Calling-Station-Id attribute, and distinguish user auth vs. mac auth bypass with the "if (EAP-Message)" statement.
So the only difference between a user/pass access-request package and one for mac bypass is just that the mac bypass contains the mac address as the username and password? If so, why don't you add a "user" for these mac addresses into your ldap just like you did with real users? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html