Hello, My experience with Freeradius is still in the beginning. My requirements in the first step are not very high. I want to configure Freeradius so that users can be authenticated via 802.1x or via MAC-Auth. I followed these instructions exactly: https://wiki.freeradius.org/guide/mac-auth#mac-auth-or-802-1x Unfortunately, it does not work. I have created a username and password and also entered a Mac address in the file. But neither the user nor the Mac address work. I always get a reject, although it should work according to the instructions. I get the following answer when I run radtest: radtest andreas andreas123 127.0.0.1 1812 testing123 Sent Access-Request Id 123 from 0.0.0.0:51323 to 127.0.0.1:1812 length 77 User-Name = "andreas" User-Password = "andreas123" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "andreas123" Received Access-Reject Id 123 from 127.0.0.1:1812 to 127.0.0.1:51323 length 20 (0) -: Expected Access-Accept got Access-Reject Here are the individual files. I am very grateful for any help. /etc/freeradius/3.0/mods-available/files: files { moddir = ${modconfdir}/${.:instance} filename = ${moddir}/authorize acctusersfile = ${moddir}/accounting preproxy_usersfile = ${moddir}/pre-proxy } files authorized_macs { key = "%{Calling-Station-ID}" usersfile = ${confdir}/authorized_macs } # The instructions also say here # compat = no # but if I leave this in, I get an error message and the server no longer starts. Why does this happen? /etc/freeradius/3.0/authorized_macs 00-11-22-33-44-55 Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access" /etc/freeradius/3.0/sites-available/default server default { listen { type = auth ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipaddr = * port = 0 type = acct limit { } } listen { type = auth ipv6addr = :: # any. ::1 == localhost port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipv6addr = :: port = 0 type = acct limit { } } authorize { preprocess # If cleaning up the Calling-Station-Id... rewrite_calling_station_id # If this is NOT 802.1x, assume mac-auth. We check this by testing # for the presence of the EAP-Message attribute in the request. if (!EAP-Message) { # Now check against the authorized_macs file authorized_macs if (!ok) { reject } else { # accept update control { Auth-Type := Accept } } } else { # Normal FreeRADIUS virtual server config goes here e.g. eap } } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap digest eap } preacct { preprocess acct_unique suffix files } accounting { detail unix -sql exec attr_filter.accounting_response } session { } post-auth { update { &reply: += &session-state: } -sql exec remove_reply_message_if_eap Post-Auth-Type REJECT { # log failed authentications in SQL, too. -sql attr_filter.access_reject eap remove_reply_message_if_eap } Post-Auth-Type Challenge { } } pre-proxy { } post-proxy { eap } } Thank you all for your help. Regards Andy