Hi, I am using FreeRadius v2.2.0 on CentOS 6.4 x86_64. I am trying to adapt Plain Mac-Auth as described at: http://wiki.freeradius.org/guide/Mac-Auth to work work from LDAP. (Note: The server is also used for eduroam and is going to be used for 802.1x too.) My setup follows below. The questions: -------------- 1. Should I also define the value: # access_attr ...for correct results? 2. Can I test this using radtest (since I am not using user/password for this query)? 3. Any other suggestions? -------------- The setup: ldap ldap_macauth { server = "localhost" identity = "uid=binduser,ou=System,dc=example,dc=com" password = "bindpasswd" basedn = "ou=Nodes,dc=example,dc=com" filter = "(macAddress=%{Calling-Station-Id})" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 2 timeout = 4 timelimit = 3 net_timeout = 1 } and I have a test entry: dn: cn=hostABC,ou=Nodes,dc=example,dc=com cn: hostABC macAddress: 00:24:8b:3c:d1:db objectClass: device objectClass: ieee802Device objectClass: top ou: tech owner: uid=johndoe,ou=people,dc=example,dc=com l: Main Site I have preferred to set: rewrite_calling_station_id { if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){ update request { Calling-Station-Id := "%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}" } } else { noop } } and in sites-enabled/default: authorize { preprocess chap mschap digest suffix eap { ok = return } files ldap_macauth if (!ok) { reject } else { # accept update control { Auth-Type := Accept } } expiration logintime pap } Thanks and regards, Nick