Hi, I'm setting up wired 802.1x authentication for Juniper and Ubiquiti switches. Each device supports supplicant-based authentication and can fall back to MAC-based authentication. When using the Juniper, if it falls back to MAC-based authentication it sends an Access-Request with User-Name and User-Password attributes that both contain the MAC address of the device connecting to the switch, such as "e6e849A201e8". However, when the Ubiquiti falls back to MAC-based auth the Access-Request it sends only contains the User-Name attribute. Since my sites-enabled/default file contains: if (User-Password) { update control { Auth-Type := rest } } in the authorize section, REST authentication is completely skipped. I then tried adding: if (&NAS-Port-Type == "Ethernet" && !User-Password) { update control { User-Password = &User-Name Auth-Type := rest } } right on top of the previous section, but then I get this: (1) if (&NAS-Port-Type == "Ethernet" && !User-Password) { (1) if (&NAS-Port-Type == "Ethernet" && !User-Password) -> TRUE (1) if (&NAS-Port-Type == "Ethernet" && !User-Password) { (1) update control { (1) User-Password = &User-Name -> 'E6E849A201E8' (1) Auth-Type := rest (1) } # update control = noop (1) } # if (&NAS-Port-Type == "Ethernet" && !User-Password) = noop (1) if (User-Password) { (1) if (User-Password) -> FALSE (1) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (1) pap: WARNING: !!! Ignoring control:User-Password. Update your !!! (1) pap: WARNING: !!! configuration so that the "known good" clear text !!! (1) pap: WARNING: !!! password is in Cleartext-Password and NOT in !!! (1) pap: WARNING: !!! User-Password. !!! (1) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = rest (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) authenticate { (1) rest: ERROR: You set 'Auth-Type = REST' for a request that does not contain a User-Password attribute! (1) [rest] = invalid (1) } # authenticate = invalid (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject So I changed it to this: if (&NAS-Port-Type == "Ethernet" && !User-Password) { update control { Cleartext-Password = &User-Name Auth-Type := rest } } (2) if (&NAS-Port-Type == "Ethernet" && !User-Password) { (2) if (&NAS-Port-Type == "Ethernet" && !User-Password) -> TRUE (2) if (&NAS-Port-Type == "Ethernet" && !User-Password) { (2) update control { (2) Cleartext-Password = &User-Name -> 'E6E849A201E8' (2) Auth-Type := rest (2) } # update control = noop (2) } # if (&NAS-Port-Type == "Ethernet" && !User-Password) = noop (2) if (User-Password) { (2) if (User-Password) -> FALSE (2) pap: WARNING: Auth-Type already set. Not setting to PAP (2) [pap] = noop (2) } # authorize = updated (2) Found Auth-Type = rest (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) authenticate { (2) rest: ERROR: You set 'Auth-Type = REST' for a request that does not contain a User-Password attribute! (2) [rest] = invalid (2) } # authenticate = invalid (2) Failed to authenticate the user (2) Using Post-Auth-Type Reject Am I approaching the problem in a wrong way? What would be the best way to deal with the lack of the User-Password attribute? Thanks, -Martin