Wireless 802.1x with MAB as fallback and FreeRadius
Hello, I use EAP to authenticate wireless clients that support 802.1x. But we have some IoT devices that don't support 802.1x, is it possible to make them connect to the same SSID with some kind of fallback? I saw a lot of articles teaching how to do this in ISE. Basically you enable Mac Authentication Bypass in the wireless controller and then it sends the mac to the radius server, if the mac is invalid then it try 802.1x. I tried that, but when the client connects to the ssid It sends the MAC and is rejected by radius. It doesn't try 802.1x. Have anyone already use this? Here are some articles I found: https://community.cisco.com/t5/wireless/wireless-802-1x-with-mab-as-fallback... Wireless MAB and 802.1X https://community.cisco.com/t5/wireless/cisco-wireless-mab-and-802-1x/td-p/3...
Rodrigo Antunes via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
But we have some IoT devices that don't support 802.1x, is it possible to make them connect to the same SSID with some kind of fallback?
Instead of this we have the IoT devices use a different SSID that beacons as WPA-Personal, but can if we want put them on the same VLAN after authentication. Then we use some vendor-specific tags to give each IoT device its own PSK for WPA2-Personal in our registration database so we don't have a published shared secret out there to be abused. We use Aruba where they call that MPSK, Cisco's term for that is IPSK.
I saw a lot of articles teaching how to do this in ISE. Basically you enable Mac Authentication Bypass in the wireless controller and then it sends the mac to the radius server, if the mac is invalid then it try 802.1x.
If there is not at least a WPA3 OWE setup or everyone has not already entered a PSK into IoT devices, then the traffic won't be encrypted and you'd essentially be running an Open SSID overlayed on your Enterprise SSID. People use d to do that for captured portal registration stuff ISTR. Otherwise, how the clients would even try to use a PSK on an SSID that is beaconing for WPA-Enterprise I don't know how you managed that... (maybe .11u/hotspot?) I don't imagine today's current production batch of IOT has universal support for WPA3, and in either case (OWE or everyone knows the PSK) you are opening yourself up to evil twin attacks without some way of the IOT device ensuring it is indeed talking to your equipment and not someone else's.
I tried that, but when the client connects to the ssid It sends the MAC and is rejected by radius. It doesn't try 802.1x.
I would not expect it to try EAP for a client that does not present EAP, it's more work for the controllers than needed. I would, however, expect the default FreeRADIUS config to figure out that it is not EAP and take the authentication through the control path for whatever method is presented. Set up radmin, run a debug on a client MAC of interest, and see what sections the control flows through. Then you'll see where you may need to activate modules to handle the auth or provide additional configuration to, e.g. if it says "no Auth-Type configured for PAP" you'd know you are missing PAP configuration. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Like I said in the earlier email we need the IoT devices to connect in the same SSID, is this doable in freeradius or not? I have thought that if this is doable with ISE it could be doable with freeradius. I know this is doable in wired dot1x with mab, for devices that dont support dot1x the switch sends the mac fo freeradius and it allows the connection. Em quarta-feira, 16 de julho de 2025 às 16:17:11 BRT, Brian Julin <bjulin@clarku.edu> escreveu: Rodrigo Antunes via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
But we have some IoT devices that don't support 802.1x, is it possible to make them connect to the same SSID with some kind of fallback?
Instead of this we have the IoT devices use a different SSID that beacons as WPA-Personal, but can if we want put them on the same VLAN after authentication. Then we use some vendor-specific tags to give each IoT device its own PSK for WPA2-Personal in our registration database so we don't have a published shared secret out there to be abused. We use Aruba where they call that MPSK, Cisco's term for that is IPSK.
I saw a lot of articles teaching how to do this in ISE. Basically you enable Mac Authentication Bypass in the wireless controller and then it sends the mac to the radius server, if the mac is invalid then it try 802.1x.
If there is not at least a WPA3 OWE setup or everyone has not already entered a PSK into IoT devices, then the traffic won't be encrypted and you'd essentially be running an Open SSID overlayed on your Enterprise SSID. People use d to do that for captured portal registration stuff ISTR. Otherwise, how the clients would even try to use a PSK on an SSID that is beaconing for WPA-Enterprise I don't know how you managed that... (maybe .11u/hotspot?) I don't imagine today's current production batch of IOT has universal support for WPA3, and in either case (OWE or everyone knows the PSK) you are opening yourself up to evil twin attacks without some way of the IOT device ensuring it is indeed talking to your equipment and not someone else's.
I tried that, but when the client connects to the ssid It sends the MAC and is rejected by radius. It doesn't try 802.1x.
I would not expect it to try EAP for a client that does not present EAP, it's more work for the controllers than needed. I would, however, expect the default FreeRADIUS config to figure out that it is not EAP and take the authentication through the control path for whatever method is presented. Set up radmin, run a debug on a client MAC of interest, and see what sections the control flows through. Then you'll see where you may need to activate modules to handle the auth or provide additional configuration to, e.g. if it says "no Auth-Type configured for PAP" you'd know you are missing PAP configuration. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jul 17, 2025, at 8:01 AM, Rodrigo Antunes via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Like I said in the earlier email we need the IoT devices to connect in the same SSID, is this doable in freeradius or not?
As I said, not on WiFi.
I have thought that if this is doable with ISE it could be doable with freeradius.
If the underlying protocols support it, yes. Find an ISE page which says that it can do this for WiFi.
I know this is doable in wired dot1x with mab, for devices that dont support dot1x the switch sends the mac fo freeradius and it allows the connection.
As I said, it is doable in wired 802.1X. If you ask the same question multiple times, the answers won't change. Alan DeKok.
On Jul 16, 2025, at 12:37 PM, Rodrigo Antunes via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hello, I use EAP to authenticate wireless clients that support 802.1x. But we have some IoT devices that don't support 802.1x, is it possible to make them connect to the same SSID with some kind of fallback?
Pretty much, no. An SSID either does 802.1X, or is open / PSK. It can't do 802.1X and be open.
I saw a lot of articles teaching how to do this in ISE.
For wired. Not for WiFi.
Basically you enable Mac Authentication Bypass in the wireless controller and then it sends the mac to the radius server, if the mac is invalid then it try 802.1x. I tried that, but when the client connects to the ssid It sends the MAC and is rejected by radius.
If only there was some kind of debug output you could read. Oh well. Alan DeKok.
For wired. Not for WiFi.
I think in these both articles they acomplished this in wifi. "If you have both, MAC Filter and 802.1x it will always send both requests to ISE. It will send the mac address first so you have a few options: 1. Perform MAB and if it is valid do not perform 802.1x. (i.e a Printer) 2. Perform MAB and it if is NOT VALID, perform 802.1x. (i.e a domain computer) 3. You can do as Sandeep said to perform both MAB and 802.1x and force both to pass. You need make sure that under your Authentication policy for Wireless-MAB you select the "Continue" option for "if the user does not exist". Otherwise you'll get an access-reject for the MAB and won't get to the 802.1x authentication." https://community.cisco.com/t5/wireless/cisco-wireless-mab-and-802-1x/td-p/3... https://community.cisco.com/t5/wireless/ise-2-1-802-1x-and-mac-filtering/td-...
Basically you enable Mac Authentication Bypass in the wireless controller and then it sends the mac to the radius server, if the mac is invalid then it try 802.1x. I tried that, but when the client connects to the ssid It sends the MAC and is rejected by radius.
> If only there was some kind of debug output you could read. Oh well. Well, in the debug I can see exactly what I said, the MAC is rejected, but I don't know how to make it "continue" and try dont1x like in the articles I have cited.
On Jul 17, 2025, at 8:16 AM, Rodrigo Antunes via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I think in these both articles they acomplished this in wifi.
Those articles talk about it doing BOTH Mac auth and 802.1X. For WiFi, you can't use Mac auth to bypass 802.1X.
If only there was some kind of debug output you could read. Oh well.
Well, in the debug I can see exactly what I said, the MAC is rejected, but I don't know how to make it "continue" and try dont1x like in the articles I have cited.
Exactly. It's impossible to skip 802.1X for WiFi, and just do MAC auth. Alan DeKok.
> Those articles talk about it doing BOTH Mac auth and 802.1X. For WiFi, you can't use Mac auth to bypass 802.1X. What is it doing here then? It seems exaclty what I need. "If you have both, MAC Filter and 802.1x it will always send both requests to ISE. It will send the mac address first so you have a few options: 1. Perform MAB and if it is valid do not perform 802.1x. (i.e a Printer) 2. Perform MAB and it if is NOT VALID, perform 802.1x. (i.e a domain computer) 3. You can do as Sandeep said to perform both MAB and 802.1x and force both to pass. You need make sure that under your Authentication policy for Wireless-MAB you select the "Continue" option for "if the user does not exist". Otherwise you'll get an access-reject for the MAB and won't get to the 802.1x authentication."
On Jul 17, 2025, at 9:11 AM, Rodrigo Antunes via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
What is it doing here then? It seems exaclty what I need.
"If you have both, MAC Filter and 802.1x it will always send both requests to ISE.
It will send the mac address first so you have a few options:
1. Perform MAB and if it is valid do not perform 802.1x. (i.e a Printer)
I would be very surprised if that worked on WiFi. It might, but it would be very much not a standard way to do things.
2. Perform MAB and it if is NOT VALID, perform 802.1x. (i.e a domain computer) 3. You can do as Sandeep said to perform both MAB and 802.1x and force both to pass.
You need make sure that under your Authentication policy for Wireless-MAB you select the "Continue" option for "if the user does not exist". Otherwise you'll get an access-reject for the MAB and won't get to the 802.1x authentication."
If the AP does this, great. The only problem, then, is configuring FreeRADIUS. There is documentation on configuring MAC auth, and on how to debug new configurations. So, just do that. Alan DeKok.
Em quinta-feira, 17 de julho de 2025 às 10:25:46 BRT, Alan DeKok <aland@deployingradius.com> escreveu:
I would be very surprised if that worked on WiFi. It might, but it would be very much not a standard way to do things.
Understood, so what would be the best practice to solve this? Use a separate SSID with IPSK? If yes, what configuration I need to to do in freeradius side for this to work?
On Jul 17, 2025, at 10:15 AM, Rodrigo Antunes via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Understood, so what would be the best practice to solve this? Use a separate SSID with IPSK?
See the AP documentation.
If yes, what configuration I need to to do in freeradius side for this to work?
There's already documentation on MAB and EAP. Follow that. Alan DeKok.
Em quinta-feira, 17 de julho de 2025 às 11:23:12 BRT, Alan DeKok <aland@deployingradius.com> escreveu:
See the AP documentation.
But whats the best practice in general? The wireless controller send the MAC as the user and the PSK as the password to freeradius?
There's already documentation on MAB and EAP. Follow that.
I have searched in here and didn't found mention for MAB https://www.freeradius.org/documentation/freeradius-server/3.2.8/ And in here, anything I put in the search returns me a 404. https://wiki.freeradius.org/
On Jul 17, 2025, at 10:48 AM, Rodrigo Antunes <rodrigoaantunes@yahoo.com.br> wrote:
But whats the best practice in general?
The wireless controller send the MAC as the user and the PSK as the password to freeradius?
I have no idea how your AP does MAC auth without 802.1X on an SSID which is configured for 802.1X. As I've said, go read the AP documentation. I don't run your APs. I am not your AP vendor. I can't answer this question. Is that finally clear?
There's already documentation on MAB and EAP. Follow that.
I have searched in here and didn't found mention for MAB
https://www.freeradius.org/documentation/freeradius-server/3.2.8/
And in here, anything I put in the search returns me a 404.
We turned off most of the Wiki due to spam and abuse. But a simple google search yields this page from the Wiki: https://wiki.freeradius.org/guide/Mac-Auth Alan DeKok.
Em quinta-feira, 17 de julho de 2025 às 12:59:28 BRT, Alan DeKok <aland@deployingradius.com> escreveu:
I have no idea how your AP does MAC auth without 802.1X on an SSID which is configured for 802.1X.
As I've said, go read the AP documentation. I don't run your APs. I am not your AP vendor. I can't answer this question.
Is that finally clear?
I think you misunderstood something in the way. In an earlier email I said I understood what you said that it is not possible to authenticate IoT devices that dont support 802.1x in a 802.1x SSID. There is no fallback like there is in wired. So I asked what is the best practice to properly solve the issue where I need to authenticate IoT devices. A separate SSID specificaly for them right? In this new SSID I could use macauth, but macauth only is insecure because mac can be spoofed. An earlier user said something about Cisco IPSK, does someone have an idea how I can configure this in the virtual cisco wireless controller together with freeradius?
On Jul 17, 2025, at 12:56 PM, Rodrigo Antunes via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I think you misunderstood something in the way.
I understood only what you posted. if your comments are unclear, there isn't much I can do about that.
In an earlier email I said I understood what you said that it is not possible to authenticate IoT devices that dont support 802.1x in a 802.1x SSID. There is no fallback like there is in wired.
So I asked what is the best practice to properly solve the issue where I need to authenticate IoT devices.
The question wasn't that, but sure...
A separate SSID specificaly for them right? In this new SSID I could use macauth, but macauth only is insecure because mac can be spoofed.
A separate SSID would work. And yes, MAC auth doesn't add a lot of security, because it can be spoofed.
An earlier user said something about Cisco IPSK, does someone have an idea how I can configure this in the virtual cisco wireless controller together with freeradius?
There's a DPSK module in FreeRADIUS. It has documentation, and is known to work with IPSK. Alan DeKok.
Em quinta-feira, 17 de julho de 2025 às 14:04:23 BRT, Alan DeKok <aland@deployingradius.com> escreveu:
There's a DPSK module in FreeRADIUS. It has documentation, and is known to work with IPSK.
I think I'm not very good in finding the documentation.. Could you send me the link for this?
Without reading all of this, here is some kind of tutorial/pointer to follow: https://goodwi.fi/posts/2023/09/ipsk-no-ise-freeradius/ We just implemented iPSK with freeradius, which is working just fine. You may have to read the documents for your needed freeradius modules (like ldap or sql, whichever you want to do (we used sql)). Best regards On 17.07.25 18:56, Rodrigo Antunes via Freeradius-Users wrote:
An earlier user said something about Cisco IPSK, does someone have an idea how I can configure this in the virtual cisco wireless controller together with freeradius?
Hello, I have managed to implement ipsk with freeradius following the link, but now I stumbled in another problem. I have around 300 IoT devices, its inviable to register each of them. Is there another way that don't depend on mac to solve this? Thanks. Em sexta-feira, 18 de julho de 2025 às 05:06:19 BRT, Dennis Tants <tants@uni-bremen.de> escreveu: Without reading all of this, here is some kind of tutorial/pointer to follow: https://goodwi.fi/posts/2023/09/ipsk-no-ise-freeradius/ We just implemented iPSK with freeradius, which is working just fine. You may have to read the documents for your needed freeradius modules (like ldap or sql, whichever you want to do (we used sql)). Best regards On 17.07.25 18:56, Rodrigo Antunes via Freeradius-Users wrote:
An earlier user said something about Cisco IPSK, does someone have an idea how I can configure this in the virtual cisco wireless controller together with freeradius?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello, I'm not aware of another method, other than MAC based. Well, 802.1X I assume. We provided our users a self-service portal to enter their MAC addresses. Regards On 22.07.25 18:46, Rodrigo Antunes via Freeradius-Users wrote:
Hello, I have managed to implement ipsk with freeradius following the link, but now I stumbled in another problem.
I have around 300 IoT devices, its inviable to register each of them.
Is there another way that don't depend on mac to solve this?
Thanks.
Em sexta-feira, 18 de julho de 2025 às 05:06:19 BRT, Dennis Tants <tants@uni-bremen.de> escreveu:
Without reading all of this, here is some kind of tutorial/pointer to follow: https://goodwi.fi/posts/2023/09/ipsk-no-ise-freeradius/
We just implemented iPSK with freeradius, which is working just fine. You may have to read the documents for your needed freeradius modules (like ldap or sql, whichever you want to do (we used sql)).
Best regards
An earlier user said something about Cisco IPSK, does someone have an idea how I can configure this in the virtual cisco wireless controller together with freeradius?
On 17.07.25 18:56, Rodrigo Antunes via Freeradius-Users wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jul 22, 2025, at 6:46 PM, Rodrigo Antunes via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hello, I have managed to implement ipsk with freeradius following the link, but now I stumbled in another problem.
I have around 300 IoT devices, its inviable to register each of them.
See the comments in mods-available/dpsk. You should cache the MACs and keys in a database. I will update the dpsk module and its sample configuration to make this clearer. The changes will be in 3.2.8.
Is there another way that don't depend on mac to solve this?
No. The MAC is the ONLY way to identify the clients. Alan DeKok.
participants (4)
-
Alan DeKok -
Brian Julin -
Dennis Tants -
Rodrigo Antunes