Wildcards in Username and Passwd
Dennis Skinner
dskinner at bluefrog.com
Wed May 10 22:53:44 CEST 2006

Jason Montgomery wrote:
> Hello, I have a customer who would like to have 100% MAC address lock
> down on their network. To do that we are able to have the Ethernet
> switches send the device MAC address as the username and password to the
> RADIUS server. The question I have is: on the RADIUS server, is it
> possible to set a wildcard so that any device showing “00-E0-BB” as the
> MAC address prefix will automatically be accepted? Then I can throw the
> usual variables back at the port. If this is possible then I can avoid
> having to enter 300 devices into the RADIUS table.

This may give you some ideas:
http://wiki.freeradius.org/index.php/Adding%2C_Removing%2C_Modifying_Attributes_for_further_processing

But I should warn you that anyone wanting to break into your
customer's network can sneeze and have a machine fake a MAC address.
Hell, some Cisco equipment even has a built-in command to do it (handy
for replacing/upgrading routers without messing up local ARP tables).
Hopefully there is some other form of authentication.
--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
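
The prefix rule asked about in this thread, modelled as an added Python example (not part of the original message and not FreeRADIUS code): it normalizes the MAC formats switches commonly send, requires the password to repeat the MAC, and matches the OUI only at the start of the address. The function names and the allow-list are hypothetical; a match identifies the claimed vendor prefix only and does nothing about the spoofing caveat in the reply.

```python
import re

# Constructed policy for this example: OUIs (first three octets) to accept.
ALLOWED_OUIS = {"00E0BB"}

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(value):
    """Return the MAC as 12 upper-case hex digits, or None if it is not one.

    Switches differ in how they format the MAC sent as User-Name, e.g.
    00-E0-BB-01-02-03, 00:e0:bb:01:02:03, 00e0.bb01.0203 or 00e0bb010203.
    """
    if not isinstance(value, str):
        return None
    stripped = re.sub(r"[-:.]", "", value.strip()).upper()
    return stripped if _HEX12.match(stripped) else None


def authorize(user_name, password):
    """Return (decision, reason) for a MAC-as-username-and-password request."""
    mac = normalize_mac(user_name)
    if mac is None:
        return ("Reject", "User-Name is not a MAC address")
    if normalize_mac(password) != mac:
        return ("Reject", "password does not repeat the MAC")
    # Compare the first three octets only, so a prefix value appearing
    # later in the address (AA-00-E0-BB-...) can never match.
    if mac[:6] not in ALLOWED_OUIS:
        return ("Reject", "OUI %s is not in the allow-list" % mac[:6])
    return ("Accept", "OUI %s matched" % mac[:6])


if __name__ == "__main__":
    # Constructed sample requests (User-Name, User-Password).
    samples = [
        ("00-E0-BB-01-02-03", "00-E0-BB-01-02-03"),
        ("00e0.bb01.0203", "00e0bb010203"),
        ("AA-00-E0-BB-01-02", "AA-00-E0-BB-01-02"),
        ("00-E0-BB-01-02-03", "not-the-mac"),
    ]
    for user, pw in samples:
        print(user, "->", authorize(user, pw))
```
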
More information about the Freeradius-Users
mailing list