Mac based auth

Alan DeKok aland at deployingradius.com
Mon Nov 27 04:59:59 CET 2006


jonr at destar.net wrote:
>
> I want to use mac address based authentication with WPA+PEAP. I have finally
> figured out how to get my Wireless laptop to connect and get a DHCP address
> through freeradius using the certificates created with openssl using the CA.all
> script.

  Almost.  FreeRADIUS doesn't do DHCP.

> How do I validate a user by mac address so that the user's mac would be their
> username?
> 
> What is the format of the MAC in the 'users' file? I have seen it as
> 01020304-0a020304 or something similar, is that correct?

  The format is whatever format the NAS sends in the User-Name attribute.

> Does anybody have a good suggestion on how to get the root.der cert to the
> client if they can't connect to the AP until they get authenticated, and they
> can't get authenticated until they have the cert.

  The customer walks the machine into your office.  :)

  The alternative is to have a different SSID on the access point, that
doesn't require authentication.  Have it allow anyone on its network (a
private IP range), and have no routes to the external world.  Then, set
up a web page there that allows them to download the certificate.

> And finally, is there some sort of session management so that only one matching
> mac can be on at one time?

  doc/Simultaneous-Use

> Sorry if these are lame questions but I am completely lost at this and am
> reaching out for help.

  The questions are basic, but you've given enough detail of what you
see and what you want to do that it's easy to respond.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
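
Added example, not part of the original message and not FreeRADIUS code: because the NAS decides how the MAC appears in User-Name, this Python helper reduces the common layouts to one canonical form for comparison against a list of known devices, and renders a MAC back into a given NAS's layout. The function names, the KNOWN set and the sample values are constructed for illustration.

```python
import re

_SEPARATORS = re.compile(r"[:.\-]")
_HEX12 = re.compile(r"[0-9a-f]{12}")


def canonical_mac(user_name):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    s = user_name.strip().lower()
    # A NAS uses one separator style throughout; mixed separators are rejected.
    if len(set(_SEPARATORS.findall(s))) > 1:
        return None
    groups = _SEPARATORS.split(s)
    # Regular layouts only: 1x12, 2x6, 3x4 or 6x2 hex digits.
    if len(groups) not in (1, 2, 3, 6) or len({len(g) for g in groups}) != 1:
        return None
    joined = "".join(groups)
    return joined if _HEX12.fullmatch(joined) else None


def render(mac12, sep="-", group=2, upper=False):
    """Render a canonical MAC in the layout a particular NAS sends."""
    text = sep.join(mac12[i:i + group] for i in range(0, 12, group))
    return text.upper() if upper else text


def is_known(user_name, known):
    """True if User-Name is a MAC whose canonical form is in the known set."""
    mac = canonical_mac(user_name)
    return mac is not None and mac in known


# Constructed sample data: one device, as different NAS models might send it,
# plus an ordinary login name that must not be treated as a MAC.
KNOWN = {"001122aabbcc"}
SAMPLES = ["00-11-22-AA-BB-CC", "00:11:22:aa:bb:cc", "0011.22aa.bbcc",
           "001122aabbcc", "001122-AABBCC", "jonr"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:22} -> {canonical_mac(name)}  known={is_known(name, KNOWN)}")
```
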


