FreeRadius MAC address authorization (no authentication)

Ramot Lubis ramot.lubis at
Mon Aug 11 05:43:55 CEST 2008

I guess, Windows XP client has been able to communicate (EAP problem
has been fixed) according to the following log. However, the client
has not been authenticated because of username and password problem,
but its OK since my purpose is to authenticate based on client MAC
address rather than username/password.

My question is how can I configure FreeRadius to authenticate client
based on MAC address? Is there in possibility to use "unlang", if so
how can I use unlang to authenticate client MAC address.

thanks in advance.

++[logintime] returns noop
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: NT Domain delimeter found, should we have enabled
  rlm_mschap: Told to do MS-CHAPv2 for PIDEL-3C5B30E9C\Administrator
with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
  rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
++[eap] returns handled
Sending Access-Challenge of id 52 to port 1027
        EAP-Message =
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x5e8a10c0598209f9d72120367b73e4be
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host port 1027, id=53, length=221
        User-Name = "PIDEL-3C5B30E9C\\Administrator"
        NAS-IP-Address =
        NAS-Port = 0
        Called-Station-Id = "00-1E-E5-9D-61-85:DEL_LR1"
        Calling-Station-Id = "00-21-00-0B-68-E3"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message =
        State = 0x5e8a10c0598209f9d72120367b73e4be
        Message-Authenticator = 0xaa9d67c2641d1c6281c0b7e1dcff3aec
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "PIDEL-3C5B30E9C\Administrator",
looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 8 length 38
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in
this session.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> PIDEL-3C5B30E9C\Administrator
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 53 to port 1027
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 8.
Going to the next request

On Sun, Aug 10, 2008 at 2:20 PM, Alan DeKok <aland at> wrote:
> Ramot Lubis wrote:
>> 1. Creating production certificate as described in
>> 2. update hotfix as described in
>> 3. Install certificate ca.der into Windows client. Use the new
>> installed certificate in client when using PEAP from client.
>  For instructions on debugging the client side, see:
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list