Mac Auth against LDAP

Nikolaos Milas nmilas at
Fri Aug 23 18:04:00 CEST 2013

On 14/8/2013 2:39 PM, Arran Cudbard-Bell wrote:

>> and in sites-enabled/default:
>> authorize {
>>         preprocess
>>         chap
>>         mschap
>>         digest
>>         suffix
> Do you need all these? Are you ever going to be doing chap/mschap/digest in the outer server?

First, thanks for the reply.

Second, sorry for the late answer but I only now managed to fully test 
the setup.

As for the above methods, they were remnants from the default config, so 
I just left them there (I am a newbie with FreeRadius).

The config now is:

    server macauth {

    authorize {


    if (!ok) {
    else {
    # accept
    update control {
    Auth-Type := Accept

    authenticate {

    Auth-Type LDAP_MACAUTH {

    preacct {

    accounting {

    session {

    post-auth {

    pre-proxy {

    post-proxy {

Tests went fine and I am able to run MAC-Auth successfully on a Cisco 
2960 over FreeRadius with LDAP backend! Thanks FreeRadius people!

I have 3 main virtual servers now: Default, eduroam (with an 
eduroam-inner-tunnel) and macauth, working fine in parallel.

I would like to ask some customization-oriented questions (for MAC-Auth):

 1. Can we somehow limit a host to connect to only a particular port/NAS
    device based on data stored in LDAP attributes (or, respectively, in
    flat files) and reject it otherwise?
 2. Can we assign the client to a particular VLAN based on data stored
    in LDAP attributes (or, respectively, in flat files)?
 3. Can we configure in FreeRadius an auto email to an administrator
    when there is a MAC-auth failure with the associated info (time, MAC
    Address, NAS device, port)?

If the answer to any of the above is yes, any pointers to related docs 
showing how to configure things (FreeRadius, Cisco Switches) would be 

Please advise.

