MAc-Auth with EAP

Tunde Ogedengbe tunde at
Fri Feb 8 13:52:28 CET 2013

I am setting up our Freeradius to do authentication for MAC address for
windows PC.  This is to enable PCs to connect to the AD to access Domain
information just before Windows User Logon Screen.   The PC is already
connected to a Cisco switch port which has been configured 802.1x.

I have stored list of authorized MAC addresses in a file called
authorized_macs in Freeradius confdir.   I have also set up appropriate
commands in Authorize and Authentication sections of sites-enabled/default
file for authorization and authentication.  I can see from the log that the
MAC addresses is checked and OK.  But there is an [eap] returns reject just
after the mac address was successfully checked.  I guess I need a way to
get radius to force an EAP accept after successful checking of the MAC

Below is my Auth-Type statement which gets the system to do MAC address
checking for PCs connecting with the hint “thehive”.  The else statement is
to cause all other requests to requests to be processed normally using
mschap_ad (which is a function that calls ntlm_auth).

Auth-Type MS-CHAP {

               if ( Hint == "validmac") {


                        update control {

                                    Auth-Type := Accept



                else {




Below is the extract of the log highlighting  successful mac address
checking but still returned [eap] returns reject

# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/mschapv2

[eap] processing type mschapv2

[mschapv2] # Executing group from file

[mschapv2] +- entering group MS-CHAP {...}

[mschapv2] ++? if (outer.Hint == "validmac")

[mschapv2] ? Evaluating (outer.Hint == "validmac") -> TRUE

[mschapv2] ++? if (outer.Hint == "validmac") -> TRUE

[mschapv2] ++- entering if (outer.Hint == "validmac") {...}

[authorized_macs]       expand: %{Calling-Station-ID} -> 00-1a-a0-b8-3b-73

+++[authorized_macs] returns noop

++- if (outer.Hint == "thehive") returns noop

++ ... skipping else for request 14: Preceding "if" was taken

[eap] Freeing handler

++[eap] returns reject

Failed to authenticate the user.

Login incorrect: [host/] (from client port 50242 cli 00-1a-a0-b8-3b-73 via TLS tunnel)

} # server inner-tunnel

[peap] Got tunneled reply code 3

        EAP-Message = 0x04080004

        Message-Authenticator = 0x00000000000000000000000000000000

[peap] Got tunneled reply RADIUS code 3

        EAP-Message = 0x04080004

        Message-Authenticator = 0x00000000000000000000000000000000

[peap] Tunneled authentication was rejected.

'Tunde Ogedengbe

"But thanks be to God, who gives me the VICTORY through my Lord Jesus
CHRIST" - 1 Corinthians 15:57
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list