Authorise based on Calling Station ID ?

Darren Ward (darrward) darrward at
Tue Mar 11 01:01:11 CET 2014

Hi Guys

One of the internal guys mentioned that the Cisco RADIUS product adds the mac address as an alternate username in the users database when it Authenticates a user (by grabbing the calling-station-id and inserting it as a alternate username)

Is there a way I could similar with FreeRADIUS as this is the preferred platform 


-----Original Message-----
From: Darren Ward (darrward) 
Sent: Tuesday, 11 March 2014 10:21 AM
To: FreeRadius users mailing list
Subject: RE: Authorise based on Calling Station ID ?

Apologies again!

The Wireless Controller (WLC) will send an Accounting Start to the FreeRADIUS with the username and calling-station-id after it successfully Authen's the user

Then traffic for that mac address will be seen by the Policy Manager and it will then go and request an authorize for that mac address from FreeRADIUS

So the authorise will be after the accounting start because they are separate NAS/Client as far as FreeRADIUS is concerned

The WLC access-request username is the username and the ISG username is seen as the mac-address

I'm wondering if there's any way to access the cache or accounting records to try and do the match up?


-----Original Message-----
From: at [ at] On Behalf Of Alan DeKok
Sent: Tuesday, 11 March 2014 8:49 AM
To: FreeRadius users mailing list
Subject: Re: Authorise based on Calling Station ID ?

Darren Ward (darrward) wrote:
> I guess the question is because the accounting files are the only place that contains both the calling-station-id and username how can I write unlang in the authorise that would be able to look up the active session to match the mac address?

  If the Calling-Station-ID and User-Name only appear in accounting messages, then you can't check for them in the authorize section.

> i.e. I would need to parse the accounting files for the mac address 
> and find the matching username then look up the username in the 
> 'users' file to authorise with the appropriate attributes

  That won't work.  Accounting happens AFTER authorization.  You'll need to find another solution.

  Run the server in debugging mode.  Odds are you'll see something useful in the Access-Request.

  Alan DeKok.
List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list