how to setup MAC based authentication with LDAP

Alan DeKok aland at
Wed Apr 15 15:48:56 CEST 2015

On Apr 15, 2015, at 8:12 AM, Thomas Stather <Thomas.Stather at> wrote:
> I am new to RADIUS and i'd like to know how to setup a mac-based authentication for my clients.

  There's a guide on the Wiki, but your setup is a bit different.

> Here is what i have so far:
> -freeradius 3.0.3
> -/etc/raddb/clients.conf (setupped with the IPs of the NAS devices)
> Now i'm unsure how to configure the mods-enabled/ldap configuration.
> All the hosts are located in an OU named "hosts", the mac-address of each host has the attribute name "macAddress" within the host object (i.e cn=testdevice).

  Figure out which LDAP query will return that macAddress.  Try it with ldapsearch and sample MAC address.  e.g. 00:01:02:03:04:05.

> My virtual server in sites-enabled/macauth looks like this:
>    # now authenticate against LDAP
>    ldap

  You don't want to do that.  The normal LDAP processing is for *users* in LDAP.  I don't think each host has a password and other user attributes in it.  So don't use "ldap".

  Instead, do:

	if (!"%{ldap:QUERY}") {
	update control {
		Auth-Type := Accept

  where QUERY is the LDAP query used to find the mac address.  Use %{Calling-Station-Id} instead of the MAC address from the "ldapsearch" above.

  The only issue here is that this configuration will do ONLY mac auth.  All other authentication methods will fail.  If that's what you want, fine.

  Alan DeKok.

More information about the Freeradius-Users mailing list