how to setup MAC based authentication with LDAP

Alan DeKok aland at
Thu Apr 16 18:13:16 CEST 2015

On Apr 16, 2015, at 6:22 AM, Thomas Stather <Thomas.Stather at> wrote:
> I tried to set it up but I failed

  Following directions helps.  Reading the debug output helps.

> if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {

  Is that a valid LDAP query?  Probably not.

> radtest f0-1f-af-35-c8-10 f0-1f-af-35-c8-10 10 test123 (the mac address exists in LDAP as f0:1f:af:35:c8:10)

  Which doesn't send a Calling-Station-Id attribute.

> Ready to process requests
> (0) Received Access-Request Id 126 from to length 103
> (0) User-Name = 'f0-1f-af-35-c8-10'
> (0) User-Password = 'f0-1f-af-35-c8-10'
> (0) NAS-IP-Address =
> (0) NAS-Port = 10
> (0) Message-Authenticator = 0x2e1129946169764255df311101b1f418
> (0) # Executing section authorize from file /etc/raddb/sites-enabled/mpimf-macauth

   And there's no Calling-Station-Id in the packet.  How do you expect to use policies based on Calling-Station-Id when it's not in the packet?

  See "man radclient".  Or even read the "radtest" script.  It's a shell script.  You need to *explicitly* add a Calling-Station-Id attribute to the packet.

	Calling-Station-Id = f0-1f-af-35-c8-10

  Read the debug output for packets sent by the NAS.  Use them as a template, and create files which radclient will read.  You will then be sure that your tests match the packets sent by the NAS.

> What have I done wrong?

  I had given detailed instructions in my previous message.  Following them would be a good idea.

> And additionally, how can I define that the LDAP query should only look in the "ou=hosts" on the LDAP server?

  You should write an LDAP query that uses "ou=hosts".

  I told you to write an LDAP query, and test it via "ldapsearch".   You seem to have skipped that step.   Why?

  Alan DeKok.
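An added example (not from the thread or the FreeRADIUS project) that scripts the two checks Alan asks for: an explicit radclient request file that carries Calling-Station-Id, and an ldapsearch whose search base is ou=hosts, with the MAC canonicalised from the NAS form (f0-1f-af-35-c8-10) to the colon form stored in LDAP (f0:1f:af:35:c8:10). The LDAP URI and base DN, the NAS address 192.0.2.1 and the shared secret testing123 are assumed values.

```shell
#!/bin/sh
# Added example, not from the mailing list. Assumed values: LDAP_URI, LDAP_BASE,
# the NAS address 192.0.2.1 and the RADIUS shared secret "testing123".
LDAP_URI='ldap://ldap.example.org'
LDAP_BASE='dc=example,dc=org'

# The NAS sends the MAC as f0-1f-af-35-c8-10 (or F01F.AF35.C810 on some gear) while
# the directory stores f0:1f:af:35:c8:10, so canonicalise before building the filter.
# Returns 1 unless exactly 12 hex digits remain after stripping separators.
mac_to_ldap() {
    hex=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -cd '0-9a-f')
    [ "${#hex}" -eq 12 ] || return 1
    printf '%s' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# The filter from the original question, with the MAC in the stored form.
ldap_filter() {
    mac=$(mac_to_ldap "$1") || return 1
    printf '(&(objectClass=ieee802Device)(macAddress=%s))' "$mac"
}

# The step Alan asks for first: prove the query works outside FreeRADIUS.
# Setting the search base to ou=hosts is what scopes the lookup to that OU.
# Returns 0 if at least one entry matches, 1 otherwise.
check_host_in_ldap() {
    ldapsearch -x -LLL -H "$LDAP_URI" -b "ou=hosts,$LDAP_BASE" \
        "$(ldap_filter "$1")" dn | grep -q '^dn:'
}

# Explicit request file for radclient, modelled on the NAS packet in the debug
# output. radtest never adds Calling-Station-Id, so it is written here.
# Message-Authenticator = 0x00 tells radclient to compute the real value.
write_radclient_request() {   # $1 = MAC as the NAS sends it, $2 = output file
    cat > "$2" <<EOF
User-Name = "$1"
User-Password = "$1"
Calling-Station-Id = "$1"
NAS-IP-Address = 192.0.2.1
NAS-Port = 10
Message-Authenticator = 0x00
EOF
}

# Usage: write_radclient_request f0-1f-af-35-c8-10 /tmp/macauth.req
#        radclient -x -f /tmp/macauth.req 127.0.0.1 auth testing123
```

Run check_host_in_ldap with the MAC first; if ldapsearch returns no entry, the FreeRADIUS policy cannot match either, whatever the unlang looks like.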
