how to setup MAC based authentication with LDAP

Brendan Kearney bpk678 at
Tue Apr 21 23:00:18 CEST 2015

On Fri, 2015-04-17 at 15:19 +0000, Stefan Paetow wrote:
> > I googled for radtest and Calling-Station-Id and found a Ubuntu man page
> > that had -g for it.  I know sometimes distros have different functions in
> Ahh, this one: 
> - This is provided by yardradius, not FreeRADIUS. 
> FreeRADIUS ships with a radtest utility of its own.
> Stefan Paetow
> Moonshot Industry & Research Liaison Coordinator
> t: +44 (0)1235 822 125
> gpg: 0x3FCE5142
> xmpp: stefanp at
> skype: stefan.paetow.janet
> Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
> Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
> Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
> -
> List info/subscribe/unsubscribe? See

so, some success and some more confusion.

i have a virtual server
configured, /etc/raddb/sites-available/mac-auth-bypass.  when i link
that file into /etc/raddb/sites-enabled and run radiusd -X, i am able to
do some rudimentary Mac Auth Bypassing.  if the mac is in the directory,
the access is granted.  but i need clarification around a couple of

first, i am trying to have the directory reply with some items for VLAN
assignment.  the below attributes are set for the mac i am testing with:

radiusservicetype: Framed-User
radiustunnelmediumtype: IEEE-802
radiustunnelprivategroupid: 1
radiustunneltype: VLAN

i can only assume that because of the rudimentary state of my virtual
server, the items are not being acted upon or given out by the virtual
server.  a plain ldapsearch returns these items.  i assume there is a
piece i am missing, to have this done.  where do i find more about what
piece i am missing?

second, when the virtual server is enabled, the authentication that i do
to log into a switch does not work.  if i disable the virtual server the
auth works again.  how do i setup things so that both user auth and mac
auth bypass work at the same time?

mac-auth-bypass virtual server:

server mac-auth-bypass {

listen {
	ipaddr = *
	port = 0
	type = auth

listen {
	ipaddr = *
	port = 0
	type = acct

authorize {
	if (EAP-Message) {
		#use colons (:), not dashes(-), for ldap lookups
		if ("%{ldap:ldap:///ou=DHCP\ SubClasses,cn=DHCP\
%{Calling-Station-Id}))}") {
			# in the future, assign to VLAN_Y
			update control {
				Auth-Type := Accept
		else {
			# in the future, assign to VLAN_Z
			update control {
				Auth-Type := Reject
	else {
		# in the future, 802.1x stuff
		update control {
			control:Auth-Type := ldap
			#Auth-Type := Reject

authenticate {
	Auth-Type ldap {


my switch (cisco sg500) will identify that a client does not support .1x
and will provide the mac address as the username and password in an EAP
message.  because it is an EAP message, i can leverage the
Calling-Station-Id attribute, and distinguish user auth vs. mac auth
bypass with the "if (EAP-Message)" statement.

i assume the mods-available/ldap file is not appropriate for this logic,
as i tried to add an authorize section to it and i got an error saying
that was not an appropriate place for an "if" statement.

ultimately, i am looking to have user auth, mac auth bypass and full .1x
work side-by-side-by-side, and this is an interim step.  i am not sure
how to get user auth and mac auth bypass working at the same time, when
both are intended to use ldap for lookups.

any pointers are appreciated.


More information about the Freeradius-Users mailing list