how to setup MAC based authentication with LDAP

brendan kearney bpk678 at
Wed Apr 22 03:40:51 CEST 2015

Because I authenticate my users against kerberos, not ldap.  A principal
and an ldap object all for MAB seems excessive to me.

I also see that as an unnecessary duplication of data in the directory.  I
have the mac addresses as past of a couple of object classes and dont need
more than one "copy" of the data.
On Apr 21, 2015 9:23 PM, "Ben Humpert" <ben at> wrote:

> 2015-04-21 23:00 GMT+02:00 Brendan Kearney <bpk678 at>:
> > my switch (cisco sg500) will identify that a client does not support .1x
> > and will provide the mac address as the username and password in an EAP
> > message.  because it is an EAP message, i can leverage the
> > Calling-Station-Id attribute, and distinguish user auth vs. mac auth
> > bypass with the "if (EAP-Message)" statement.
> So the only difference between a user/pass access-request package and
> one for mac bypass is just that the mac bypass contains the mac
> address as the username and password? If so, why don't you add a
> "user" for these mac addresses into your ldap just like you did with
> real users?
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list