FreeRadius PAP authentication for Non-EAPOL clients on Avaya 5500 switch.

Alan DeKok aland at
Sat Feb 28 14:48:57 CET 2015

On Feb 25, 2015, at 7:39 PM, jan hugo prins <jhp at> wrote:
> But I also need to accommodate telephones and printers and they don't do
> EAP themselves. To work around this, the switches we use have an option
> to configure the switch in such a way that it creates a radius access
> request based on the MAC address of the client, it's own IP address and
> the port the client is connected to.

  That’s a stupid idea.  But I’m not surprised.  Vendors are often bad at RADIUS.

> This sounds like a simple setup, just add some users with plaintext
> passwords and start the authentication process. But the problem is that
> this fails, and it looks like the switch is sending 2 exactly the same
> authentication requests short after another, and the first one succeeds,
> but the second one fails.

  No.  The User-Names are different.  Reading the debug log carefully is important.

  Also, you should fix your LDAP infrastructure.  The server is getting redirected to 3-4 different LDAP servers.  That’s slow and inefficient.

> I also see this when I ping the host, I
> receive one reply and after that the port is closed again.
> Could someone tell me if I have something wrong in my config?

  You need to add the second User-Name to the users file.  The first one ends with “20”.  The second with “22”.

  Alan DeKok.

More information about the Freeradius-Users mailing list