EAP authentication and DHCP

Hernán Freschi hjf at hjf.com.ar
Sun Sep 27 08:00:53 CEST 2015

OK, it's 3 AM, but I've found a way to store the inner auth id
(username) and the outer request's MAC:

post-auth {
        if (!request:Calling-Station-Id ) {
                update request {
                        Calling-Station-Id =

What this does is: if Calling-Station-Id is missing (at least with my
NAS it is), then copy it from the outer request. Then log to SQL.

This also avoids logging anonymous requests (otherwise for each auth
request two records are generated).

Now I would like to know if this looks like it will work.


On Sun, Sep 27, 2015 at 2:15 AM, Hernán Freschi <hjf at hjf.com.ar> wrote:
> I would like to authenticate WiFi users with EAP and assign an IP address
> based on their username.
> I realize this is a two step process: first, the user must be authenticated
> with EAP. Once this is done, the user will request an IP address via DHCP.
> But there is no connection between the EAP username, and the client's MAC
> address which EAP uses.
> With EAP, the MAC address is the Calling-Station-ID for the Anonymous
> identity. The tunneled identity has no ID.
> Is it possible to use the post-auth section to log both username and MAC, so
> the DHCP module can look up the username from MAC address, and assign the
> address from the right pool? By default the post-auth module writes two
> records to the radpostauth table: one, from the anonymous identity with the
> Calling-Station-ID set to the MAC address, and another, for the tunneled
> identity, with an empty calling ID.
> Thanks,
> Hernan
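
The DHCP-side lookup asked about in the quoted question, as an added example that is not part of the post or of FreeRADIUS. It assumes the post-auth SQL logging stores username, MAC and time in one row; the `callingstationid` column, the epoch-seconds `authdate`, the function names and the sample rows are all constructed for illustration.

```python
import re
import sqlite3

def norm_mac(value):
    """Reduce common MAC notations to 12 lowercase hex digits, else None."""
    compact = re.sub(r"[-:.\s]", "", value or "")
    return compact.lower() if re.fullmatch(r"[0-9A-Fa-f]{12}", compact) else None

def username_for_mac(db, mac, max_age_s, now):
    """Return the user of the newest Access-Accept for this MAC, or None.

    A NAS may send Calling-Station-Id as AA-BB-CC-DD-EE-FF while the DHCP
    side sees aa:bb:cc:dd:ee:ff, so both sides are normalised first.
    The MAC is client-asserted, so a binding older than max_age_s is ignored.
    """
    wanted = norm_mac(mac)
    if wanted is None:
        return None
    rows = db.execute(
        "SELECT username, callingstationid, authdate FROM radpostauth "
        "WHERE reply = 'Access-Accept' ORDER BY authdate DESC")
    for username, csid, authdate in rows:
        if norm_mac(csid) != wanted:
            continue  # other client, or a row logged with an empty MAC
        return username if now - authdate <= max_age_s else None
    return None

def build_sample_db():
    """In-memory table with constructed rows (assumed column layout)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radpostauth (username TEXT, "
               "callingstationid TEXT, reply TEXT, authdate INTEGER)")
    db.executemany("INSERT INTO radpostauth VALUES (?, ?, ?, ?)", [
        ("alice", "AA-BB-CC-DD-EE-01", "Access-Accept", 1000),
        ("bob",   "aa:bb:cc:dd:ee:02", "Access-Accept", 1010),
        ("carol", "AA-BB-CC-DD-EE-01", "Access-Reject", 1020),
        ("alice", "",                  "Access-Accept", 1030),  # no MAC logged
        ("dave",  "AABB.CCDD.EE01",    "Access-Accept", 1040),
    ])
    return db

if __name__ == "__main__":
    db = build_sample_db()
    for mac in ("aa:bb:cc:dd:ee:01", "AA-BB-CC-DD-EE-02", "aa:bb:cc:dd:ee:99"):
        print(mac, "->", username_for_mac(db, mac, max_age_s=3600, now=1100))
```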
