Plain Mac-Auth - server accepts but client does not connect

Adam Bishop Adam.Bishop at jisc.ac.uk
Tue Jan 12 22:56:20 CET 2016


On 12 Jan 2016, at 21:29, Munroe Sollog <mus3 at lehigh.edu> wrote:
> That means that FreeRADIUS can't be used at all to allow devices that don't support EAP (smart
> TVs, wireless sensors, etc.) to join any SSID? Is the wiki wrong or am I missing the clarification
> in the documentation?

There are no such devices. Wireless 802.1x *requires* the supplicant to support EAP. If a wireless client claims to support wireless dot1x but not EAP, then it's some invented proprietary supplicant and you'll need to ask the vendor what tricks need to be done to make it work.

If you read the manual for your Aruba gear fully, you'll see that MAC auth runs alongside dot1x for wireless clients, not instead of. Your options are:

 * require MAC auth AND dot1x
 * require dot1x only
 * require dot1x with optional MAC auth (l2 fallthrough)

MAC only is only supported by wired ports.

> TL;DR, the NAS generates an EAP-MD5 packet with the MAC address as the username and password.

That is how *wired* MAC auth works. The device in the thread is a Cisco Ethernet switch.

Regards,

Adam Bishop

  gpg: 0x6609D460

More information about the Freeradius-Users mailing list