Authorize with SQL and not authenticate

Tom Yard tomyyard at
Wed Jul 4 18:22:05 CEST 2018

Dear Alan, thanks for your response.

Now I have NTLM _AUTH with MSCHAP in Freeradius, and I can see I have
enabled PAP autheentication and authorization too (in default and
inner-tunnel files).

Please can you tell me where I have to force PAP from the user side in ordr
to just authorize the hosts? Users are logged into a host and after that
the switch sends the MAC Address' host to the Freeradius server.

Thanks again!!!

2018-07-04 12:47 GMT-03:00 Alan DeKok <aland at>:

> On Jul 4, 2018, at 11:45 AM, Tom Yard <tomyyard at> wrote:
> >
> > I've just have a default file with a LDAP + SQL queries for user
> > authorization, and NTLM for user authentication.
> >
> > Also I want to just authorize hosts sending its MAC Addresses as its
> > usernames according to a SQL query matching a Mac Address table, but I
> > don't want to authenticate them because the Active Directory doesn't
> > contain MAC Addresses as usernames.
>   Sure.  But only if the user is doing PAP.  It won't work for MS-CHAP,
> because each end authenticates the other.  And both ends need the password.
> > Is it possible just authorize with Freeradius and so let hosts to access
> > the LAN network ?
>   Yes.
>   The question then is, what do MAC auth packets look like?
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> list/users.html

More information about the Freeradius-Users mailing list