Dynamic VLAN with 802.1X and MAC address

Brian Julin BJulin at clarku.edu
Tue Mar 20 18:44:28 CET 2018

Yaël Rozanes <irozanes387 at hotmail.fr>:

> I think I understand what you recommend. For now I authenticate my supplicant with an ID/password pair (that I get from an LDAP server) in EAP-TTLS, but I would have liked to do the same with only the MAC address, using for example a MySQL database.

Ah, this is different from what I understood.  If you are using EAP-TTLS to do this, your supplicant will still have to do some sort of inner authentication.  For example, you could use a hard-coded Clear-Text-Password on the FreeRADIUS side for all hosts and set your supplicants all to use that password, and then use the Calling-Station-Id for authentication and authorization decisions.  This is fairly weak from a security standpoint, but doable.  Normal practice is to use a real password and use the Calling-Station-Id only for authorization purposes.

> If I understand correctly, you advise me to use another field of my LDAP which would contain my MAC address and to link it to the attribute "Calling-Station-Id"?

Should work, but you may have to write unlang statements to do what you want with the attribute.  You would not necessarily want to map the LDAP attribute to Calling-Station-Id... that attribute should already be there in the request, provided by the NAS.  Just grab the MAC from LDAP into any old attribute and compare them in unlang.
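As an added illustration of the approach described in this reply (this is not code from the thread and not a stock FreeRADIUS configuration), here is one way to wire it up in FreeRADIUS 3.0.x unlang: pull the MAC from LDAP into a scratch control attribute, canonicalize the NAS-supplied Calling-Station-Id, compare the two, and only then hand out the VLAN. The LDAP attribute name `macAddress`, the assumption that it is stored in `AA-BB-CC-DD-EE-FF` form, the use of `Tmp-String-0` as the scratch attribute, and the VLAN ID `100` are all assumptions made for the example.

```unlang
# --- mods-available/ldap, inside the ldap module's "update { ... }" section ---
# Map the (assumed) LDAP attribute macAddress into a scratch control attribute.
# The request's own Calling-Station-Id is left untouched: it comes from the NAS.
update {
	control:Password-With-Header	+= 'userPassword'
	control:Tmp-String-0		:= 'macAddress'
}

# --- sites-available/inner-tunnel, "authorize" section, placed after "ldap" ---
# For EAP-TTLS the comparison has to happen in the inner tunnel, where the
# inner identity is known. The outer Calling-Station-Id only reaches the inner
# request when copy_request_to_tunnel = yes in the ttls { } block of
# mods-available/eap.

# Stock policy from policy.d/canonicalization: rewrites any common NAS format
# (00:11:22:33:44:55, 0011.2233.4455, 00-11-22-33-44-55, ...) to AA-BB-CC-DD-EE-FF.
rewrite_calling_station_id

if (!&control:Tmp-String-0) {
	# Account exists but has no MAC on record: deny rather than fall open.
	update reply {
		&Reply-Message := "No MAC address registered for this account"
	}
	reject
}
elsif (&Calling-Station-Id != "%{toupper:%{control:Tmp-String-0}}") {
	# MAC presented by the NAS does not match the one on record for this user.
	# Calling-Station-Id is trivially spoofable, so this is an authorization
	# hint on top of the real (password) authentication, not a second factor.
	update reply {
		&Reply-Message := "Device not registered for this account"
	}
	reject
}
else {
	# Binding OK: assign the dynamic VLAN (assumed VLAN ID 100).
	update reply {
		&Tunnel-Type			:= VLAN
		&Tunnel-Medium-Type		:= IEEE-802
		&Tunnel-Private-Group-Id	:= "100"
	}
}
```

Note that `rewrite_calling_station_id` already upper-cases the request side, so only the LDAP value is passed through `%{toupper:...}`; if the MAC in LDAP is stored with colons or dots instead of hyphens, it must be normalized the same way (for instance with the same regular expression the stock policy uses) before the comparison, or every device will be rejected. Run `radiusd -X` and watch for the `rewrite_calling_station_id` and `if` debug lines to confirm which branch a test client takes.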

