[EXTERNAL] Mac authentication

Brian Julin BJulin at clarku.edu
Thu Feb 28 17:46:47 CET 2019

Luc Paulin <paulinster at gmail.com> wrote:

> Most likely there's somehing I miss, but would that be something possible
> to assign vlan  199 to mac address ABCDEF  and vlan 201 to mac address

Most NAS equipment these days will obey the standard attributes.  You need
to do an update on the reply packet to add them in a post-auth section.
Since you are running dot1x as well you will have to do a:

&Post-Auth-Type = MAB

...or something like that in the authorize section when you detect a mac-auth,
Then in post-auth only those hosts will execute statements in a corresponding
Post-Auth-Type subsection.  (There might already be sensible values left in
Post-Auth-Type by the default configuration and built-in module behavior.)

Post-Auth-Type MAB {
    update reply {
        Tunnel-Type := "VLAN", 
         Tunnel-Medium-Type := "IEEE-802", 
        Tunnel-Private-Group-id := "1001" 

...some NAS hardware will take locally defined VLAN names in Tunnel-Private-Group-Id ,
others will only take numbers, some with take either.  The first two attributes should
be left as is and are required by many NAS systems (per the standard.)

NAS units will send the MAC address in an astounding variety of different formats.  Some
let you control the format with local settings, others may not be so flexible.  Normalize it by
defining some policies similar to this (look in the default configuration there may be some

policy {
   # this will match almost all formats I have seen without being overly liberal (if used with /i flag)
   mac-addr-regexp = '([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})'

   csid_into_control {
    if ("%{%{Calling-Station-Id}:-%{User-Name}}" =~ /^${policy.mac-addr-regexp}$/i) {
      update control {
        &Calling-Station-Id := "%{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}"

This normalizes the mac address into uppercase 5-colons form and puts that in
the (unused) Calling-Station-Id attribute in the control attribute list, leaving the
Calling-Station-Id in the request/reply attribute lists untouched.

...then in the above post-auth section, invoke that policy and compare the
MAC address OUI to values you care about and add the VLAN attributes if
it matches.

if (&control:Calling-Station-Id =~ /^(AB:CD:EF|DE:AD:BE:EF)/) {
   update reply {
      # as above.

...you can also get fancier and retrive OUIs from a database or something
but that's the basics.

More information about the Freeradius-Users mailing list