dot1x, MAB and EAP-TLS/PEAP with Freeradius

Matthew Newton mcn at
Thu Sep 8 13:15:05 UTC 2022

On 08/09/2022 11:08, Vieri Di Paola wrote:
> On Wed, Sep 7, 2022 at 3:42 PM Alan DeKok <aland at> wrote:
>>    Then, write "unlang" rules to match the MAB packets (but not the 802.1X packets!).  Something like:
> The only thing I found that could identify the packet as being MAB
> (well, Cisco's MAB implementation) is:
> Cisco-AVPair = "method=mab"
> It seems to always be in 3rd position, but I don't know if this is reliable.

You can enable "with_cisco_vsa_hack" in the preprocess module and add a 
new local attribute "method" in /etc/raddb/dictionary. Then the 
preprocess module will convert the fake Cisco AVpair attribute into a 
real one. Makes things easier.

Other usual checks for MAB are that there is no EAP-Message attribute, 
User-Name and User-Password are identical, and both are a MAC address 

> This seems to work fine for me:
> if ("%{request:Cisco-AVPair[2]}" == "method=mab" && !EAP-Message)  -> TRUE

Use the preprocess hack and you should then be able to do

   if (&method == "mab" && !EAP-Message) {

> I don't know if I should also check for the presence of
> "service-type=Call Check".

Doubt it, if you can work out what's going on from other attributes.

> So anyway, I can set the following condition in authorize and "accept"
> without filtering:
> if ("%{request:Cisco-AVPair[*]}" =~ /method=mab/ && !EAP-Message) {
>      accept
> }

You could look up the MAC address here and reject if it is not found, 
assuming you don't want to allow all MAB auths.

> In post-auth I will then add a condition to lookup the MAC addr. in
> local DB, eg:

Seems OK to me.


More information about the Freeradius-Users mailing list