check user device mac address without doing mac-auth

Alan DeKok aland at
Wed Mar 22 14:46:31 UTC 2023

On Mar 22, 2023, at 10:40 AM, Eby Mani via Freeradius-Users <freeradius-users at> wrote:
> Is it possible to check the MAC address of the user's device when doing standard 802.1X authentication, and allow access without doing mac-auth + 802.1X?


  You can reject a user when doing 802.1X authentication if their MAC does not match an expected MAC.

  You cannot force authentication to succeed if the MAC is known, but 802.1X authentication fails.  It's impossible.

> The requirement is to restrict users from connecting from other devices (say BYOD) other than the IT-approved device allocated to the user.

  That can be done:

	if (mac is not known) {

> When using mac-auth-802.1x, the server has no way of knowing which device the user is mapped to, and the user can connect from any authorised device in the list.

  The device's MAC comes in the RADIUS packet.  So it is trivial to match a user to a particular device.

> Questions,
> 1, Is there a guide on how to achieve this with MySQL integration?

 No.  You cannot force authentication to succeed.

> 2a, Is it recommended to add new columns to include mac-addr in the radcheck table?


> 2b, If so, will FreeRADIUS automatically check the new column values and do Access-Accept/Reject automatically?

  Absolutely not.  You can't just add a column, and have FreeRADIUS magically know what the column means, and how to use it.

  Alan DeKok.
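
The rule discussed in this thread, modelled as an added example (not code from the post or from FreeRADIUS): the MAC carried in the RADIUS packet is matched against a per-user device list and can only turn a successful 802.1X result into a reject, never the reverse. The `user_device` table, the function names and the sample rows are hypothetical, and an in-memory SQLite database stands in for MySQL.

```python
import re
import sqlite3


def canonical_mac(value):
    """Normalise a Calling-Station-Id to 'aabbccddeeff'; None if it is not a MAC."""
    stripped = re.sub(r"[-:.]", "", (value or "").strip()).lower()
    return stripped if re.fullmatch(r"[0-9a-f]{12}", stripped) else None


def build_device_table(rows):
    """Create the hypothetical user -> approved-device mapping table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_device ("
               "username TEXT NOT NULL, mac TEXT NOT NULL, "
               "PRIMARY KEY (username, mac))")
    db.executemany("INSERT INTO user_device VALUES (?, ?)",
                   [(user, canonical_mac(mac)) for user, mac in rows])
    return db


def decide(db, username, calling_station_id, dot1x_ok):
    """Return the reply type for one request.

    dot1x_ok is the outcome of the 802.1X (EAP) authentication itself.
    """
    if not dot1x_ok:
        # A known MAC never rescues a failed 802.1X authentication.
        return "Access-Reject"
    mac = canonical_mac(calling_station_id)
    if mac is None:
        # Missing or malformed Calling-Station-Id: nothing to match against.
        return "Access-Reject"
    row = db.execute(
        "SELECT 1 FROM user_device WHERE username = ? AND mac = ?",
        (username, mac)).fetchone()
    return "Access-Accept" if row else "Access-Reject"


# Constructed sample data: one approved device per user, in two notations.
SAMPLE = [("alice", "00:11:22:AA:BB:CC"), ("bob", "0011.22dd.eeff")]
DB = build_device_table(SAMPLE)

if __name__ == "__main__":
    print(decide(DB, "alice", "00-11-22-aa-bb-cc", True))   # her own device
    print(decide(DB, "alice", "00-11-22-DD-EE-FF", True))   # bob's device
    print(decide(DB, "alice", "00-11-22-aa-bb-cc", False))  # 802.1X failed
```

Because the lookup is keyed on the (username, MAC) pair, a device approved for a different user is rejected just like an unknown one.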
