check user device mac address without doing mac-auth

Alan DeKok aland at
Sat Mar 25 16:42:20 UTC 2023

On Mar 25, 2023, at 8:03 AM, Eby Mani via Freeradius-Users <freeradius-users at> wrote:
> I have installed freeradius without sql integration for testing.
> 1, changed # Instead of "use_tunneled_reply", value to "if (1) {.
> 2, users file have following entry on top.
> testing Password := "password", Calling-Station-Id := "0cf346e648f3

  I'm pretty sure that won't do what you want,  I suggest reading the documentation to see how the operators work in the "users" file.

> Unauthorised devices with same login are granted access once authorised device is authenticated and server receive accounting-request is from unauthorised device. But when unauthorised devices try to connect for the first time, we see access-reject. 

  The debug log will show whu.

> I'm not sure if this happen due to any stale sessions,

  Authentication has nothing to do with stale sessions.

  What you want is s policy which says:

	if user is X and MAC is not Y

  So... write that in "unlang".  What you wrote in the "users" file doesn't do that, and doesn't follow the documentation for the "users" file.

  Alan DeKok.

More information about the Freeradius-Users mailing list