Wireless 802.1x with MAB as fallback and FreeRadius
Alan DeKok
aland at deployingradius.com
Wed Jul 16 19:25:29 UTC 2025
On Jul 16, 2025, at 12:37 PM, Rodrigo Antunes via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Hello, I use EAP to authenticate wireless clients that support 802.1x.
> But we have some IoT devices that don't support 802.1x, is it possible to make them connect to the same SSID with some kind of fallback?
Pretty much, no. An SSID either does 802.1X, or is open / PSK. It can't do 802.1X and be open.
> I saw a lot of articles teaching how to do this in ISE.
For wired. Not for WiFi.
> Basically you enable Mac Authentication Bypass in the wireless controller and then it sends the mac to the radius server, if the mac is invalid then it try 802.1x.
> I tried that, but when the client connects to the ssid It sends the MAC and is rejected by radius.
If only there was some kind of debug output you could read. Oh well.
Alan DeKok.
More information about the Freeradius-Users
mailing list