Wireless 802.1x with MAB as fallback and FreeRadius
Rodrigo Antunes
rodrigoaantunes at yahoo.com.br
Thu Jul 17 13:11:09 UTC 2025
> Those articles talk about it doing BOTH Mac auth and 802.1X. For WiFi, you can't use Mac auth to bypass 802.1X.
What is it doing here then? It seems exaclty what I need.
"If you have both, MAC Filter and 802.1x it will always send both requests to ISE.
It will send the mac address first so you have a few options:
1. Perform MAB and if it is valid do not perform 802.1x. (i.e a Printer)
2. Perform MAB and it if is NOT VALID, perform 802.1x. (i.e a domain computer)
3. You can do as Sandeep said to perform both MAB and 802.1x and force both to pass.
You need make sure that under your Authentication policy for Wireless-MAB you select the "Continue" option for "if the user does not exist". Otherwise you'll get an access-reject for the MAB and won't get to the 802.1x authentication."
More information about the Freeradius-Users
mailing list