Wireless 802.1x with MAB as fallback and FreeRadius

Alan DeKok aland at deployingradius.com
Thu Jul 17 13:25:32 UTC 2025


On Jul 17, 2025, at 9:11 AM, Rodrigo Antunes via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> What is it doing here then? It seems exactly what I need.
> 
> "If you have both, MAC Filter and 802.1x it will always send both requests to ISE.
> 
> It will send the mac address first so you have a few options:
> 
> 1. Perform MAB and if it is valid do not perform 802.1x. (i.e. a Printer)

  I would be very surprised if that worked on WiFi.  It might, but it would be very much not a standard way to do things.

> 2. Perform MAB and if it is NOT VALID, perform 802.1x. (i.e. a domain computer)
> 3. You can do as Sandeep said to perform both MAB and 802.1x and force both to pass.
> 
> You need to make sure that under your Authentication policy for Wireless-MAB you select the "Continue" option for "if the user does not exist". Otherwise you'll get an access-reject for the MAB and won't get to the 802.1x authentication."

  If the AP does this, great.

  The only problem, then, is configuring FreeRADIUS.  There is documentation on configuring MAC auth, and on how to debug new configurations.  So, just do that.

  Alan DeKok.
