Wireless 802.1x with MAB as fallback and FreeRadius
Alan DeKok
aland at deployingradius.com
Thu Jul 17 17:04:09 UTC 2025
On Jul 17, 2025, at 12:56 PM, Rodrigo Antunes via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I think you misunderstood something in the way.
I understood only what you posted. If your comments are unclear, there isn't much I can do about that.
> In an earlier email I said I understood what you said that it is not possible to authenticate IoT devices that don't support 802.1x in an 802.1x SSID. There is no fallback like there is in wired.
>
> So I asked what is the best practice to properly solve the issue where I need to authenticate IoT devices.
The question wasn't that, but sure...
> A separate SSID specifically for them, right? In this new SSID I could use macauth, but macauth only is insecure because MAC can be spoofed.
A separate SSID would work. And yes, MAC auth doesn't add a lot of security, because it can be spoofed.
> An earlier user said something about Cisco IPSK, does someone have an idea how I can configure this in the virtual Cisco wireless controller together with FreeRADIUS?
There's a DPSK module in FreeRADIUS. It has documentation, and is known to work with IPSK.
Alan DeKok.