TSW202 – 802.1X MAC-Based RADIUS Authentication Fails (No Auth-Type)

Hi all,

I am testing 802.1X (MAC-based authentication) on a TSW202 running firmware:

TSW2_R_00.01.08.1

Setup

  • 802.1X enabled on port (Role: Server)

  • Dynamic VLANs enabled

  • Accept VLAN: RADIUS assigned

  • External RADIUS server (FreeRADIUS)

  • Authentication port: 1812

  • Shared secret configured and verified

The RADIUS server is reachable and correctly configured.

Behaviour Observed

  • Test connectivity → Successful

  • Test user credentials → Successful

  • Auth: (2) Login OK: [MAC Address/MAC Address] (from client TeltonikaTSW202 port 0)

  • Live 802.1X authentication on port → Fails

  • Port status shows: Unauthorized

On the RADIUS server side, the log shows:

  • Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject)

Technical Observation

During live authentication, the switch sends:

  • User-Name = MAC Address

Because no authentication method is included in the Access-Request, the RADIUS server cannot determine Auth-Type and rejects the request.

For comparison, a Cisco switch using MAC authentication sends both:

  • User-Name = MAC Address
  • User-Password = MAC Address

This works immediately with the same RADIUS server.

Questions

  1. Is this expected behaviour for MAC-based authentication on the TSW202?

  2. Is there an option to send the MAC address as both User-Name and User-Password?

Any clarification on the expected RADIUS behaviour for MAC-based authentication on this firmware would be appreciated.

Thank you.

Greetings, @JamesJamJar,

Thank you for reaching out,

Thanks for the details so far. To diagnose the MAC‑based RADIUS authentication behaviour you’re seeing on the TSW202, please provide the following information that isn’t yet included:

  1. RADIUS/The Server Side
  • RADIUS server software/version (e.g., FreeRADIUS build).
  • Expected format for MAC credentials (e.g., User‑Name only, MAC as password).
  • Server debug logs showing the Access‑Request received and server interpretation.
  2. Switch 802.1X/RADIUS Config
  • Full 802.1X/MAC authentication settings per port (screenshots/text export).
  • Authentication order/mode, VLAN assignments, and any fallback.

This information will allow me to investigate further,

I look forward to your reply,

Best regards,
V.

Greetings V.,

Thank you for your response.

Please find the requested details below.

──────────────────────────────
RADIUS / Server Side
──────────────────────────────

RADIUS Server Software:

  • os-freeradius 1.10.1 OPNsense

User entry exists on the RADIUS server with:

  • Cleartext-Password =

  • VLAN assignment returned via RADIUS

Relevant Server Debug Output:

Successful Test (Teltonika “Test user credentials”):

  • Access-Request contains:

    • User-Name = MAC Address

    • User-Password = MAC Address

  • Result:
    Login OK: [MAC Address /MAC Address ]

Failed Live 802.1X Authentication:

  • Access-Request contains:

    • User-Name = MAC Address
  • Result:
    Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject)

This indicates that during live authentication the switch sends only an identity (MAC) without an authentication method.

──────────────────────────────
Switch 802.1X / RADIUS Configuration
──────────────────────────────

Device:

  • TSW202

  • Firmware: TSW2_R_00.01.08.1

802.1X Configuration (Affected Ports):

  • 802.1X Enabled

  • Role: Server

  • Dynamic VLANs: Enabled

  • Accept VLAN: RADIUS assigned

  • Guest VLAN: Disabled

  • Fallback VLAN: Disabled

  • Reject VLAN: Disabled

RADIUS Configuration:

  • Authentication port: 1812

  • Shared secret configured and verified

  • Test connectivity: Successful

  • Test user credentials: Successful

Authentication Mode:

  • MAC-based authentication via 802.1X port control

  • No fallback or secondary authentication configured

──────────────────────────────

The key difference observed is that the “Test user credentials” function sends both User-Name and User-Password, whereas live 802.1X authentication appears to send only User-Name.

Thanks

James

You’ll see the 3 tests below: 2 are 802.1X port auth failing, then the test function accepts.

Greetings,

I have analyzed the MAC-based 802.1X authentication issue on the TSW202 switch, where FreeRADIUS rejects requests with the log:

No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

Root Cause:
The TSW202 switch sends only the MAC address as the User-Name in Access-Requests, without providing a password or EAP credential. FreeRADIUS requires an Auth-Type to be set to determine the authentication method. Without a credential, it defaults to rejecting the request.

Solution:
To resolve this, configure FreeRADIUS to treat the MAC address as a PAP password for authentication. This can be done by updating the users file:

DEFAULT Auth-Type := Accept
Cleartext-Password := "%{User-Name}"

Steps:

  1. Open the FreeRADIUS users configuration file:

sudo nano /etc/freeradius/3.0/users

  2. Add the lines above to allow MAC addresses to authenticate.
  3. Save the file and restart FreeRADIUS:

sudo systemctl restart freeradius

  4. Test authentication using the MAC address as both username and password.

This configuration enables FreeRADIUS to accept MAC-only Access-Requests, resolving the “No Auth-Type” rejection while maintaining secure MAC-based authentication.

Please let me know if you need assistance applying this change or testing the setup.

Best regards,
V.
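
An added example (not part of the posts above, and not Teltonika or FreeRADIUS code): a small Python check that parses a raw Access-Request and reports which credential attribute, if any, it carries. That is the difference the thread identifies between live port authentication and the "Test user credentials" function. The two packets are constructed samples with a placeholder MAC and a zeroed authenticator; attribute numbers are from RFC 2865 and RFC 3579.

```python
import struct

# RADIUS attribute types (RFC 2865 / RFC 3579) that carry a credential
CREDENTIAL_ATTRS = {2: "PAP (User-Password)", 3: "CHAP (CHAP-Password)",
                    79: "EAP (EAP-Message)"}
ACCESS_REQUEST = 1


def parse_attributes(packet: bytes) -> list:
    """Return (type, value) pairs from a raw RADIUS Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError(f"not an Access-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def auth_method(packet: bytes):
    """Name the credential the request carries, or None if identity only."""
    for a_type, _value in parse_attributes(packet):
        if a_type in CREDENTIAL_ATTRS:
            return CREDENTIAL_ATTRS[a_type]
    return None


def build_request(attrs: list) -> bytes:
    """Build a constructed Access-Request (zeroed authenticator) for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + bytes(16) + body


# Constructed samples: placeholder MAC, dummy 16-byte User-Password block
MAC = b"00-11-22-33-44-55"
live_port_auth = build_request([(1, MAC)])                 # User-Name only
test_function = build_request([(1, MAC), (2, bytes(16))])  # User-Name + User-Password

if __name__ == "__main__":
    print("live 802.1X:", auth_method(live_port_auth))
    print("test button:", auth_method(test_function))
```

A `None` result corresponds to the request FreeRADIUS logs as "No Auth-Type found"; feeding the function the UDP payload from a capture on port 1812 shows which case the switch is actually sending.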