Netgate Discussion Forum
    FreeRADIUS - Auth-Type :=Accept - Am I doing this correctly?

    pfSense Packages · 1 post, 1 poster, 1.3k views
    OffstageRoller:

      I have 2 SSIDs on my network.

      1. WPA2-Enterprise
      2. WPA2-PSK

      Both networks are using FreeRADIUS from pfSense as their RADIUS server.

      The first network is WPA2-Enterprise and my clients mostly auth with EAP-TLS, although a few use PEAP because I can't get certs on those devices. This works.

      The second network uses WPA2-PSK, and I configured UniFi to use MAC Authorization:

      [screenshot: UniFi MAC Authorization settings]

      Within the FreeRADIUS package for pfSense I configured nothing under the MACs section of the package. However, I did add each of my clients as a user under the Users section. I entered the MAC address of each client for the username and password for that user, and then specified the VLAN I want that user assigned to.

      Up to this point, everything works how I expect. But here's where I need some help. If a user is able to connect to this WPA2-PSK network but I don't have a matching MAC address for them in my FreeRADIUS users table, I still want them to connect and go onto a VLAN (666) for unknown devices where I can have ARP Watch notify me about it.

      In order to get that working, I added an additional user with no username and password, a VLAN of 666, and in the Additional RADIUS Attributes on the TOP of this entry section I added the following:

      DEFAULT NAS-Port-Type = Wireless-802.11, Auth-Type :=Accept

      [screenshot: FreeRADIUS user entry with the additional RADIUS attributes]

      This gets me the result I was hoping for, but I wanted to know if that's the correct way to do this? I'm not 100% sure about this. For example, if that user is above my users that use EAP-TLS, those users can no longer authenticate. But if this user with VLAN 666 is at the bottom of my user list, everything works how I want it to.

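The ordering effect described in the post follows from how FreeRADIUS walks the users file: entries are tried top to bottom, a DEFAULT entry matches any User-Name, and the first entry whose check items all match wins unless it sets Fall-Through = Yes. The following simulator is an added example, not code from the post or from the pfSense FreeRADIUS package; the entry names, MAC addresses, VLAN ids and request attributes are constructed sample data, and the entries are written in the shape the package generates (MAC users with a Cleartext-Password check item, an EAP-TLS user whose entry only assigns a VLAN, and the catch-all DEFAULT entry from the post).

```python
# Added example (not from the post or the pfSense FreeRADIUS package): a small
# simulator of how FreeRADIUS walks the "users" file, to show why the position of
# the DEFAULT / Auth-Type := Accept entry decides whether EAP-TLS users still work.
# Entry names, MACs, VLAN ids and requests below are constructed sample data.

from dataclasses import dataclass, field

@dataclass
class Entry:
    name: str                                   # User-Name to match, or "DEFAULT" for any
    check: list = field(default_factory=list)   # (attr, op, value); "=" compares, ":=" sets a control item
    reply: dict = field(default_factory=dict)   # reply attributes returned when the entry is used

MAC_USER = Entry("aabbccddeeff",
                 [("Cleartext-Password", ":=", "aabbccddeeff")],
                 {"Tunnel-Private-Group-Id": "20"})
TLS_USER = Entry("alice",
                 [],                            # EAP-TLS: the certificate authenticates, entry only assigns the VLAN
                 {"Tunnel-Private-Group-Id": "10"})
CATCH_ALL = Entry("DEFAULT",                    # the poster's entry for unknown wireless devices
                  [("NAS-Port-Type", "=", "Wireless-802.11"), ("Auth-Type", ":=", "Accept")],
                  {"Tunnel-Private-Group-Id": "666"})

def authorize(entries, request):
    """Walk entries top to bottom; the first full match wins unless it sets Fall-Through = Yes."""
    control, reply, matched = {}, {}, []
    for e in entries:
        if e.name != "DEFAULT" and e.name != request.get("User-Name"):
            continue
        if any(op == "=" and request.get(a) != v for a, op, v in e.check):
            continue                            # a comparison check item did not match
        for a, op, v in e.check:
            if op == ":=":
                control[a] = v                  # e.g. Auth-Type, Cleartext-Password
        matched.append(e.name)
        reply.update(e.reply)
        if reply.get("Fall-Through") != "Yes":
            break
    return control, reply, matched

def authenticate(entries, request):
    """Return (outcome, reply) following FreeRADIUS' handling of control:Auth-Type."""
    control, reply, _ = authorize(entries, request)
    auth_type = control.get("Auth-Type")
    if auth_type is None and "EAP-Message" in request:
        auth_type = "EAP"                       # rlm_eap only sets Auth-Type when nothing earlier did
    if auth_type == "Accept":
        # Accept short-circuits authentication: no EAP exchange takes place, so a
        # supplicant that is mid-EAP never receives EAP-Success and the join fails.
        if "EAP-Message" in request:
            return "Access-Accept (EAP skipped, client fails)", reply
        return "Access-Accept", reply
    if auth_type == "EAP":
        return "EAP continues (certificate checked by rlm_eap)", reply
    if control.get("Cleartext-Password") == request.get("User-Password"):
        return "Access-Accept", reply
    return "Access-Reject", reply

# Constructed requests: a known MAC, an unknown MAC, and an EAP-TLS client. All arrive
# with NAS-Port-Type = Wireless-802.11, so that check does not tell the two SSIDs apart.
KNOWN_MAC = {"User-Name": "aabbccddeeff", "User-Password": "aabbccddeeff", "NAS-Port-Type": "Wireless-802.11"}
UNKNOWN_MAC = {"User-Name": "001122334455", "User-Password": "001122334455", "NAS-Port-Type": "Wireless-802.11"}
EAP_TLS = {"User-Name": "alice", "EAP-Message": "<tls handshake>", "NAS-Port-Type": "Wireless-802.11"}

def run(entries):
    """Evaluate the three sample requests against one ordering of the users file."""
    return {name: authenticate(entries, req) for name, req in
            (("known_mac", KNOWN_MAC), ("unknown_mac", UNKNOWN_MAC), ("eap_tls", EAP_TLS))}

DEFAULT_LAST = [MAC_USER, TLS_USER, CATCH_ALL]   # the ordering the post reports as working
DEFAULT_FIRST = [CATCH_ALL, MAC_USER, TLS_USER]  # the ordering that breaks EAP-TLS

if __name__ == "__main__":
    for label, entries in (("DEFAULT last", DEFAULT_LAST), ("DEFAULT first", DEFAULT_FIRST)):
        print(label)
        for name, (outcome, reply) in run(entries).items():
            print(f"  {name:12s} -> {outcome}; VLAN {reply.get('Tunnel-Private-Group-Id')}")
```

With the DEFAULT entry last, the known MAC gets VLAN 20, the EAP-TLS user reaches rlm_eap and gets VLAN 10, and only the unknown MAC is accepted onto VLAN 666. With it first, every wireless request matches DEFAULT before its own entry: the known MAC also lands on VLAN 666, and the EAP-TLS client receives an Access-Accept with the EAP exchange skipped, which is the failure the post observes. The simulation also shows that the NAS-Port-Type check alone does not restrict the catch-all to the PSK SSID, since both SSIDs report Wireless-802.11.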
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.