In this example you add the MAC address of the ASA into the internal user database rather than the host identity store. I just put it into the host identity store and it worked fine. Any reason why you didn't do it this way?
You mention the following.
Technically, MAB-EAP cannot use the same Host Lookup mechanism for two reasons:
- The RADIUS Service-Type attribute value is Framed, and Host Lookup works only when the attribute value is Call-Check.
- EAP-MD5 uses the CHAP protocol to create a hash of the password, so it actually requires the authentication to be username/password based.
I just had to enable detect host lookup for EAP-MD5 in the allowed protocols for my Access policy.