RADIUS attribute from rfc7268


The Allowed-Called-Station-Id Attribute allows the RADIUS server
      to specify the authenticator MAC addresses and/or networks to
      which the user is allowed to connect.  One or more Allowed-Called-
      Station-Id Attributes MAY be included in an Access-Accept, CoA-
      Request, or Accounting-Request packet.

      The Allowed-Called-Station-Id Attribute can be useful in
      situations where pre-authentication is supported (e.g., IEEE
      802.11 pre-authentication).  In these scenarios, a Called-Station-
      Id Attribute typically will not be included within the Access-
      Request so that the RADIUS server will not know the network that
      the user is attempting to access.  The Allowed-Called-Station-Id
      enables the RADIUS server to restrict the networks and attachment
      points to which the user can subsequently connect.

      A summary of the Allowed-Called-Station-Id Attribute format is
      shown below.  The fields are transmitted from left to right.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      |     Type      |  Length       |            String...






      The String field is one or more octets, specifying a Called-
      Station-Id that the user MAY connect to; if the Called-Station-Id
      that the user connects to does not match one of the Allowed-
      Called-Station-Id Attributes, the Network Access Server (NAS) MUST
      NOT permit the user to access the network.In the case of IEEE 802, the Allowed-Called-Station-Id Attribute
      is used to store the Medium Access Control (MAC) address,
      represented as an uppercase ASCII character string in Canonical
      format and with octet values separated by a "-", for example,
      "00-10-A4-23-19-C0".  Where restrictions on both the network and
      authenticator MAC address usage are intended, the network name
      MUST be appended to the authenticator MAC address, separated from
      the MAC address with a ":", for example, "00-10-A4-23-19-C0:AP1".
      Where no MAC address restriction is intended, the MAC address
      field MUST be omitted, but ":" and the network name field MUST be
      included, for example, ":AP1".

      Within IEEE 802.11 , the Service Set Identifier
      (SSID) constitutes the network name; within IEEE 802.1X
       wired networks, the Network-Id Name (NID-Name)
      constitutes the network name.  Since a NID-Name can be up to 253
      octets in length, when used with  wired networks,
      there may not be sufficient room within the Allowed-Called-
      Station-Id Attribute to include both a MAC address and a network
      name.  However, as the Allowed-Called-Station-Id Attribute is
      expected to be used largely in wireless access scenarios, this
      restriction is not considered serious.