diff --git a/openwisp_radius/api/serializers.py b/openwisp_radius/api/serializers.py
index 0245d5ab..63f12c57 100644
--- a/openwisp_radius/api/serializers.py
+++ b/openwisp_radius/api/serializers.py
@@ -120,7 +120,9 @@ class RadiusPostAuthSerializer(serializers.ModelSerializer):
 allow_blank=True,
 style={'input_type': 'password'},
 )
- called_station_id = serializers.CharField(required=False, allow_blank=True)
+ called_station_id = serializers.CharField(
+ required=False, allow_blank=True, max_length=50
+ )
 calling_station_id = serializers.CharField(required=False, allow_blank=True)

 def validate(self, data):
diff --git a/openwisp_radius/tests/test_api/test_freeradius_api.py b/openwisp_radius/tests/test_api/test_freeradius_api.py
index 30d3d0dd..e283323b 100644
--- a/openwisp_radius/tests/test_api/test_freeradius_api.py
+++ b/openwisp_radius/tests/test_api/test_freeradius_api.py
@@ -590,6 +590,16 @@ def test_postauth_400(self):
 self.assertEqual(RadiusPostAuth.objects.all().count(), 0)
 self.assertEqual(response.status_code, 400)

+ def test_postauth_called_station_id_validation(self):
+ payload = {
+ 'called_station_id': 'C0-4A-00-EE-D1-0D:' + 'B' * 46
+ } # taking a >50 char value of called_station_id
+ response = self.client.post(
+ reverse('radius:postauth'), payload, HTTP_AUTHORIZATION=self.auth_header
+ )
+ self.assertEqual(RadiusPostAuth.objects.all().count(), 0)
+ self.assertEqual(response.status_code, 400)
+
 @capture_any_output()
 def test_postauth_no_token_403(self):
 response = self.client.post(reverse('radius:postauth'), {'username': 'tester'})
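Review bot: `calling_station_id` on the line right after the changed field is still declared without `max_length`, so the postauth endpoint keeps accepting an arbitrarily long value there. Declaring a field explicitly on a `ModelSerializer` replaces the model-derived field and its length validator, so an oversized value would presumably reach the database layer and either fail there or be truncated, depending on the backend. Consider `calling_station_id = serializers.CharField(required=False, allow_blank=True, max_length=50)`, with the limit checked against the model column, which is not visible here. The literal `50` on `called_station_id` would also be safer read from the model field than hard-coded, so the two cannot drift. The serializer class starts and continues outside this hunk.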
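Review bot: `test_postauth_called_station_id_validation` asserts only the 400 status and the empty table, so it does not show that the length limit is what rejected the request. The payload contains nothing but `called_station_id`; if the serializer requires other fields such as `username` (not visible in this hunk), the request would be rejected even without `max_length=50` and the test would pass against the old code. Fill in the otherwise-required fields and add `self.assertIn('called_station_id', response.data)` so the failure is attributable to the new validator. A companion case with a value of exactly 50 characters that is accepted would pin the boundary.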