Configuring freeradius for MACsec
Matija Levec
Matija.Levec at astec.si
Thu Feb 23 17:26:31 CET 2012
Hello everyone,
I'm trying to configure MACsec (per http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.pdf ) in a test lab using a Cisco supplicant & switch and FreeRADIUS 2.1.12.
Cisco docs say: "The CAK is delivered in the RADIUS vendor-specific attributes (VSAs) MS-MPPE-Send-Key and MS-MPPE-Recv-Key." "...authentication server sends an EAP key identifier that is derived from the EAP exchange and is delivered to the authenticator in the EAP Key-Name attribute of the Access-Accept message."
With successful EAP-TLS authentication, the Access-Accept message sent from FreeRADIUS looks like this:
Sending Access-Accept of id 37 to 10.20.64.9 port 1645
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "123"
	MS-MPPE-Recv-Key = 0x84e5c624c3bcdeadca3c6210f24bd7b8336921ccc1c58399d397afc75770332c
	MS-MPPE-Send-Key = 0xa6c4860cc8092c251502f5adc3ee13586e05fe84cbbb8b6793b08d9523d12b1f
	EAP-Message = 0x03640004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "user1"
What should be configured for RADIUS to also send the EAP-Key-Name AVP?
Kind regards,
Matija Levec
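
Added example, not part of the original post and not FreeRADIUS or Cisco code: a Python check that parses an Access-Accept as printed in the server debug output and reports which of the attributes named in the quoted Cisco text are absent. The sample packet and its key bytes are constructed; the function names and the 32-byte key length check (EAP-TLS splits its 64-byte MSK into two 32-byte MPPE keys) are assumptions of this example.

```python
import re

# Attributes the Cisco text quoted above says the authenticator needs for MACsec.
REQUIRED = ("MS-MPPE-Send-Key", "MS-MPPE-Recv-Key", "EAP-Key-Name")
MPPE_KEY_LEN = 32  # assumption: EAP-TLS, each MPPE key is one half of the 64-byte MSK

# "Name = value" or "Name:tag = value", as printed in the debug output.
ATTR_RE = re.compile(r'^\s*([A-Za-z][\w-]*)(?::(\d+))?\s*:?=\s*(.+?)\s*$')


def parse_reply(text):
    """Return {attribute: value} for the attribute lines of one printed packet."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue  # header line such as "Sending Access-Accept ..."
        name, _tag, value = m.groups()
        if value.startswith("0x"):
            try:
                value = bytes.fromhex(value[2:])  # octets attributes
            except ValueError:
                pass  # malformed hex stays a string and fails the length check
        else:
            value = value.strip('"')
        attrs[name] = value
    return attrs


def macsec_findings(text):
    """List what the reply lacks against the requirements quoted from the guide."""
    attrs = parse_reply(text)
    findings = [f"missing {name}" for name in REQUIRED if name not in attrs]
    for name in ("MS-MPPE-Send-Key", "MS-MPPE-Recv-Key"):
        key = attrs.get(name)
        if key is not None and (not isinstance(key, bytes) or len(key) != MPPE_KEY_LEN):
            findings.append(f"{name} is not {MPPE_KEY_LEN} bytes")
    return findings


# Constructed sample in the shape of the debug output above (key bytes are made up).
SAMPLE = "\n".join([
    "Sending Access-Accept of id 37 to 10.20.64.9 port 1645",
    '\tTunnel-Private-Group-Id:0 = "123"',
    "\tMS-MPPE-Recv-Key = 0x" + "11" * 32,
    "\tMS-MPPE-Send-Key = 0x" + "22" * 32,
    "\tEAP-Message = 0x03640004",
    '\tUser-Name = "user1"',
])

if __name__ == "__main__":
    print(macsec_findings(SAMPLE))
```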