On Feb 26, 2015, at 3:29 AM, Krause, Kilian <krause@tik.uni-stuttgart.de> wrote:
Yet, we do see: - with PEAP: ... Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Badly formatted EAP Message: Ignoring the packet
That should be pretty obvious. This is a textbook case of what *not* to do. i.e. Post *part* of the debug output. Ignore the error message. It can’t be important, right?
This seems to be identical whether use_mppe is set to 'yes' or 'no' in modules/mschap.
Hmmm… editing the server configuration will make the client magically start sending correct EAP packets?
- with EAP-TTLS just an empty EAP-Key-Name/reply:EAP-Session-Id (in sites-enabled/default)
Even though EAP-TTLS is sending an Access-Accept I don't get the AnyConnect supplicant to be happy about it and the auth is stuck in an authentication loop without actually getting connectivity to the system.
Then there’s likely a problem with EAP. Not with Macsec.
Since all of the relevant howtos I could find on the 'net either cover only the switch config alone or a combination of switch and Cisco ISE I'd like to raise the question whether anyone around here has gotten a similar setup up and running already.
How about trying it *without* macsec? If it doesn’t work, then the problem isn’t macsec. This is a basic “divide and conquer” problem solving skill.
If anyone has a good starting point to continue debugging further I'm all ears.
Read the debug output? Post *all* of it here, so that the experts can read it, and explain it to you? Alan DeKok.