MACSEC on Cisco 3750-X and FreeRADIUS 2.2.5

Krause, Kilian krause at
Thu Feb 26 09:29:48 CET 2015


We're currently trying to get MACSEC (802.1ae) configured on a Cisco WS-C3750X-48P running IP base 15.0(2)SE7 on customer facing ports.

For authentication we've got a Radiator 4.14 as RADIUS proxy configured on the switch and forward all (in this case only EAP) requests onto a FreeRADIUS 2.2.5+dfsg-0.1~bpo70+1 (Debian wheezy backports). The authenticating client is a Win7 (x86_64) running AnyConnect 3.1.06079.

As per MACSEC should be working ok (since around 2.2.1 or 2.2.2) when uncommenting the relevant part in sites-enabled/default (which we've done).

Yet, we do see:
- with PEAP:
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Badly formatted EAP Message: Ignoring the packet
[eap] Failed in handler
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.

This seems to be identical whether use_mppe is set to 'yes' or 'no' in modules/mschap.

- with EAP-TTLS just an empty EAP-Key-Name/reply:EAP-Session-Id (in sites-enabled/default)

Even though EAP-TTLS is sending an Access-Accept I don't get the AnyConnect supplicant to be happy about it and the auth is stuck in an authentication loop without actually getting connectivity to the system. 

Since all of the relevant howtos I could find on the 'net either cover only the switch config alone or a combination of switch and Cisco ISE I'd like to raise the question whether anyone around here has gotten a similar setup up and running already.

If anyone has a good starting point to continue debugging further I'm all ears.


Best regards,

Kilian Krause 
Netze und Kommunikationssysteme (NKS)

Informations- und Kommunikationszentrum der Universität Stuttgart (IZUS)
Technische Informations- und Kommunikationsdienste (TIK, ehem. RUS)

Tel.: +49 (711) 685-64512
Fax.: +49 (711) 685-54512 (PC)
Fax.: +49 (711) 68 23 57

Allmandring 30a
70550 Stuttgart
