MACSEC on Cisco 3750-X and FreeRADIUS 2.2.5

A.L.M.Buxey
Thu Feb 26 11:35:43 CET 2015


> we're currently trying to get MACSEC (802.1ae) configured on a Cisco WS-C3750X-48P running IP base 15.0(2)SE7 on customer facing ports.
> For authentication we've got a radiator 4.14 as radius proxy configured on the switch and forward all (in this case only EAP) requests onto a FreeRADIUS 2.2.5+dfsg-0.1~bpo70+1 (Debian wheezy backports). The authenticating client is a Win7 (x86_64) running AnyConnect 3.1.06079.
> As per MACSEC should be working ok (since around 2.2.1 or 2.2.2) when uncommenting the relevant part in sites-enabled/default (which we've done).

1) full debug log is very useful

2) what happens when you send the request directly to FR?

> Since all of the relevant howtos I could find on the 'net either cover only the switch config alone or a combination of switch and Cisco ISE I'd like to raise the question whether anyone around here has gotten a similar setup up and running already.

Ensure you send back the right VSAs on Access-Accept - see the Cisco ISE docs - Cisco sometimes also document other RADIUS platforms... but rarely.
And check to see what they are saying to configure the ISE with.

