MACSEC on Cisco 3750-X and FreeRADIUS 2.2.5

A.L.M.Buxey at lboro.ac.uk
Thu Feb 26 11:35:43 CET 2015


Hi,

> we're currently trying to get MACSEC (802.1ae) configured on a Cisco WS-C3750X-48P running IP base 15.0(2)SE7 on customer facing ports.
> 
> For authentication we've got a Radiator 4.14 as RADIUS proxy configured on the switch and forward all (in this case only EAP) requests onto a FreeRADIUS 2.2.5+dfsg-0.1~bpo70+1 (Debian wheezy backports). The authenticating client is a Win7 (x86_64) running AnyConnect 3.1.06079.
> 
> As per http://lists.freeradius.org/pipermail/freeradius-users/2013-February/065041.html MACSEC should be working ok (since around 2.2.1 or 2.2.2) when uncommenting the relevant part in sites-enabled/default (which we've done).

1) full debug log is very useful

2) what happens when you send the request directly to FR?

> Since all of the relevant howtos I could find on the 'net either cover only the switch config alone or a combination of switch and Cisco ISE I'd like to raise the question whether anyone around here has gotten a similar setup up and running already.

Ensure you send back the right VSAs on Access-Accept - see the Cisco ISE docs - Cisco sometimes also document other RADIUS platforms... but rarely.
And check to see what they are saying to configure the ISE with.

alan

