MACSEC on Cisco 3750-X and FreeRADIUS 2.2.5
Alan DeKok
aland at deployingradius.com
Thu Feb 26 15:00:38 CET 2015
On Feb 26, 2015, at 3:29 AM, Krause, Kilian <krause at tik.uni-stuttgart.de> wrote:
> Yet, we do see:
> - with PEAP:
> ...
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> +group authenticate {
> [eap] Badly formatted EAP Message: Ignoring the packet
That should be pretty obvious.
This is a textbook case of what *not* to do. i.e. Post *part* of the debug output. Ignore the error message. It can’t be important, right?
> This seems to be identical whether use_mppe is set to 'yes' or 'no' in modules/mschap.
Hmmm… editing the server configuration will make the client magically start sending correct EAP packets?
> - with EAP-TTLS just an empty EAP-Key-Name/reply:EAP-Session-Id (in sites-enabled/default)
>
> Even though EAP-TTLS is sending an Access-Accept I don't get the AnyConnect supplicant to be happy about it and the auth is stuck in an authentication loop without actually getting connectivity to the system.
Then there’s likely a problem with EAP. Not with Macsec.
> Since all of the relevant howtos I could find on the 'net either cover only the switch config alone or a combination of switch and Cisco ISE I'd like to raise the question whether anyone around here has gotten a similar setup up and running already.
How about trying it *without* macsec? If it doesn’t work, then the problem isn’t macsec.
This is a basic “divide and conquer” problem solving skill.
> If anyone has a good starting point to continue debugging further I'm all ears.
Read the debug output? Post *all* of it here, so that the experts can read it, and explain it to you?
Alan DeKok.