MACSEC on Cisco 3750-X and FreeRADIUS 2.2.5

Alan DeKok aland at
Thu Feb 26 15:00:38 CET 2015

On Feb 26, 2015, at 3:29 AM, Krause, Kilian <krause at> wrote:
> Yet, we do see:
> - with PEAP:
> ...
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> +group authenticate {
> [eap] Badly formatted EAP Message: Ignoring the packet

  That should be pretty obvious.

  This is a textbook case of what *not* to do.  i.e. Post *part* of the debug output.  Ignore the error message.  It can’t be important, right?

> This seems to be identical whether use_mppe is set to 'yes' or 'no' in modules/mschap.

  Hmmm… editing the server configuration will make the client magically start sending correct EAP packets?

> - with EAP-TTLS just an empty EAP-Key-Name/reply:EAP-Session-Id (in sites-enabled/default)
> Even though EAP-TTLS is sending an Access-Accept I don't get the AnyConnect supplicant to be happy about it and the auth is stuck in an authentication loop without actually getting connectivity to the system. 

  Then there’s likely a problem with EAP.  Not with Macsec.

> Since all of the relevant howtos I could find on the 'net either cover only the switch config alone or a combination of switch and Cisco ISE I'd like to raise the question whether anyone around here has gotten a similar setup up and running already.

  How about trying it *without* macsec?  If it doesn’t work, then the problem isn’t macsec.

  This is a basic “divide and conquer” problem solving skill.

> If anyone has a good starting point to continue debugging further I'm all ears.

  Read the debug output?  Post *all* of it here, so that the experts can read it, and explain it to you?

  Alan DeKok.
