MACSEC on Cisco 3750-X and FreeRADIUS 2.2.5

Krause, Kilian krause at tik.uni-stuttgart.de
Fri Feb 27 09:24:43 CET 2015


Hi Alan,

> > we're currently trying to get MACSEC (802.1ae) configured on a Cisco WS-C3750X-48P
> > running IP base 15.0(2)SE7 on customer facing ports.
> >
> > For authentication we've got a radiator 4.14 as radius proxy configured on the
> > switch and forward all (in this case only EAP) requests onto a FreeRADIUS
> > 2.2.5+dfsg-0.1~bpo70+1 (Debian wheezy backports). The authenticating client is a
> > Win7 (x86_64) running AnyConnect 3.1.06079.
> >
> > As per http://lists.freeradius.org/pipermail/freeradius-users/2013-February/065041.html
> > MACSEC should be working ok (since around 2.2.1 or 2.2.2) when uncommenting the
> > relevant part in sites-enabled/default (which we've done).
> 
> 1) full debug log is very useful

Here you go:
http://fex.rus.uni-stuttgart.de:8080/fop/cEx9dqNJ/logs.zip


> 2) what happens when you send the request directly to FR?

The above logs are created with direct authentication from switch to FR.


> > Since all of the relevant howtos I could find on the 'net either cover only the
> > switch config alone or a combination of switch and Cisco ISE I'd like to raise the
> > question whether anyone around here has gotten a similar setup up and running already.
> 
> ensure you send back the right VSAs on Access-Accept - see the Cisco ISE
> docs - cisco sometimes also document other RADIUS platforms...but rarely..
> and check to see what they are saying to configure the ISE with

Well, what "right" VSAs might those be? Send Cisco-Avpair:linksec-policy=must-secure even though it's already configured on the switchport itself? Doesn't sound too obvious, but might be worth a try.

TIA!

Best,
Kilian
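The reply above asks which VSAs to return on the Access-Accept and whether Cisco-AVPair "linksec-policy=must-secure" is one of them. The following is an added example, not code from this thread or from FreeRADIUS, showing how such a Cisco-AVPair is carried inside an RFC 2865 Vendor-Specific attribute (type 26), so the bytes can be recognised when reading the switch or FreeRADIUS debug output. It assumes the IANA enterprise number 9 for Cisco and vendor-type 1 for Cisco-AVPair, which is how FreeRADIUS's dictionary.cisco defines the attribute; the policy string is the one named in the mail, and nothing here confirms that the switch requires it.

```python
import struct
from typing import List, Tuple

ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 section 5.26: Vendor-Specific
CISCO_VENDOR_ID = 9         # IANA private enterprise number for Cisco (assumption stated in lead-in)
CISCO_AVPAIR_TYPE = 1       # vendor-type of Cisco-AVPair as in FreeRADIUS dictionary.cisco


def encode_cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair string as a Vendor-Specific attribute.

    Layout: Type(26) Length VendorId(4) VendorType VendorLength Value...
    VendorLength covers vendor-type, vendor-length and the value bytes;
    the outer Length covers the whole attribute including type and length.
    """
    data = value.encode("ascii")
    vendor_part = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_part
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_macsec_reply_attributes(policy: str = "linksec-policy=must-secure") -> bytes:
    """Attribute list for an Access-Accept that carries the linksec policy AV-pair."""
    return encode_cisco_avpair(policy)


def decode_attributes(raw: bytes) -> List[Tuple[str, str]]:
    """Walk a RADIUS attribute list; return (name, value) pairs.

    Cisco-AVPair values are decoded to text; any other attribute is returned
    as hex so malformed or unexpected data is still visible rather than dropped.
    """
    out: List[Tuple[str, str]] = []
    i = 0
    while i + 2 <= len(raw):
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("malformed attribute length at offset %d" % i)
        payload = raw[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(payload) >= 6:
            vendor_id = struct.unpack("!I", payload[:4])[0]
            vtype, vlen = payload[4], payload[5]
            # vendor-length must account for exactly the rest of the payload
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR_TYPE and vlen == len(payload) - 4:
                out.append(("Cisco-AVPair", payload[6:6 + vlen - 2].decode("ascii")))
            else:
                out.append(("Vendor-Specific", payload.hex()))
        else:
            out.append(("Attr-%d" % atype, payload.hex()))
        i += alen
    return out


if __name__ == "__main__":
    attrs = build_macsec_reply_attributes()
    print(attrs.hex())
    print(decode_attributes(attrs))
```

In FreeRADIUS 2.x the same attribute would be added to the reply with `update reply { Cisco-AVPair += "linksec-policy=must-secure" }` in the post-auth section (or a `Cisco-AVPair += "..."` reply item in the users file); the debug log then shows it as `Cisco-AVPair = "linksec-policy=must-secure"` in the Access-Accept, and the bytes above are what goes on the wire.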
