MACSEC on Cisco 3750-X and FreeRADIUS 2.2.5

Krause, Kilian krause at
Fri Feb 27 09:43:38 CET 2015

Hi Alan,

> On Feb 26, 2015, at 3:29 AM, Krause, Kilian <krause at> wrote:
> > Yet, we do see:
> > - with PEAP:
> > ...
> > Found Auth-Type = EAP
> > # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> > +group authenticate {
> > [eap] Badly formatted EAP Message: Ignoring the packet
>   That should be pretty obvious.
>   This is a textbook case of what *not* to do.  i.e. Post *part* of the
> debug output.  Ignore the error message.  It can’t be important, right?

If there had been anything above that looked like an error, I'd surely have copied it here. For now I was hoping this is sort of a FAQ (well, probably MACSEC is still somewhat too new to be actually widespread enough to call this question "frequent") and there might be an easy and short way to fix this.

> > This seems to be identical whether use_mppe is set to 'yes' or 'no' in modules/mschap.
>   Hmmm… editing the server configuration will make the client magically
> start sending correct EAP packets?

As you may see here, I don't yet fully understand which part of the state machine between server and client is stopping where. It may or may not be the FR or the client or the EAP. I just don't know yet. And exactly that is what I'm trying to find out first.

> > - with EAP-TTLS just an empty EAP-Key-Name/reply:EAP-Session-Id (in sites-enabled/default)
> >
> > Even though EAP-TTLS is sending an Access-Accept I don't get the AnyConnect supplicant to be happy about it and the auth is stuck in an authentication loop without actually getting connectivity to the system.
>   Then there’s likely a problem with EAP.  Not with Macsec.

Ok. Then we should look at that first, I guess.

> > Since all of the relevant howtos I could find on the 'net either cover only the switch config alone or a combination of switch and Cisco ISE I'd like to raise the question whether anyone around here has gotten a similar setup up and running already.
>   How about trying it *without* macsec?  If it doesn’t work, then the
> problem isn’t macsec.

Above you say that the problem isn't with Macsec. And trying without works just fine. The switchport and the vlan are working flawlessly.

>   This is a basic “divide and conquer” problem solving skill.
> > If anyone has a good starting point to continue debugging further I'm all ears.
>   Read the debug output?  Post *all* of it here, so that the experts can
> read it, and explain it to you?

See and explain it to me then.


