MACSEC on Cisco 3750-X and FreeRADIUS 2.2.5

A.L.M.Buxey at lboro.ac.uk
Mon Mar 2 11:43:11 CET 2015


Hi,

> Do you reckon that using tunneled reply (which we obviously need to support CUI on eduroam) shouldn't break MACSEC? If so, why is activating it in the FR default config breaking MACSEC in my lab and what might be a possible fix for this?

this sort of thing is usually because you are leaking things from the inner to the outer which clash
with the NAS's idea of what's going on - e.g. you are leaking the User-Name from the inner to the outer... thus
negating the point of an anonymous outerID - which is what CUI is actually for ;-)

to confirm/verify, either don't play with/expose the inner User-Name or set the client to have the
same outerid as its innerid (e.g. classic Windows behaviour)

alan
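
An added example, not part of the original post and not FreeRADIUS project code: a small check for the leak described above, which reads packet dumps and flags any Access-Accept whose User-Name differs from the outer User-Name in the Access-Request with the same RADIUS id. The sample text is constructed in the style of FreeRADIUS 2.x debug output, the function names are hypothetical, and it assumes a capture from a single NAS so packet ids do not collide.

```python
import re

# Constructed sample in the style of FreeRADIUS 2.x debug output (assumption).
SAMPLE = '''\
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=7, length=220
\tUser-Name = "anonymous@example.org"
\tNAS-Port-Type = Ethernet
Sending Access-Accept of id 7 to 192.0.2.10 port 1645
\tUser-Name = "alice@example.org"
\tChargeable-User-Identity = "0f3c9a"
\tEAP-Message = 0x03070004
'''

HEADER = re.compile(r'^(?:rad_recv: (\S+) packet .*?id=(\d+)|Sending (\S+) of id (\d+))')
ATTR = re.compile(r'^\s+([\w-]+) = "?(.*?)"?$')

def parse_packets(text):
    """Split a debug log into packets: code, RADIUS id and attribute dict."""
    packets, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"code": m.group(1) or m.group(3),
                   "id": int(m.group(2) or m.group(4)), "attrs": {}}
            packets.append(cur)
            continue
        a = ATTR.match(line)
        if a and cur is not None:
            cur["attrs"][a.group(1)] = a.group(2)
        elif not line.startswith(("\t", " ")):
            cur = None  # unindented non-header line ends the attribute list
    return packets

def find_identity_leaks(text):
    """Return (id, outer_name, reply_name) where the accept exposes another identity."""
    outer, leaks = {}, []
    for p in parse_packets(text):
        name = p["attrs"].get("User-Name")
        if p["code"] == "Access-Request":
            outer[p["id"]] = name  # outer identity seen by the NAS
        elif p["code"] == "Access-Accept" and name is not None:
            if p["id"] in outer and outer[p["id"]] != name:
                leaks.append((p["id"], outer[p["id"]], name))
    return leaks

if __name__ == "__main__":
    for pkt_id, outer_name, reply_name in find_identity_leaks(SAMPLE):
        print(f"id {pkt_id}: outer {outer_name!r} but Access-Accept carries {reply_name!r}")
```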

