MACSEC on Cisco 3750-X and FreeRADIUS 2.2.5

A.L.M.Buxey
Mon Mar 2 15:42:28 CET 2015


> I've already implemented a reset of the outer User-Name reply in post-auth to the one received in the outer tunnel request. Somewhat that feels a bit counterintuitive, but it was the logical consequence of the howto telling me I'd need use_tunneled_reply for CUI to work at all. I'd love to not use use_tunneled_reply, but so far my tests failed to update the outer reply with the value from the inner tunnel directly. So, how would I be leaking just this info about the "real" User-Name from the inner tunnel alone without use_tunneled_reply?

you can choose which items to copy from the inner to outer rather than just copying the whole lot (update the outer section in unlang)

> So do you reckon it's either CUI or MACSEC working? Can use_tunneled_reply be updated dynamically based upon NAS-Port-Type?

you could proxy to a different virtual-server based on the NAS-Port-Type...which could then have different configs

> I'm also still trying to understand what breaks PEAP-MSCHAPv2 when pulling authentication from AD rather than using local accounts on the FR (the latter works just fine with MACSEC).

because you are using LDAP to talk to AD and therefore you don't get the plain password as required? Use ntlm_auth with the system bound to the AD
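The two suggestions above written out as FreeRADIUS 2.x unlang, as an added example that is not part of the original thread: the inner-tunnel post-auth section copies only Chargeable-User-Identity to the outer reply (so use_tunneled_reply, which would also copy the inner User-Name, can stay off), and the outer server hands switch-port requests to a separate virtual server by NAS-Port-Type. The names `macsec-inner`, `macsec-auth`, `macsec-pool` and the realm `macsec` are assumptions.

```unlang
# sites-available/inner-tunnel (used by PEAP), with use_tunneled_reply = no in eap.conf
post-auth {
    # Copy only the CUI to the outer (EAP) reply. The inner User-Name is
    # deliberately not copied, so the real identity stays inside the tunnel.
    if (reply:Chargeable-User-Identity) {
        update outer.reply {
            Chargeable-User-Identity := "%{reply:Chargeable-User-Identity}"
        }
    }
}

# proxy.conf: a "home server" that is really a local virtual server (names assumed)
home_server macsec-auth {
    type           = auth
    virtual_server = macsec-inner
}
home_server_pool macsec-pool {
    type        = fail-over
    home_server = macsec-auth
}
realm macsec {
    auth_pool = macsec-pool
}

# sites-available/default, authorize section: wired (MACsec) requests are sent
# to the separate virtual server, which can carry its own eap/CUI settings;
# wireless requests continue through this server unchanged.
authorize {
    preprocess
    if (NAS-Port-Type == Ethernet) {
        update control {
            Proxy-To-Realm := "macsec"
        }
    }
    eap
}
```

Run `radiusd -X` after the change and check the debug output for the `outer.reply` update and for `Proxy-To-Realm` being set only on Ethernet requests.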

