Hello everyone,

I'm trying to configure MACsec (per http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.pdf ) in a test lab using a Cisco supplicant & switch and FreeRADIUS 2.1.12.

Cisco docs say: "The CAK is delivered in the RADIUS vendor-specific attributes 
(VSAs) MS-MPPE-Send-Key and MS-MPPE-Recv-Key." "...authentication server sends 
an EAP key identifier that is derived from the EAP exchange and is delivered to 
the authenticator in the EAP Key-Name attribute of the Access-Accept message."

With successful EAP-TLS authentication the Access-Accept message sent from 
FreeRADIUS looks like this:
Sending Access-Accept of id 37 to 10.20.64.9 port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "123"
        MS-MPPE-Recv-Key = 0x84e5c624c3bcdeadca3c6210f24bd7b8336921ccc1c58399d397afc75770332c
        MS-MPPE-Send-Key = 0xa6c4860cc8092c251502f5adc3ee13586e05fe84cbbb8b6793b08d9523d12b1f
        EAP-Message = 0x03640004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "user1"

What should be configured for RADIUS to also send the EAP-Key-Name AVP?

Kind regards,
Matija Levec



