I have successfully tested MACsec with the Cisco ACS 5.3.0.40 and EAP-FAST as EAP method. The EAP-Key-Name sent by the ACS is constructed like this:
RFC 4851, section 3.5, EAP-FAST Session Identifier:

    The EAP session identifier is constructed using the random values
    provided by the peer and server during the TLS tunnel establishment.
    The Session-Id is defined as follows:

      Session-Id = 0x2B || client_random || server_random

      client_random = 32 byte nonce generated by the peer
      server_random = 32 byte nonce generated by the server

Quoted from the Cisco MACsec Deployment Guide:

    The switch has no visibility into the details of the EAP session
    between the supplicant and the authentication server, so it cannot
    derive the MSK or the CAK directly. Instead, the switch receives the
    CAK from the authentication server in the Access-Accept message at
    the end of the IEEE 802.1X authentication. The CAK is delivered in
    the RADIUS vendor-specific attributes (VSAs) MS-MPPE-Send-Key and
    MS-MPPE-Recv-Key. Along with the CAK, the authentication server sends
    an EAP key identifier that is derived from the EAP exchange and is
    delivered to the authenticator in the EAP Key-Name attribute of the
    Access-Accept message.

    Note: MACsec is similar to IEEE 802.11i. If you are familiar with the
    wireless encryption mechanisms defined in IEEE 802.11i, you will
    notice similarities with MACsec. In IEEE 802.11i, the MSK derived
    from EAP is used to generate a pairwise master key (PMK) on the
    supplicant and the authentication server. The authentication server
    transmits the PMK to the authenticator through the Microsoft
    Point-to-Point Encryption (MPPE) VSAs. Thus, the PMK is the wireless
    analogue of the CAK. However, the use of the EAP Key-Name value is
    unique to MACsec.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Configuring-freeradius-for-MACsec-tp5508545p5682672.html
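The Session-Id construction quoted above, as an added example that is not part of the post: it builds the EAP-FAST Session-Id from the two TLS randoms, validates one received as EAP-Key-Name, and wraps it in a RADIUS EAP-Key-Name attribute (type 102, RFC 4072). The sample randoms are constructed here, not captured from a real exchange.

```python
import os
import struct

EAP_FAST_TYPE = 0x2B          # EAP method type for EAP-FAST, leading byte of Session-Id
RADIUS_ATTR_EAP_KEY_NAME = 102  # RADIUS attribute number for EAP-Key-Name (RFC 4072)
SESSION_ID_LEN = 1 + 32 + 32  # type byte || client_random || server_random


def eap_fast_session_id(client_random: bytes, server_random: bytes) -> bytes:
    """Session-Id = 0x2B || client_random || server_random (RFC 4851 3.5)."""
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("TLS client_random and server_random must be 32 bytes each")
    return bytes([EAP_FAST_TYPE]) + client_random + server_random


def parse_eap_fast_session_id(session_id: bytes) -> tuple[bytes, bytes]:
    """Check a received EAP-Key-Name value and split it into the two TLS randoms.

    An authenticator should reject a Key-Name of the wrong length or method
    type rather than silently keying the MKA CAK from garbage."""
    if len(session_id) != SESSION_ID_LEN:
        raise ValueError(f"EAP-FAST Session-Id must be {SESSION_ID_LEN} bytes")
    if session_id[0] != EAP_FAST_TYPE:
        raise ValueError("Session-Id does not carry the EAP-FAST type byte 0x2B")
    return session_id[1:33], session_id[33:]


def encode_eap_key_name_avp(session_id: bytes) -> bytes:
    """RADIUS attribute: Type(1) | Length(1, includes header) | Value."""
    if len(session_id) > 253:
        raise ValueError("RADIUS attribute value cannot exceed 253 bytes")
    return struct.pack("!BB", RADIUS_ATTR_EAP_KEY_NAME, 2 + len(session_id)) + session_id


def decode_eap_key_name_avp(avp: bytes) -> bytes:
    """Return the Session-Id carried in an EAP-Key-Name attribute."""
    attr_type, length = struct.unpack("!BB", avp[:2])
    if attr_type != RADIUS_ATTR_EAP_KEY_NAME or length != len(avp) or length < 3:
        raise ValueError("not a well-formed EAP-Key-Name attribute")
    return avp[2:length]


# Constructed sample randoms (not from a real TLS handshake).
CLIENT_RANDOM = bytes(range(0x00, 0x20))
SERVER_RANDOM = bytes(range(0xA0, 0xC0))

if __name__ == "__main__":
    sid = eap_fast_session_id(CLIENT_RANDOM, SERVER_RANDOM)
    avp = encode_eap_key_name_avp(sid)
    print("EAP-Key-Name:", decode_eap_key_name_avp(avp).hex())
```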