Alan,

The EAP key identifier must be sent as part of the Access-Accept message in the EAP 
Key-Name AVP (RADIUS Attribute Type 102).

This is what the Cisco documentation states:

"The switch has no visibility into the details of the EAP session between the 
supplicant and the authentication server, so it cannot derive the MSK or the 
CAK directly. Instead, the switch receives the CAK from the authentication 
server in the Access-Accept message at the end of the IEEE 802.1X 
authentication. The CAK is delivered in the RADIUS vendor-specific attributes 
(VSAs) MS-MPPE-Send-Key and MS-MPPE-Recv-Key. Along with the CAK, the 
authentication server sends an EAP key identifier that is derived from the EAP 
exchange and is delivered to the authenticator in the EAP Key-Name attribute of 
the Access-Accept message."

From 802.1X:
The EAP Session-Id for EAP-TLS is specified in IETF RFC 5216 and IETF RFC 5247 
and IETF RFC 4072 define the RADIUS EAP-Key-Name Attribute (Type 102) used to 
convey the EAP Session-Id

And from RFC5216:
Session-Id   = 0x0D || client.random || server.random
client.random     = Nonce generated by the TLS client.
server.random     = Nonce generated by the TLS server.

So, we need to send the Session-Id value as the EAP Key-Name AVP (RADIUS Attribute Type 
102) as part of the Access-Accept message.

Hope this is what you are expecting.


Thanks,
Srinivas B
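To make the above concrete, here is an added illustration (not code from this thread, from FreeRADIUS, or from Cisco) of the two pieces Srinivas is describing: building the EAP-TLS Session-Id from RFC 5216 (0x0D || client.random || server.random) and carrying it in a RADIUS EAP-Key-Name attribute (Type 102) using the standard Type/Length/Value layout. The random values used below are constructed sample bytes, not captured from any TLS handshake; the function names are my own. It also shows the check an authenticator should apply before trusting the received value, since the switch cannot derive the Session-Id itself and relies entirely on what the server sends.

```python
"""EAP-TLS Session-Id and RADIUS EAP-Key-Name (Type 102) encoding/decoding.

Added example; assumptions:
  - client.random / server.random are the 32-byte TLS Random values (RFC 5246).
  - Session-Id = 0x0D || client.random || server.random (RFC 5216 section 2.3).
  - EAP-Key-Name is RADIUS attribute Type 102 with the usual TLV layout.
"""

EAP_KEY_NAME_ATTR_TYPE = 102   # RADIUS attribute type for EAP-Key-Name
EAP_TLS_METHOD_TYPE = 0x0D     # EAP method type 13 = EAP-TLS
TLS_RANDOM_LEN = 32            # TLS Random is 32 bytes
EAP_TLS_SESSION_ID_LEN = 1 + 2 * TLS_RANDOM_LEN  # 65 bytes


def eap_tls_session_id(client_random: bytes, server_random: bytes) -> bytes:
    """Derive the EAP-TLS Session-Id exactly as RFC 5216 specifies."""
    if len(client_random) != TLS_RANDOM_LEN or len(server_random) != TLS_RANDOM_LEN:
        raise ValueError("client.random and server.random must be 32 bytes each")
    return bytes([EAP_TLS_METHOD_TYPE]) + client_random + server_random


def encode_radius_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type (1 byte), Length (1 byte, covers
    the whole attribute), Value. Length is capped at 255 by the format."""
    length = 2 + len(value)
    if not 0 <= attr_type <= 255 or length > 255:
        raise ValueError("attribute does not fit RADIUS TLV limits")
    return bytes([attr_type, length]) + value


def encode_eap_key_name(session_id: bytes) -> bytes:
    """Wrap a Session-Id in an EAP-Key-Name attribute for an Access-Accept."""
    return encode_radius_attribute(EAP_KEY_NAME_ATTR_TYPE, session_id)


def decode_radius_attributes(data: bytes) -> list:
    """Parse a run of RADIUS attributes into (type, value) pairs.

    Rejects truncated headers and lengths that run past the buffer, so a
    malformed attribute cannot make the parser read out of bounds."""
    attrs = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("invalid attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def extract_eap_key_name(data: bytes):
    """Return the EAP-Key-Name value from an attribute run, or None if absent."""
    for attr_type, value in decode_radius_attributes(data):
        if attr_type == EAP_KEY_NAME_ATTR_TYPE:
            return value
    return None


def is_valid_eap_tls_session_id(session_id: bytes) -> bool:
    """Authenticator-side sanity check: an EAP-TLS Session-Id is exactly
    65 bytes and starts with the EAP-TLS method type byte."""
    return (len(session_id) == EAP_TLS_SESSION_ID_LEN
            and session_id[0] == EAP_TLS_METHOD_TYPE)


if __name__ == "__main__":
    # Constructed sample randoms (stand-ins for real TLS handshake values).
    client_random = bytes(range(0, 32))
    server_random = bytes(range(32, 64))
    sid = eap_tls_session_id(client_random, server_random)
    attr = encode_eap_key_name(sid)
    print("Session-Id:", sid.hex())
    print("EAP-Key-Name attribute:", attr.hex())
    print("valid on receive:", is_valid_eap_tls_session_id(extract_eap_key_name(attr)))
```

The authenticator check matters because the switch, as the Cisco text says, has no visibility into the TLS exchange: it should at least confirm the received key name has the shape RFC 5216 mandates before using it as the CKN for the MKA session.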



-----Original Message-----
From: freeradius-users-bounces+sbandari=vitesse....@lists.freeradius.org 
[mailto:freeradius-users-bounces+sbandari=vitesse....@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: 13 February 2013 19:27
To: FreeRadius users mailing list
Subject: Re: AVP EAP-KEY name support in FR

Srinu Bandari wrote:
> We are trying to bring up MACsec with Cisco and FR, and we are stuck
> because of Radius unable to send EAP-Key-Name AVP. Below is what is
> expected as per RFC4072

  Which, as you'll note, is a Diameter spec.  FreeRADIUS doesn't implement 
Diameter.

  If you can get us a spec saying how to implement EAP-Key-Name, we can do it.  
Or, send a patch.

  Until then, it's a mystery.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html