Re: Configuring freeradius for MACsec
I have successfully tested MACsec with the Cisco ACS 5.3.0.40 and EAP-FAST as EAP method. The EAP-Key-Name sent by the ACS is constructed like this:

RFC 4851, section 3.5, EAP-FAST Session Identifier:

> The EAP session identifier is constructed using the random values provided by the peer and server during the TLS tunnel establishment. The Session-Id is defined as follows:
>
>     Session-Id = 0x2B || client_random || server_random
>
>     client_random = 32 byte nonce generated by the peer
>     server_random = 32 byte nonce generated by the server

Quoted from the Cisco MACsec Deployment Guide:

> The switch has no visibility into the details of the EAP session between the supplicant and the authentication server, so it cannot derive the MSK or the CAK directly. Instead, the switch receives the CAK from the authentication server in the Access-Accept message at the end of the IEEE 802.1X authentication. The CAK is delivered in the RADIUS vendor-specific attributes (VSAs) MS-MPPE-Send-Key and MS-MPPE-Recv-Key. Along with the CAK, the authentication server sends an EAP key identifier that is derived from the EAP exchange and is delivered to the authenticator in the EAP Key-Name attribute of the Access-Accept message.
>
> Note: MACsec is similar to IEEE 802.11i. If you are familiar with the wireless encryption mechanisms defined in IEEE 802.11i, you will notice similarities with MACsec. In IEEE 802.11i, the MSK derived from EAP is used to generate a pairwise master key (PMK) on the supplicant and the authentication server. The authentication server transmits the PMK to the authenticator through the Microsoft Point-to-Point Encryption (MPPE) VSAs. Thus, the PMK is the wireless analogue of the CAK. However, the use of the EAP Key-Name value is unique to MACsec.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Configuring freeradius for MACsec
Iirc, Cisco macsec/trustsec is implemented with EAP-FASTv2. Their cute way of tying you into Cisco ACS 5 or ISE.

alan
Re: Configuring freeradius for MACsec
On 24.2.2012 at 8:38, in message 4f473e78.2070...@deployingradius.com, Alan DeKok al...@deployingradius.com wrote:

> Matija Levec wrote:
> > What should be configured for radius to also send EAP-Key-Name AVP?
>
> Nothing. RFC 4072 says:
>
> The EAP-Key-Name AVP (Radius Attribute Type 102) is of type OctetString. It contains an opaque key identifier (name) generated by the EAP method. Exactly how this name is used depends on the link layer in question, and is beyond the scope of this document (see [EAPKey] for more discussion). Note that not all link layers use this name, and currently most EAP methods do not generate it.
>
> TTLS doesn't generate it. My guess is that Cisco has invented something themselves which defines EAP-Key-Name. Find out what that is, and we can implement it in FreeRADIUS.
>
> Alan DeKok.

That is very likely the case. :(

I'll try to get ACS 5.x and get any useful info out of it - not being very optimistic though.

I'd like to thank everyone for their comments.

Kind regards,
Matija Levec
Re: Configuring freeradius for MACsec
On 2012/02/24 09:38 AM, Alan DeKok wrote:

> TTLS doesn't generate it. My guess is that Cisco has invented something themselves which defines EAP-Key-Name. Find out what that is, and we can implement it in FreeRADIUS.

This?

http://tools.ietf.org/html/draft-aboba-radext-wlan-15

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Re: Configuring freeradius for MACsec
Alan Buxey wrote:

> Iirc, Cisco macsec/trustsec is implemented with EAP-FASTv2. Their cute way of tying you into Cisco ACS 5 or ISE

Ah. I have some code for EAP-FAST. I might take a look at it.

The reason it hasn't been integrated is that the vendor who wrote it did it as pretty much a hack. They duplicated much of the TLS code from EAP-TLS, instead of re-using it as with PEAP and TTLS. Out of general principle, that needs to be fixed before it's integrated. Duplicate code increases bugs and maintenance costs.

If anyone is interested in fixing it, I can put the code on github. It's probably not that hard to fix it, it just takes time I don't have.

Alan DeKok.
Re: Configuring freeradius for MACsec
On 02/24/2012 07:38 AM, Alan DeKok wrote:

> TTLS doesn't generate it. My guess is that Cisco has invented something themselves which defines EAP-Key-Name. Find out what that is, and we can implement it in FreeRADIUS.

FWIW, a bit more digging shows section 1.4.1 of RFC 5247 is relevant, saying that:

    EAP-Key-Name = eap type || eap session id

...and appendix A lists Peer-Id, Server-Id and Session-Id values for existing methods. Sadly, since neither PEAP nor TTLS were ever standardised, it skips those :o(

RFC 5216 suggests that EAP-TLS, and possibly all TLS-based methods in the absence of an alternative, might define EAP-Key-Name as:

    eap type || 0x0d || tls client random || tls server random

But it's all very unclear, and I'm struggling to see what the point is; what is all this crud for?
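As a worked example added here (not code from the thread, from FreeRADIUS, or from Cisco), the following Python builds and parses the two Session-Id shapes quoted in this thread: 0x2B || client_random || server_random for EAP-FAST (RFC 4851 section 3.5, the value the ACS was reported to send as EAP-Key-Name earlier in the thread) and the 0x0D-prefixed EAP-TLS form from RFC 5216, and then wraps the result as RADIUS attribute 102, the number given in the RFC 4072 quote. The 32-byte TLS randoms are constructed byte patterns, not captured from a handshake; the attribute encoder is a plain RADIUS Type/Length/Value and assumes nothing about FreeRADIUS internals.

```python
"""Build and parse the EAP Session-Id / EAP-Key-Name value discussed in this thread.

Assumed constructions (from the RFC text quoted in the thread):
  EAP-FAST (RFC 4851 s3.5): Session-Id = 0x2B || client_random || server_random
  EAP-TLS  (RFC 5216):      Session-Id = 0x0D || client.random || server.random
The RADIUS attribute number 102 for EAP-Key-Name is taken from the RFC 4072 text
quoted in the thread. The sample randoms below are constructed, not captured.
"""
from __future__ import annotations

from dataclasses import dataclass

EAP_TYPE_TLS = 0x0D
EAP_TYPE_FAST = 0x2B
RADIUS_ATTR_EAP_KEY_NAME = 102
TLS_RANDOM_LEN = 32
RADIUS_ATTR_MAX_VALUE = 253  # 255-byte attribute minus the 2-byte Type/Length header

METHOD_NAMES = {EAP_TYPE_TLS: "EAP-TLS", EAP_TYPE_FAST: "EAP-FAST"}


@dataclass(frozen=True)
class SessionId:
    eap_type: int
    client_random: bytes
    server_random: bytes

    @property
    def method(self) -> str:
        return METHOD_NAMES[self.eap_type]


def build_session_id(eap_type: int, client_random: bytes, server_random: bytes) -> bytes:
    """type byte || client_random || server_random, with the lengths RFC 4851/5216 require."""
    if eap_type not in METHOD_NAMES:
        raise ValueError(f"no Session-Id construction known for EAP type {eap_type:#04x}")
    for name, rnd in (("client_random", client_random), ("server_random", server_random)):
        if len(rnd) != TLS_RANDOM_LEN:
            raise ValueError(f"{name} must be {TLS_RANDOM_LEN} bytes, got {len(rnd)}")
    return bytes([eap_type]) + client_random + server_random


def parse_session_id(blob: bytes) -> SessionId:
    """Inverse of build_session_id; rejects unknown type bytes and wrong lengths."""
    expected = 1 + 2 * TLS_RANDOM_LEN
    if len(blob) != expected:
        raise ValueError(f"Session-Id must be {expected} bytes, got {len(blob)}")
    eap_type = blob[0]
    if eap_type not in METHOD_NAMES:
        raise ValueError(f"unknown EAP type byte {eap_type:#04x}")
    return SessionId(eap_type, blob[1:1 + TLS_RANDOM_LEN], blob[1 + TLS_RANDOM_LEN:])


def encode_radius_attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type (1 byte) | Length (1 byte, counts the header) | Value."""
    if not 0 < len(value) <= RADIUS_ATTR_MAX_VALUE:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def decode_radius_attribute(data: bytes) -> tuple[int, bytes, bytes]:
    """Return (type, value, remaining bytes) for the first attribute in data."""
    if len(data) < 2:
        raise ValueError("truncated attribute header")
    attr_type, length = data[0], data[1]
    if length < 2 or length > len(data):
        raise ValueError("attribute length field is inconsistent with the data")
    return attr_type, data[2:length], data[length:]


def constructed_randoms() -> tuple[bytes, bytes]:
    """Deterministic stand-ins for the TLS randoms (constructed, not from a real handshake)."""
    return bytes(range(0, 32)), bytes(range(32, 64))


def eap_key_name_attribute(eap_type: int) -> bytes:
    """EAP-Key-Name (RADIUS attribute 102) carrying the Session-Id for the given method."""
    client_random, server_random = constructed_randoms()
    return encode_radius_attribute(RADIUS_ATTR_EAP_KEY_NAME,
                                   build_session_id(eap_type, client_random, server_random))


if __name__ == "__main__":
    for eap_type in (EAP_TYPE_FAST, EAP_TYPE_TLS):
        attr = eap_key_name_attribute(eap_type)
        attr_type, value, _rest = decode_radius_attribute(attr)
        parsed = parse_session_id(value)
        print(f"{parsed.method}: attribute {attr_type}, {len(attr)} bytes on the wire, "
              f"Session-Id = {value.hex()}")
```

The length checks are the part worth keeping: a Session-Id of anything other than 65 bytes, or with a type byte the server does not know how to construct, should be rejected rather than forwarded, since the authenticator uses this value only to match keys and cannot validate it itself.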
Configuring freeradius for MACsec
Hello everyone,

I'm trying to configure MACsec (per http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.pdf ) in a test lab using a Cisco supplicant switch and freeradius 2.1.12.

Cisco docs say:

> The CAK is delivered in the RADIUS vendor-specific attributes (VSAs) MS-MPPE-Send-Key and MS-MPPE-Recv-Key.
>
> ...authentication server sends an EAP key identifier that is derived from the EAP exchange and is delivered to the authenticator in the EAP Key-Name attribute of the Access-Accept message.

With successful EAP-TLS authentication the Access-Accept message sent from freeradius looks like this:

    Sending Access-Accept of id 37 to 10.20.64.9 port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 123
        MS-MPPE-Recv-Key = 0x84e5c624c3bcdeadca3c6210f24bd7b8336921ccc1c58399d397afc75770332c
        MS-MPPE-Send-Key = 0xa6c4860cc8092c251502f5adc3ee13586e05fe84cbbb8b6793b08d9523d12b1f
        EAP-Message = 0x03640004
        Message-Authenticator = 0x
        User-Name = user1

What should be configured for radius to also send EAP-Key-Name AVP?

Kind regards,
Matija Levec
Re: Configuring freeradius for MACsec
On 23/02/12 16:26, Matija Levec wrote:

> What should be configured for radius to also send EAP-Key-Name AVP?

AFAIK that is not implemented yet.

I've only skimmed them, but AFAIK most AAA servers and EAP methods don't generate EAP-Key-Name yet. I'm not sure what the correct value for this attribute would even *be*. Do you know?
Re: Configuring freeradius for MACsec
Frankly I have no idea. If I understand correctly EAP-Key-Name / MSK value should be generated somewhere along the EAP process when using EAP-TLS or PEAP... I'm also aware that there are very few radius servers that already support that. I was only hoping that FR is one of them. ;)

Kind regards,
Matija Levec

Phil Mayers 02/23/12 6:48 PM

> On 23/02/12 16:26, Matija Levec wrote:
> > What should be configured for radius to also send EAP-Key-Name AVP?
>
> AFAIK that is not implemented yet.
>
> I've only skimmed them, but AFAIK most AAA servers and EAP methods don't generate EAP-Key-Name yet. I'm not sure what the correct value for this attribute would even *be*. Do you know?
Re: Configuring freeradius for MACsec
Matija Levec wrote:

> What should be configured for radius to also send EAP-Key-Name AVP?

Nothing. RFC 4072 says:

> The EAP-Key-Name AVP (Radius Attribute Type 102) is of type OctetString. It contains an opaque key identifier (name) generated by the EAP method. Exactly how this name is used depends on the link layer in question, and is beyond the scope of this document (see [EAPKey] for more discussion). Note that not all link layers use this name, and currently most EAP methods do not generate it.

TTLS doesn't generate it. My guess is that Cisco has invented something themselves which defines EAP-Key-Name. Find out what that is, and we can implement it in FreeRADIUS.

Alan DeKok.