Re: Configuring freeradius for MACsec

2012-05-03 Thread desweil
://freeradius.1045715.n5.nabble.com/Configuring-freeradius-for-MACsec-tp5508545p5682672.html

Re: Configuring freeradius for MACsec

2012-02-24 Thread Alan Buxey
Iirc, Cisco macsec/trustsec is implemented with EAP-FASTv2. Their cute way of tying you into Cisco ACS 5 or ISE
alan

Re: Configuring freeradius for MACsec

2012-02-24 Thread Matija Levec
On 24.2.2012 at 8:38, in message 4f473e78.2070...@deployingradius.com, Alan DeKok al...@deployingradius.com wrote:
> Matija Levec wrote:
>> What should be configured for radius to also send EAP-Key-Name AVP?
> Nothing. RFC 4072 says:
> The EAP-Key-Name AVP (Radius Attribute Type 102)

Re: Configuring freeradius for MACsec

2012-02-24 Thread Johan Meiring
On 2012/02/24 09:38 AM, Alan DeKok wrote:
> TTLS doesn't generate it. My guess is that Cisco has invented something themselves which defines EAP-Key-Name. Find out what that is, and we can implement it in FreeRADIUS.
This? http://tools.ietf.org/html/draft-aboba-radext-wlan-15
--

Re: Configuring freeradius for MACsec

2012-02-24 Thread Alan DeKok
Alan Buxey wrote:
> Iirc, Cisco macsec/trustsec is implemented with EAP-FASTv2. Their cute way of tying you into Cisco ACS 5 or ISE
Ah. I have some code for EAP-FAST. I might take a look at it. The reason it hasn't been integrated is that the vendor who wrote it did it as pretty much a

Re: Configuring freeradius for MACsec

2012-02-24 Thread Phil Mayers
On 02/24/2012 07:38 AM, Alan DeKok wrote:
> TTLS doesn't generate it. My guess is that Cisco has invented something themselves which defines EAP-Key-Name. Find out what that is, and we can implement it in FreeRADIUS.
FWIW, a bit more digging shows section 1.4.1 of RFC 5247 is relevant,

Configuring freeradius for MACsec

2012-02-23 Thread Matija Levec
Hello everyone, I'm trying to configure MACsec (per http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.pdf ) in a test lab using cisco supplicant switch and freeradius 2.1.12. Cisco docs say: The CAK is delivered in the RADIUS vendor-specific

Re: Configuring freeradius for MACsec

2012-02-23 Thread Phil Mayers
On 23/02/12 16:26, Matija Levec wrote:
> What should be configured for radius to also send EAP-Key-Name AVP?
AFAIK that is not implemented yet. I've only skimmed them, but AFAIK most AAA servers and EAP methods don't generate EAP-Key-Name yet. I'm not sure what the correct value for this

Re: Configuring freeradius for MACsec

2012-02-23 Thread Matija Levec
Frankly, I have no idea. If I understand correctly, the EAP-Key-Name / MSK value should be generated somewhere along the EAP process when using EAP-TLS or PEAP... I'm also aware that there are very few RADIUS servers that already support that. I was only hoping that FR is one of them. ;)
Kind regards,

Re: Configuring freeradius for MACsec

2012-02-23 Thread Alan DeKok
Matija Levec wrote:
> What should be configured for radius to also send EAP-Key-Name AVP?
Nothing. RFC 4072 says:
The EAP-Key-Name AVP (Radius Attribute Type 102) is of type OctetString. It contains an opaque key identifier (name) generated by the EAP method. Exactly how this name