[RADIATOR] MacSec (802.1AE) possible with Radiator?
Andreas Bader
Andreas.Bader at rus.uni-stuttgart.de
Fri Feb 24 11:08:15 CST 2012
Sorry, the mail got scrubbed ... here it is again in plain text:
---------------------
Hi,
I am actually trying to get a testbed ready for Cisco MACsec with
Radiator as the RADIUS server, but I don't know if this is even possible.
Does Radiator have the needed features? (see links below)
Has anyone tried that already? (I didn't find anything on Google or on
the mailing list about Radiator and MACsec.)
The main problem is that Cisco uses some new EAP arguments for MACsec
and these seem to require EAP-FAST and EAP-FASTv2.
When you try first without any special config, you will get something
like "Zero length EAP Session ID" from MKA.
It seems that MACsec needs some attributes like MS-MPPE-Send-Key,
MS-MPPE-Recv-Key and EAP-Key-Name. If you define those with some values,
the error changes to:
*Mar 1 02:06:56.704: MKA-EVENT: MKPDU Validation - CA entry was NOT
found for Rx CKN xxxx xxxx xxxx xxxx.
*Mar 1 02:10:07.906: MKA-EVENT: MKPDU Validation failed (error:
INVALID_PARAM).
The problem is that the CKN (some kind of key) is generated from the
EAP Session ID, EAP-Key-Name, etc. But these values are normally
calculated by the EAP functions, so I don't know how to specify them
myself. The problem is that the CKN is wrong; there are no problems with
the certs (they are correctly imported on the client machine, etc.).
Everything works with 802.1x without MacSec (802.1AE)!
Here is the actual testbed:
We have 1 x Cisco 3750-X and 1 x Cisco 3750.
There we have basically two machines plugged in: an Ubuntu 11.10 machine,
which is the DHCP, BIND and RADIUS server (Radiator).
(Kernel is 3.0.0.15-generic, Ubuntu 11.10). Radiator version is 4.9.
The other machine is the "client", plugged into the 3750-X, with Windows 7
Professional N and Cisco AnyConnect Secure Mobility Client 3.0.5080.
I also tried FreeRADIUS, but it cannot really do EAP-FAST, so it does
not even work when you define some EAP-Key-Name value. (You don't get
further than the "zero length session id" error mentioned above.)
I have posted some links below for more information. I don't know if I am
allowed to post links to Cisco and FreeRADIUS on the mailing list here;
sorry, if it is not allowed, please delete the links.
Hopefully somebody knows the right settings for getting this to work. If
not, is it planned to be implemented in future versions of Radiator?
Some of my configs, mainly standard configs:
/etc/radiator/users:
[...]
testuser User-Password = "xxx"
	MS-MPPE-Send-Key = "xxx",
	MS-MPPE-Recv-Key = "xxx",
	EAP-Key-Name = "xxx"
[...]
/etc/radiator/radius.cfg
[...]
<Client 192.168.0.2>
	Secret xxx
	NasType Cisco
</Client>
<Client 192.168.0.3>
	Secret xxx
	NasType Cisco
</Client>
[...]
<Handler TunnelledByPEAP=1>
	RewriteUsername s/(.*)\\(.*)/$2/
	<AuthBy FILE>
		Filename %D/users
		EAPType MSCHAP-V2,TTLS,TLS,MD5-Challenge,Generic-Token
		EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
		EAPTLS_CertificateFile %D/certificates/cert-srv.pem
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
		EAPTLS_PrivateKeyPassword whatever
		EAPTLS_MaxFragmentSize 500
	</AuthBy>
</Handler>
<Handler TunnelledByTTLS=1>
	<AuthBy FILE>
		Filename %D/users
		EAPType MSCHAP-V2,MD5,TLS
		EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
		EAPTLS_CertificateFile %D/certificates/cert-srv.pem
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
		EAPTLS_PrivateKeyPassword whatever
	</AuthBy>
</Handler>
<Handler TunnelledByFAST=1>
	<AuthBy FILE>
		Filename %D/users
		EAPType MSCHAP-V2,Generic-Token
		AutoMPPEKeys
	</AuthBy>
</Handler>
<Handler>
	<AuthBy FILE>
		Filename %D/users
		EAPType FAST,MSCHAP-V2,TTLS,TLS
		EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
		EAPTLS_CertificateFile %D/certificates/cert-srv.pem
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
		EAPTLS_PrivateKeyPassword whatever
		EAPTLS_MaxFragmentSize 1000
		AutoMPPEKeys
		EAPTLS_PEAPVersion 0
		EAPTLS_PEAPBrokenV1Label
		EAPTLS_DHFile %D/certificates/dh2048.pem
	</AuthBy>
	PreProcessingHook file:"/etc/radiator/goodies/eap_anon_hook.pl"
	PostAuthHook file:"/etc/radiator/goodies/eap_anon_hook.pl"
	AcctLogFileName %D/detail
</Handler>
[...]
xxxx is always some self-chosen string containing numbers and characters.
Links for more information:
http://freeradius.1045715.n5.nabble.com/Configuring-freeradius-for-MACsec-td5508545.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1316521
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.html
Best Regards