[RADIATOR] A few questions regarding MacSec

Heikki Vatiainen hvn at open.com.au
Thu Apr 14 01:52:02 CDT 2016

On 14.04.2016 00:54, Nadav Hod wrote:

> 1) Is it possible to implement MacSec with compatible Cisco switches and
> supplicants (such as AnyConnect) using Radiator, but without Cisco
> ISE/ACS? Is any other software necessary?

MacSec from the RADIUS server perspective requires just calculating the 
EAP-Key-Name when EAP-Key-Name with value of 0x00 (or empty value) is 
received in the Access-Request.

For this reason I don't think any other software is necessary on the 
Radiator side.

> 2) Does Microsoft NPS 2008/2012 also support MacSec without an ISE/ACS
> server? If not do you know why it can't authenticate a supplicant? Is
> there documentation of this?

That I do not know. I think the MS documentation for NPS will tell if it 
supports MacSec.

> 3) Where can I find an example of MacSec configuration for Radiator?

There's nothing to configure with Radiator. When the EAP-Key-Name is 
present, as described above, Radiator will calculate and reply with 
EAP-Key-Name in Access-Accept.


Heikki Vatiainen
hvn at open.com.au

More information about the radiator mailing list