[RADIATOR] A few questions regarding MacSec

Nadav Hod nadav.hod at comm-it.co.il
Fri Apr 15 09:27:34 CDT 2016

Thanks for the quick reply Heikki.

Does Radiator support Macsec for switch-host and switch-switch links? The two connection types are quite different.
There is a great explanation of how Macsec works and what information is exchanged here:


As you can see, there is more than just the Eap-key-name avpair being returned and calculated. However that's what Radiator documentation specified as supported.

From: radiator-bounces at open.com.au [radiator-bounces at open.com.au] on behalf of Heikki Vatiainen [hvn at open.com.au]
Sent: Thursday, April 14, 2016 9:52 AM
To: radiator at open.com.au
Subject: Re: [RADIATOR] A few questions regarding MacSec

On 14.04.2016 00:54, Nadav Hod wrote:

> 1) Is it possible to implement MacSec with compatible Cisco switches and
> supplicants (such as AnyConnect) using Radiator, but without Cisco
> ISE/ACS? Is any other software necessary?

MacSec from the RADIUS server perspective requires just calculating the
EAP-Key-Name when EAP-Key-Name with value of 0x00 (or empty value) is
received in the Access-Request.

For this reason I don't think any other software is necessary on the
Radiator side.

> 2) Does Microsoft NPS 2008/2012 also support MacSec without an ISE/ACS
> server? If not do you know why it can't authenticate a supplicant? Is
> there documentation of this?

That I do not know. I think the MS documentation for NPS will tell if it
supports MacSec.

> 3) Where can I find an example of MacSec configuration for Radiator?

There's nothing to configure with Radiator. When the EAP-Key-Name is
present, as described above, Radiator will calculate and reply with
EAP-Key-Name in Access-Accept.


Heikki Vatiainen
hvn at open.com.au
radiator mailing list
radiator at open.com.au

More information about the radiator mailing list