[RADIATOR] A few questions regarding MacSec

Heikki Vatiainen hvn at open.com.au
Sat Apr 16 18:54:54 CDT 2016

On 16.04.2016 00:27, Nadav Hod wrote:

> Does Radiator support Macsec for switch-host and switch-switch links?
> The two connection types are quite different. There is a great
> explanation of how Macsec works and what information is exchanged
> here:
> https://clnv.s3.amazonaws.com/2015/usa/pdf/BRKCRS-2892.pdf
> As you can see, there is more than just the Eap-key-name avpair being
> returned and calculated. However that's what Radiator documentation
> specified as supported.

If you are thinking about the CAK (Connectivity Association Key), it 
will be returned with MS-MPPE-Send-Key and MS-MPPE-Recv-Key quite 
similar to what TLS based EAP methods do too. This is how Radiator already 
works: you will have EAP-Key-Name and the MS-MPPE-* attributes in 
Access-Accept. The doc you referred to seems to say CAK is returned, but 
not how.

See for example Cisco's MacSec deployment guide and section '2.2.2 IEEE 
802.1X and Master Key Distribution'.



Heikki Vatiainen
hvn at open.com.au
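
An added example, not part of the original message and not Radiator code: a check that a captured Access-Accept carries the three keying attributes named in the reply above. The attribute numbers are the standard ones (EAP-Key-Name is type 102 from RFC 4072; MS-MPPE-Send-Key and MS-MPPE-Recv-Key are Microsoft vendor types 16 and 17 from RFC 2548); the function names and sample packets are constructed for illustration.

```python
import struct

ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26
EAP_KEY_NAME = 102                      # RFC 4072
MICROSOFT = 311                         # vendor id used by RFC 2548
MPPE_NAMES = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}
REQUIRED = ["EAP-Key-Name", "MS-MPPE-Send-Key", "MS-MPPE-Recv-Key"]

def key_attributes(packet: bytes) -> dict:
    """Map each keying attribute found in an Access-Accept to its value length."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == EAP_KEY_NAME:
            found["EAP-Key-Name"] = len(value)
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            # Vendor-Specific value: 4-byte vendor id, 1-byte vendor type, 1-byte vendor length
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == MICROSOFT and vtype in MPPE_NAMES and 2 <= vlen <= len(value) - 4:
                found[MPPE_NAMES[vtype]] = vlen - 2
        pos += alen
    return found

def missing_keying(packet: bytes) -> list:
    """List the required keying attributes that the Access-Accept does not carry."""
    found = key_attributes(packet)
    return [name for name in REQUIRED if name not in found]

# Constructed sample packets: zero-filled placeholder values, not real key material.
def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def _mppe(vtype, value):
    return _attr(VENDOR_SPECIFIC, struct.pack("!IBB", MICROSOFT, vtype, len(value) + 2) + value)

def _accept(*attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

FULL = _accept(_attr(EAP_KEY_NAME, bytes(65)), _mppe(16, bytes(50)), _mppe(17, bytes(50)))
NO_KEY_NAME = _accept(_mppe(16, bytes(50)), _mppe(17, bytes(50)))

if __name__ == "__main__":
    print(missing_keying(FULL), missing_keying(NO_KEY_NAME))
```

The MS-MPPE-* values are encrypted with the RADIUS shared secret, so this check confirms presence and length only, not the key itself.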
