[RADIATOR] A few questions regarding MacSec
Heikki Vatiainen
hvn at open.com.au
Sat Apr 16 18:54:54 CDT 2016
On 16.04.2016 00:27, Nadav Hod wrote:
> Does Radiator support Macsec for switch-host and switch-switch links?
> The two connection types are quite different. There is a great
> explanation of how Macsec works and what information is exchanged
> here:
>
> https://clnv.s3.amazonaws.com/2015/usa/pdf/BRKCRS-2892.pdf
>
> As you can see, there is more than just the Eap-key-name avpair being
> returned and calculated. However that's what Radiator documentation
> specified as supported.

If you are thinking about the CAK (Connectivity Association Key), it
will be returned with MS-MPPE-Send-Key and MS-MPPE-Recv-Key quite
similar to what TLS-based EAP methods do. This is how Radiator already
works: you will have EAP-Key-Name and the MS-MPPE-* attributes in
Access-Accept. The doc you referred to seems to say CAK is returned, but
not how.

See for example Cisco's MacSec deployment guide and section '2.2.2 IEEE
802.1X and Master Key Distribution'
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/deploy_guide_c17-663760.pdf

Thanks,
Heikki
--
Heikki Vatiainen
hvn at open.com.au
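
An added example, not part of the original message and not Radiator code: how the key material in MS-MPPE-Send-Key and MS-MPPE-Recv-Key is protected on the wire (RFC 2548, section 2.4.2) and how the switch reassembles the 64-octet MSK from the two attributes. The function names, shared secret and key values are constructed for illustration; the later derivation of the CAK from this material is not shown.

```python
import hashlib

def mppe_encrypt(key, secret, request_auth, salt):
    """Build the String field of an MS-MPPE-Send/Recv-Key (RFC 2548, 2.4.2)."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the top bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)          # pad to a 16-octet multiple
    out, prev = b"", request_auth + salt           # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(plain[i:i + 16], pad))
        out += prev                                # b(i) = MD5(S + c(i-1))
    return salt + out

def mppe_decrypt(field, secret, request_auth):
    """Recover the key from the String field received in Access-Accept."""
    salt, cipher = field[:2], field[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not cipher or len(cipher) % 16:
        raise ValueError("malformed MS-MPPE key attribute")
    plain, prev = b"", request_auth + salt
    for i in range(0, len(cipher), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = cipher[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    key_len = plain[0]
    if key_len > len(plain) - 1:
        raise ValueError("bad key length (wrong secret or authenticator?)")
    return plain[1:1 + key_len]

def msk_from_accept(recv_field, send_field, secret, request_auth):
    """MSK as the NAS sees it: MS-MPPE-Recv-Key || MS-MPPE-Send-Key."""
    return (mppe_decrypt(recv_field, secret, request_auth)
            + mppe_decrypt(send_field, secret, request_auth))

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))                        # Request Authenticator
MSK = hashlib.sha512(b"constructed MSK").digest()  # 64 octets
RECV = mppe_encrypt(MSK[:32], SECRET, REQ_AUTH, b"\x80\x01")
SEND = mppe_encrypt(MSK[32:], SECRET, REQ_AUTH, b"\x80\x02")

if __name__ == "__main__":
    print(msk_from_accept(RECV, SEND, SECRET, REQ_AUTH).hex())
```

The protection of these attributes rests on MD5 and the RADIUS shared secret, so the strength of that secret and the path between switch and RADIUS server bound the confidentiality of the keys carried in Access-Accept.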