Cisco IE3x00 MACsec and the MACsec Key Agreement Protocol User Guide

June 16, 2024
Cisco

IE3x00 MACsec and the MACsec Key Agreement Protocol

Product Information

Specifications

  • Standard: IEEE 802.1AE
  • Supported Ports: 1 gigabit ethernet downlink ports
  • Encryption: 802.1AE encryption with MACsec Key Agreement
    (MKA)

Product Usage Instructions

Enabling MACsec and MKA

To enable MACsec and MKA on an interface, follow these
steps:

  1. Apply a defined MKA policy to the interface.
  2. Configure the desired options for MKA.

MKA Policies

MKA policies define the behavior of MACsec and MKA on an
interface. You can configure the following options:

  • Single-Host Mode: This mode secures a single EAP authenticated
    session using MACsec and MKA.

MKA Statistics

You can obtain information about the status of MKA sessions and
view MKA statistics. Some important counters and information
include:

  • Total MKA Sessions: The total number of active MKA
    sessions.

  • Secured Sessions: The number of currently secured MKA
    sessions.

  • Pending Sessions: The number of pending MKA sessions.

Example Command Output:

Switch# show mka sessions
Total MKA Sessions....... 1
Secured Sessions... 1
Pending Sessions... 0

Interface   Local-TxSCI   Policy-Name   Inherited   Key-Server   Port-ID   Peer-RxSCI   MACsec-Peers   Status   CKN
Gi1/0/1   204c.9e85.ede4/002b   p2   NO   YES   43   c800.8459.e764/002a   1   Secured   0100000000000000000000000000000000000000000000000000000000000000

MKA Detailed Status

You can obtain detailed status information for a specific MKA
session. The information includes:

  • Status: The current status of the MKA session (e.g.,
    SECURED).

  • Local Tx-SCI: The local Transmit Secure Channel
    Identifier.

  • Interface MAC Address: The MAC address of the interface.

  • MKA Port Identifier: The port identifier for MKA.

  • Audit Session ID: The audit session ID.

  • CAK Name (CKN): The name of the Connectivity Association Key
    (CKN).

  • Member Identifier (MI): The member identifier.

  • Message Number (MN): The message number.

  • EAP Role: The EAP role.

  • Key Server: Indicates whether the device is a key server (YES
    or NO).

  • MKA Cipher Suite: The cipher suite used by MKA.

  • Latest SAK Status: The status of the latest Secure Association
    Key (SAK) for receive and transmit.

  • Latest SAK AN: The latest SAK Association Number.

  • Latest SAK KI (KN): The latest SAK Key Identifier (KN).

  • Old SAK Status: The status of the old SAK.

  • Old SAK AN: The old SAK Association Number.

  • Old SAK KI (KN): The old SAK Key Identifier (KN).

Example Command Output:

Switch#show mka sessions interface G1/0/1 de
MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec
Local Tx-SCI............. 204c.9e85.ede4/002b
Interface MAC Address.... 204c.9e85.ede4
MKA Port Identifier...... 43
Interface Name........... GigabitEthernet1/0/1
Audit Session ID.........
CAK Name (CKN)........... 0100000000000000000000000000000000000000000000000000000000000000
Member Identifier (MI)... D46CBEC05D5D67594543CEAE
Message Number (MN)...... 89567
EAP Role................. NA
Key Server............... YES
MKA Cipher Suite......... AES-128-CMAC
Latest SAK Status........ Rx & Tx
Latest SAK AN............ 0
Latest SAK KI (KN)....... D46CBEC05D5D67594543CEAE00000001 (1)
Old SAK Status........... FIRST-SAK
Old SAK AN............... 0
Old SAK KI (KN).......... FIRST-SAK (0)

FAQ (Frequently Asked Questions)

Q: Which ports support MACsec on the ESS-3300?

A: MACsec is supported on 1 gigabit ethernet downlink ports
only.

Q: What does MKA stand for?

A: MKA stands for MACsec Key Agreement.

Q: How can I enable MACsec and MKA on an interface?

A: To enable MACsec and MKA on an interface, apply a defined MKA
policy to the interface and configure the desired options for
MKA.

Q: What is the purpose of an MKA policy?

A: An MKA policy defines the behavior of MACsec and MKA on an
interface.

Q: How can I view MKA statistics?

A: You can use the “show mka statistics” command to view MKA
statistics, including the total number of MKA sessions, secured
sessions, and pending sessions.

MACsec and the MACsec Key Agreement (MKA) Protocol
This chapter contains the following sections:
· MACsec and the MACsec Key Agreement (MKA) Protocol, on page 1
· Certificate Based MACsec, on page 2
· MKA Policies, on page 2
· Single-Host Mode, on page 2
· MKA Statistics, on page 3
· How to Configure MACsec Encryption, on page 8
MACsec and the MACsec Key Agreement (MKA) Protocol
MACsec is the IEEE 802.1AE standard for authenticating and encrypting packets between two MACsec-capable devices. The switch supports 802.1AE encryption with MACsec Key Agreement (MKA) on downlink ports for encryption between the switch and host devices. The MKA protocol provides the required session keys and manages the required encryption keys.
Important On the ESS-3300, MACsec is supported on 1 gigabit ethernet downlink ports only.
MACsec and MACsec Key Agreement (MKA) are implemented after successful authentication using certificate-based MACsec or Pre Shared Key (PSK) framework. You can control the behavior of unencrypted packets on an interface when MACsec is enabled by using the command macsec access-control {must-secure | should-secure}. When MACsec is enabled on an interface, all interface traffic is secured by default (that is, must-secure is the default setting). The macsec access-control must-secure setting does not allow any unencrypted packets to be transmitted or received from the same physical interface. Traffic is dropped until the MKA session is secured. However, to enable MACsec on selected interfaces, you can choose to allow unencrypted packets to be transmitted or received from the same physical interface by setting macsec access-control to should-secure. This option allows unencrypted traffic to flow until the MKA session is secured. After the MKA session is secured, only encrypted traffic can flow. For configuration details, see Configuring MACsec MKA on an Interface using PSK, on page 15.
MACsec and the MACsec Key Agreement (MKA) Protocol 1

Certificate Based MACsec
The Certificate based MACsec Encryption feature uses 802.1X port-based authentication with Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) to carry certificates for ports where MACsec encryption is required. The EAP-TLS mechanism is used for mutual authentication and to obtain the Master Session Key (MSK), from which the Connectivity Association Key (CAK) is derived for the MACsec Key Agreement (MKA) protocol. This feature allows keys to be managed at a centralized server (CA), which is an advantage over PSK (Pre-Shared Key) based MACsec. Switch-to-switch MACsec is supported. See Configuring Certificate Based MACsec, on page 16 for more information.
Limitations and Restrictions
Certificate based MACsec has these limitations and restrictions:
· Ports should be in access mode or trunk mode.
· MKA is not supported on port-channels.
· High Availability for MKA is not supported.
· Ports with no switchport are not supported.
· ESS3300 uplink ports do not have a PHY and hence do not support MACsec.
MKA Policies
To enable MKA on an interface, a defined MKA policy should be applied to the interface. You can configure these options:
· Policy name, not to exceed 16 ASCII characters.
· Confidentiality (encryption) offset of 0, 30, or 50 bytes for each physical interface.
Single-Host Mode
The figure shows how a single EAP authenticated session is secured by MACsec by using MKA.
Figure 1: MACsec in Single-Host Mode with a Secured Data Session


MKA Statistics

Some MKA counters are aggregated globally, while others are updated both globally and per session. You can also obtain information about the status of MKA sessions.
The following are examples of the show mka sessions, show mka policy, show mka statistics, and show mka summary command output:
Switch# show mka sessions

Total MKA Sessions....... 1
      Secured Sessions... 1
      Pending Sessions... 0

====================================================================================================
Interface   Local-TxSCI           Policy-Name   Inherited   Key-Server   Port-ID   Peer-RxSCI            MACsec-Peers   Status    CKN
====================================================================================================
Gi1/0/1     204c.9e85.ede4/002b   p2            NO          YES          43        c800.8459.e764/002a   1              Secured   0100000000000000000000000000000000000000000000000000000000000000

Switch#show mka sessions interface G1/0/1

Summary of All Currently Active MKA Sessions on Interface GigabitEthernet1/0/1...

====================================================================================================
Interface   Local-TxSCI           Policy-Name   Inherited   Key-Server   Port-ID   Peer-RxSCI            MACsec-Peers   Status    CKN
====================================================================================================
Gi1/0/1     204c.9e85.ede4/002b   p2            NO          YES          43        c800.8459.e764/002a   1              Secured   0100000000000000000000000000000000000000000000000000000000000000

Switch#show mka sessions interface G1/0/1 de

MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec

Local Tx-SCI............. 204c.9e85.ede4/002b
Interface MAC Address.... 204c.9e85.ede4
MKA Port Identifier...... 43
Interface Name........... GigabitEthernet1/0/1
Audit Session ID.........
CAK Name (CKN)........... 0100000000000000000000000000000000000000000000000000000000000000
Member Identifier (MI)... D46CBEC05D5D67594543CEAE
Message Number (MN)...... 89567
EAP Role................. NA
Key Server............... YES
MKA Cipher Suite......... AES-128-CMAC

Latest SAK Status........ Rx & Tx
Latest SAK AN............ 0
Latest SAK KI (KN)....... D46CBEC05D5D67594543CEAE00000001 (1)
Old SAK Status........... FIRST-SAK
Old SAK AN............... 0
Old SAK KI (KN).......... FIRST-SAK (0)

SAK Transmit Wait Time... 0s (Not waiting for any peers to respond)
SAK Retire Time.......... 0s (No Old SAK to retire)


MKA Policy Name.......... p2
Key Server Priority...... 2
Delay Protection......... NO
Replay Protection........ YES
Replay Window Size....... 0
Confidentiality Offset... 0
Algorithm Agility........ 80C201
Send Secure Announcement.. DISABLED
SAK Cipher Suite......... 0080C20001000001 (GCM-AES-128)
MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired........... YES

# of MACsec Capable Live Peers............ 1
# of MACsec Capable Live Peers Responded.. 1

Live Peers List:
  MI                        MN       Rx-SCI (Peer)         KS Priority
  ----------------------------------------------------------------------
  38046BA37D7DA77E06D006A9  89555    c800.8459.e764/002a   10

Potential Peers List:
  MI                        MN       Rx-SCI (Peer)         KS Priority
  ----------------------------------------------------------------------

Dormant Peers List:
  MI                        MN       Rx-SCI (Peer)         KS Priority
  ----------------------------------------------------------------------

Switch#show mka sessions de
Switch#show mka sessions detail

MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec

Local Tx-SCI............. 204c.9e85.ede4/002b
Interface MAC Address.... 204c.9e85.ede4
MKA Port Identifier...... 43
Interface Name........... GigabitEthernet1/0/1
Audit Session ID.........
CAK Name (CKN)........... 0100000000000000000000000000000000000000000000000000000000000000
Member Identifier (MI)... D46CBEC05D5D67594543CEAE
Message Number (MN)...... 89572
EAP Role................. NA
Key Server............... YES
MKA Cipher Suite......... AES-128-CMAC

Latest SAK Status........ Rx & Tx
Latest SAK AN............ 0
Latest SAK KI (KN)....... D46CBEC05D5D67594543CEAE00000001 (1)
Old SAK Status........... FIRST-SAK
Old SAK AN............... 0
Old SAK KI (KN).......... FIRST-SAK (0)

SAK Transmit Wait Time... 0s (Not waiting for any peers to respond)
SAK Retire Time.......... 0s (No Old SAK to retire)

MKA Policy Name.......... p2
Key Server Priority...... 2
Delay Protection......... NO
Replay Protection........ YES
Replay Window Size....... 0
Confidentiality Offset... 0
Algorithm Agility........ 80C201


SAK Cipher Suite......... 0080C20001000001 (GCM-AES-128)
MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired........... YES

# of MACsec Capable Live Peers............ 1
# of MACsec Capable Live Peers Responded.. 1

Live Peers List:
  MI                        MN       Rx-SCI (Peer)         KS Priority
  ----------------------------------------------------------------------
  38046BA37D7DA77E06D006A9  89560    c800.8459.e764/002a   10

Potential Peers List:
  MI                        MN       Rx-SCI (Peer)         KS Priority
  ----------------------------------------------------------------------

Dormant Peers List:
  MI                        MN       Rx-SCI (Peer)         KS Priority
  ----------------------------------------------------------------------

Switch#sh mka pol

MKA Policy Summary...

Policy            KS         Delay     Replay    Window   Conf     Cipher         Interfaces
Name              Priority   Protect   Protect   Size     Offset   Suite(s)       Applied
======================================================================================================
DEFAULT POLICY    0          FALSE     TRUE      0        0        GCM-AES-128
p1                1          FALSE     TRUE      0        0        GCM-AES-128
p2                2          FALSE     TRUE      0        0        GCM-AES-128    Gi1/0/1

Switch#sh mka poli
Switch#sh mka policy p2
Switch#sh mka policy p2 ?
  detail    Detailed configuration/information for MKA Policy
  sessions  Summary of all active MKA Sessions with policy applied
  |         Output modifiers

Switch#sh mka policy p2 de

MKA Policy Configuration ("p2")
========================
MKA Policy Name........ p2
Key Server Priority.... 2
Confidentiality Offset. 0
Send Secure Announcement..DISABLED
Cipher Suite(s)........ GCM-AES-128

Applied Interfaces... GigabitEthernet1/0/1

Switch#sh mka policy p2

MKA Policy Summary...

Policy            KS         Delay     Replay    Window   Conf     Cipher         Interfaces
Name              Priority   Protect   Protect   Size     Offset   Suite(s)       Applied
======================================================================================================
p2                2          FALSE     TRUE      0        0        GCM-AES-128    Gi1/0/1


Switch#sh mka se? sessions

Switch#sh mka ?
  default-policy  MKA Default Policy details
  keychains       MKA Pre-Shared-Key Key-Chains
  policy          MKA Policy configuration information
  presharedkeys   MKA Preshared Keys
  sessions        MKA Sessions summary
  statistics      Global MKA statistics
  summary         MKA Sessions summary & global statistics

Switch#sh mka statis
Switch#sh mka statistics ?
  interface  Statistics for a MKA Session on an interface
  local-sci  Statistics for a MKA Session identified by its Local Tx-SCI
  |          Output modifiers

Switch#sh mka statistics inter
Switch#show mka statistics interface G1/0/1

MKA Statistics for Session
==========================
Reauthentication Attempts.. 0

CA Statistics
   Pairwise CAKs Derived... 0
   Pairwise CAK Rekeys..... 0
   Group CAKs Generated.... 0
   Group CAKs Received..... 0

SA Statistics
   SAKs Generated.......... 1
   SAKs Rekeyed............ 0
   SAKs Received........... 0
   SAK Responses Received.. 1

MKPDU Statistics
   MKPDUs Validated & Rx... 89585
      "Distributed SAK".. 0
      "Distributed CAK".. 0
   MKPDUs Transmitted...... 89596
      "Distributed SAK".. 1
      "Distributed CAK".. 0

Switch#show mka ?
  default-policy  MKA Default Policy details
  keychains       MKA Pre-Shared-Key Key-Chains
  policy          MKA Policy configuration information
  presharedkeys   MKA Preshared Keys
  sessions        MKA Sessions summary
  statistics      Global MKA statistics
  summary         MKA Sessions summary & global statistics

Switch#show mka summ
Switch#show mka summary

Total MKA Sessions....... 1
      Secured Sessions... 1
      Pending Sessions... 0


====================================================================================================
Interface   Local-TxSCI           Policy-Name   Inherited   Key-Server   Port-ID   Peer-RxSCI            MACsec-Peers   Status    CKN
====================================================================================================
Gi1/0/1     204c.9e85.ede4/002b   p2            NO          YES          43        c800.8459.e764/002a   1              Secured   0100000000000000000000000000000000000000000000000000000000000000

MKA Global Statistics
=====================
MKA Session Totals
   Secured.................... 1
   Reauthentication Attempts.. 0

   Deleted (Secured).......... 0
   Keepalive Timeouts......... 0

CA Statistics
   Pairwise CAKs Derived...... 0
   Pairwise CAK Rekeys........ 0
   Group CAKs Generated....... 0
   Group CAKs Received........ 0

SA Statistics
   SAKs Generated............. 1
   SAKs Rekeyed............... 0
   SAKs Received.............. 0
   SAK Responses Received..... 1

MKPDU Statistics
   MKPDUs Validated & Rx...... 89589
      "Distributed SAK"..... 0
      "Distributed CAK"..... 0
   MKPDUs Transmitted......... 89600
      "Distributed SAK"..... 1
      "Distributed CAK"..... 0

MKA Error Counter Totals
========================
Session Failures
   Bring-up Failures................ 0
   Reauthentication Failures........ 0
   Duplicate Auth-Mgr Handle........ 0

SAK Failures
   SAK Generation................... 0
   Hash Key Generation.............. 0
   SAK Encryption/Wrap.............. 0
   SAK Decryption/Unwrap............ 0
   SAK Cipher Mismatch.............. 0

CA Failures
   Group CAK Generation............. 0
   Group CAK Encryption/Wrap........ 0
   Group CAK Decryption/Unwrap...... 0
   Pairwise CAK Derivation.......... 0
   CKN Derivation................... 0
   ICK Derivation................... 0
   KEK Derivation................... 0
   Invalid Peer MACsec Capability... 0

MACsec Failures
   Rx SC Creation................... 0


   Tx SC Creation................... 0
   Rx SA Installation............... 0
   Tx SA Installation............... 0

MKPDU Failures
   MKPDU Tx......................... 0
   MKPDU Rx Validation.............. 0
   MKPDU Rx Bad Peer MN............. 0
   MKPDU Rx Non-recent Peerlist MN.. 0
Switch#
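The session table and error counters above are what an operator actually polls to confirm that a link is encrypted and that MKA is not silently failing. The following Python script is an added example (not from the Cisco guide): it parses the show mka sessions table and the MKA Error Counter Totals section in the formats shown in this section, and reports any session whose Status is not Secured and any failure counter that is nonzero. The sample text is constructed from the values on this page, with a second, pending session and two nonzero counters added so that the checks have something to find.

```python
import re

# Constructed sample, modelled on the "show mka sessions" table on this page.
# The Gi1/0/2 row and its Pending status are made up for the demonstration.
SAMPLE_SESSIONS = """\
Total MKA Sessions....... 2
      Secured Sessions... 1
      Pending Sessions... 1

====================================================================================================
Interface   Local-TxSCI           Policy-Name   Inherited   Key-Server   Port-ID   Peer-RxSCI            MACsec-Peers   Status    CKN
====================================================================================================
Gi1/0/1     204c.9e85.ede4/002b   p2            NO          YES          43        c800.8459.e764/002a   1              Secured   0100000000000000000000000000000000000000000000000000000000000000
Gi1/0/2     204c.9e85.ede5/002c   p2            NO          NO           44        -                     0              Pending   0100000000000000000000000000000000000000000000000000000000000000
"""

# Constructed sample in the "MKA Error Counter Totals" layout; the two
# nonzero values are made up for the demonstration.
SAMPLE_ERRORS = """\
MKA Error Counter Totals
========================
Session Failures
   Bring-up Failures................ 0
   Reauthentication Failures........ 2
   Duplicate Auth-Mgr Handle........ 0

SAK Failures
   SAK Generation................... 0
   SAK Cipher Mismatch.............. 1

MKPDU Failures
   MKPDU Tx......................... 0
   MKPDU Rx Validation.............. 0
   MKPDU Rx Bad Peer MN............. 0
"""

# One data row of the sessions table: SCI is "mac/port" in hex, CKN is a hex string.
SESSION_ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<tx_sci>[0-9a-f.]+/[0-9a-f]+)\s+(?P<policy>\S+)\s+"
    r"(?P<inherited>YES|NO)\s+(?P<key_server>YES|NO)\s+(?P<port_id>\d+)\s+"
    r"(?P<peer_sci>\S+)\s+(?P<peers>\d+)\s+(?P<status>\S+)\s+(?P<ckn>[0-9A-Fa-f]+)\s*$"
)

# An indented "Name.......... value" counter line.
COUNTER_LINE = re.compile(r"^\s+(?P<name>[A-Za-z][A-Za-z0-9 /()&-]*?)\.{2,}\s*(?P<value>\d+)\s*$")


def parse_sessions(text):
    """Return one dict per data row of the 'show mka sessions' table."""
    rows = []
    for line in text.splitlines():
        m = SESSION_ROW.match(line)
        if m:
            row = m.groupdict()
            row["port_id"] = int(row["port_id"])
            row["peers"] = int(row["peers"])
            rows.append(row)
    return rows


def parse_counters(text):
    """Return {"section/counter": value}; the section is the unindented heading
    (e.g. "SAK Failures") under which the counter line appears."""
    counters = {}
    section = None
    for line in text.splitlines():
        if line and not line[0].isspace() and not line.startswith("="):
            section = line.strip()
            continue
        m = COUNTER_LINE.match(line)
        if m:
            counters[f"{section}/{m['name']}"] = int(m["value"])
    return counters


def find_problems(sessions, counters):
    """Sessions that are not Secured, plus any nonzero counter under a Failures section."""
    problems = []
    for s in sessions:
        if s["status"] != "Secured":
            problems.append(f"{s['iface']}: status {s['status']} (policy {s['policy']}, peers {s['peers']})")
    for name, value in counters.items():
        if value != 0 and "Failures" in name:
            problems.append(f"counter {name} = {value}")
    return problems


if __name__ == "__main__":
    for problem in find_problems(parse_sessions(SAMPLE_SESSIONS), parse_counters(SAMPLE_ERRORS)):
        print("ALERT:", problem)
```

In practice the two text blocks would come from the switch (for example via an SSH session or a collector), and the alert list would feed whatever monitoring the site already runs; an interface that stays Pending after MKA has been enabled is the same condition the guide's must-secure setting turns into a traffic drop.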
How to Configure MACsec Encryption
Prerequisites for MACsec Encryption
Prerequisites for MACsec Encryption:
· Ensure that 802.1x authentication and AAA are configured on your device.
Configuring MKA and MACsec
Default MACsec MKA Configuration
MACsec is disabled. No MKA policies are configured.
MKA-PSK: CKN Behavior Change
To interoperate with Cisco switches running Classic Cisco IOS, the CKN configuration must be zero-padded. From Cisco IOS XE Everest Release 16.6.1 onwards, for MKA-PSK sessions, the Connectivity Association Key name (CKN) is no longer a fixed 32 bytes; instead it uses exactly the string that is configured as the hex-string of the key. Example configuration:
configure terminal
key chain KEYCHAINONE macsec
key 1234
cryptographic-algorithm aes-128-cmac
key-string 123456789ABCDEF0123456789ABCDEF0
lifetime local 12:21:00 Sep 9 2015 infinite
end
For the above example, the following is the output of the show mka session command:


Note that the CKN key-string is exactly the same as the hex-string that was configured for the key. For interoperability between a platform running IOS XE and a platform running Classic IOS (one with the CKN behavior change and one without), the hex-string for the key must be a 64-character hex-string padded with zeros, so that it works on the device whose image has the CKN behavior change. See the example below:
Configuration without CKN key-string behavior change:
config t
key chain KEYCHAINONE macsec
key 1234
cryptographic-algorithm aes-128-cmac
key-string 123456789ABCDEF0123456789ABCDEF0
lifetime local 12:21:00 Sep 9 2015 infinite
Output:
Configuration with CKN key-string behavior change:
config t
key chain KEYCHAINONE macsec
key 1234000000000000000000000000000000000000000000000000000000000000
cryptographic-algorithm aes-128-cmac
key-string 123456789ABCDEF0123456789ABCDEF0
lifetime local 12:21:00 Sep 9 2015 infinite
Output:
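The CKN rule described in this section decides whether two peers agree on which CAK to use, so it is worth checking before a key is rolled out. The following Python module is an added example, not from the Cisco guide: it models the two behaviours as the text describes them (Classic IOS zero-pads the key id to a fixed 32-byte CKN; IOS XE 16.6.1 and later uses the configured hex-string as the CKN unchanged) and shows that only the 64-character zero-padded form gives the same CKN on both sides. The function names are this example's own; the padding-to-the-right rule is taken from the "1234" versus "1234000...0" configurations above.

```python
import string

CKN_HEX_DIGITS = 64  # 32-byte CKN, shown as 64 hex digits in "show mka sessions"


def _check_key_id(key_id_hex):
    """Reject ids that are not hex or that cannot fit in a 32-byte CKN."""
    if not key_id_hex or any(c not in string.hexdigits for c in key_id_hex):
        raise ValueError(f"key id {key_id_hex!r} is not a non-empty hex-string")
    if len(key_id_hex) > CKN_HEX_DIGITS:
        raise ValueError("key id longer than 64 hex digits (32-byte CKN)")


def ckn_classic_ios(key_id_hex):
    """Classic Cisco IOS: the configured key id, zero-padded on the right to 32 bytes
    (the padding direction is inferred from the guide's 1234000...0 example)."""
    _check_key_id(key_id_hex)
    return key_id_hex.upper().ljust(CKN_HEX_DIGITS, "0")


def ckn_ios_xe(key_id_hex):
    """IOS XE Everest 16.6.1 and later, MKA-PSK: the CKN is exactly the configured hex-string."""
    _check_key_id(key_id_hex)
    return key_id_hex.upper()


def peers_agree(key_id_hex):
    """True when a Classic IOS peer and an IOS XE peer derive the same CKN from
    this key id, which only happens when the id already fills all 64 digits."""
    return ckn_classic_ios(key_id_hex) == ckn_ios_xe(key_id_hex)


def interop_key_id(key_id_hex):
    """The form this section recommends configuring on both sides: the id padded
    with zeros to 64 hex characters."""
    return ckn_classic_ios(key_id_hex)


if __name__ == "__main__":
    for key_id in ("1234", interop_key_id("1234")):
        print(f"key {key_id}: classic={ckn_classic_ios(key_id)} "
              f"xe={ckn_ios_xe(key_id)} agree={peers_agree(key_id)}")
```

With the short id "1234" the two sides disagree (Classic IOS pads, IOS XE does not); with the padded id both produce the same 64-digit CKN, which is the configuration the section recommends for mixed Classic IOS and IOS XE links.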

Configuring an MKA Policy

SUMMARY STEPS

1. configure terminal
2. mka policy policy name
3. send-secure-announcements
4. key-server priority
5. include-icv-indicator
6. macsec-cipher-suite gcm-aes-128
7. confidentiality-offset Offset value
8. end
9. show mka policy

DETAILED STEPS

Step 1  configure terminal
        Purpose: Enter global configuration mode.

Step 2  mka policy policy name
        Purpose: Identify an MKA policy, and enter MKA policy configuration mode. The maximum policy name length is 16 characters.
        Note: The default MACsec cipher suite in the MKA policy will always be "GCM-AES-128". If the device supports both "GCM-AES-128" and "GCM-AES-256" ciphers, it is highly recommended to define and use a user-defined MKA policy that includes both the 128-bit and 256-bit ciphers, or only the 256-bit cipher, as may be required.

Step 3  send-secure-announcements
        Purpose: Enables secure announcements.
        Note: By default, secure announcements are disabled.


Step 4  key-server priority
        Purpose: Configure MKA key server options and set the priority (between 0-255).
        Note: When the key server priority is set to 255, the peer cannot become the key server. The key server priority value is valid only for MKA PSK, not for MKA EAP-TLS.

Step 5  include-icv-indicator
        Purpose: Enables the ICV indicator in MKPDUs. Use the no form of this command, no include-icv-indicator, to disable the ICV indicator.

Step 6  macsec-cipher-suite gcm-aes-128
        Purpose: Configures the cipher suite for deriving the SAK with 128-bit encryption.

Step 7  confidentiality-offset Offset value
        Purpose: Set the Confidentiality (encryption) offset for each physical interface.
        Note: Offset value can be 0, 30 or 50. If you are using AnyConnect on the client, it is recommended to use offset 0.

Step 8  end
        Purpose: Returns to privileged EXEC mode.

Step 9  show mka policy
        Purpose: Verify your entries.

Example
This example configures the MKA policy:
Switch(config)# mka policy mka_policy
Switch(config-mka-policy)# key-server priority 200
Switch(config-mka-policy)# macsec-cipher-suite gcm-aes-128
Switch(config-mka-policy)# confidentiality-offset 30
Switch(config-mka-policy)# end

Configuring MACsec on an Interface
Follow these steps to configure MACsec on an interface with one MACsec session for voice and one for data:

SUMMARY STEPS

1. enable
2. configure terminal
3. interface interface-id
4. switchport access vlan vlan-id
5. switchport mode access
6. macsec
7. authentication event linksec fail action authorize vlan vlan-id
8. authentication host-mode multi-domain


9. authentication linksec policy must-secure
10. authentication port-control auto
11. authentication periodic
12. authentication timer reauthenticate
13. authentication violation protect
14. mka policy policy name
15. dot1x pae authenticator
16. spanning-tree portfast
17. end
18. show authentication session interface interface-id
19. show authentication session interface interface-id details
20. show macsec interface interface-id
21. show mka sessions
22. copy running-config startup-config

DETAILED STEPS

Step 1  enable
        Example:
        Switch>enable
        Purpose: Enables privileged EXEC mode. Enter the password if prompted.

Step 2  configure terminal
        Example:
        Switch>configure terminal
        Purpose: Enter global configuration mode.

Step 3  interface interface-id
        Purpose: Identify the MACsec interface, and enter interface configuration mode. The interface must be a physical interface.

Step 4  switchport access vlan vlan-id
        Purpose: Configure the access VLAN for the port.

Step 5  switchport mode access
        Purpose: Configure the interface as an access port.

Step 6  macsec
        Purpose: Enable 802.1ae MACsec on the interface. The macsec command enables MKA MACsec on switch-to-host links (downlink ports) only.

Step 7  authentication event linksec fail action authorize vlan vlan-id
        Purpose: (Optional) Specify that the switch processes authentication link-security failures resulting from unrecognized user credentials by authorizing a restricted VLAN on the port after a failed authentication attempt.

Step 8  authentication host-mode multi-domain
        Purpose: Configure authentication manager mode on the port to allow both a host and a voice device to be authenticated on the 802.1x-authorized port. If not configured, the default host mode is single.


Step 9  authentication linksec policy must-secure
        Purpose: Set the LinkSec security policy to secure the session with MACsec if the peer is available. If not set, the default is should-secure.

Step 10 authentication port-control auto
        Purpose: Enable 802.1x authentication on the port. The port changes to the authorized or unauthorized state based on the authentication exchange between the switch and the client.

Step 11 authentication periodic
        Purpose: Enable or disable reauthentication for this port.

Step 12 authentication timer reauthenticate
        Purpose: Enter a value between 1 and 65535 (in seconds), or obtain the re-authentication timeout value from the server. The default re-authentication time is 3600 seconds.

Step 13 authentication violation protect
        Purpose: Configure the port to drop unexpected incoming MAC addresses when a new device connects to a port, or when a device connects to a port after the maximum number of devices are connected to that port. If not configured, the default is to shut down the port.

Step 14 mka policy policy name
        Purpose: Apply an existing MKA protocol policy to the interface, and enable MKA on the interface. If no MKA policy was configured (by entering the mka policy global configuration command).

Step 15 dot1x pae authenticator
        Purpose: Configure the port as an 802.1x port access entity (PAE) authenticator.

Step 16 spanning-tree portfast
        Purpose: Enable spanning tree Port Fast on the interface in all its associated VLANs. When the Port Fast feature is enabled, the interface changes directly from a blocking state to a forwarding state without making the intermediate spanning-tree state changes.

Step 17 end
        Example:
        Switch (config)#end
        Purpose: Returns to privileged EXEC mode.

Step 18 show authentication session interface interface-id
        Purpose: Verify the authorized session security status.

Step 19 show authentication session interface interface-id details
        Purpose: Verify the details of the security status of the authorized session.

Step 20 show macsec interface interface-id
        Purpose: Verify the MACsec status on the interface.

Step 21 show mka sessions
        Purpose: Verify the established MKA sessions.

Step 22 copy running-config startup-config
        Example:
        Switch#copy running-config startup-config
        Purpose: (Optional) Saves your entries in the configuration file.


Configuring MACsec MKA using Pre Shared Key (PSK)

SUMMARY STEPS

1. configure terminal
2. key chain key-chain-name macsec
3. key hex-string
4. cryptographic-algorithm {gcm-aes-128 | gcm-aes-256}
5. key-string { [0|6|7] pwd-string | pwd-string}
6. lifetime local [start timestamp {hh::mm::ss | day | month | year}] [duration seconds | end timestamp {hh::mm::ss | day | month | year}]
7. end

DETAILED STEPS

Step 1  configure terminal
        Purpose: Enter global configuration mode.

Step 2  key chain key-chain-name macsec
        Purpose: Configures a key chain and enters key chain configuration mode.

Step 3  key hex-string
        Purpose: Configures a unique identifier for each key in the keychain and enters the keychain's key configuration mode.
        Note: For 128-bit encryption, use a 32 hex digit key-string. For 256-bit encryption, use a 64 hex digit key-string.

Step 4  cryptographic-algorithm {gcm-aes-128 | gcm-aes-256}
        Purpose: Set the cryptographic authentication algorithm with 128-bit or 256-bit encryption.

Step 5  key-string { [0|6|7] pwd-string | pwd-string}
        Purpose: Sets the password for a key string. Only hex characters must be entered.

Step 6  lifetime local [start timestamp {hh::mm::ss | day | month | year}] [duration seconds | end timestamp {hh::mm::ss | day | month | year}]
        Purpose: Sets the lifetime of the pre-shared key.

Step 7  end
        Purpose: Returns to privileged EXEC mode.

Example
Following is an indicative example:
Switch(config)# Key chain keychain1 macsec
Switch(config-key-chain)# key 1000
Switch(config-keychain-key)# cryptographic-algorithm gcm-aes-128
Switch(config-keychain-key)# key-string 12345678901234567890123456789012
Switch(config-keychain-key)# lifetime local 12:12:00 July 28 2016 12:19:00 July 28 2016
Switch(config-keychain-key)# end
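The key chain steps above and the MKA policy steps in Configuring an MKA Policy each carry limits that the switch enforces only when the line is typed: a 32 or 64 hex digit key-string depending on the algorithm, hex-only key ids, a policy name of at most 16 ASCII characters, a key-server priority of 0-255 (255 meaning the device can never be key server), and a confidentiality offset of 0, 30 or 50. The following Python module is an added example, not from the Cisco guide, that applies those checks before rendering the CLI lines in the form the guide's examples use, so that a bad value is caught in a review step rather than on the device. The function names and the returned note text are this example's own.

```python
import string

HEX_DIGITS = set(string.hexdigits)
# From the guide's note on the key command: 32 hex digits for 128-bit, 64 for 256-bit.
KEY_STRING_LENGTH = {"gcm-aes-128": 32, "gcm-aes-256": 64}
CIPHER_SUITES = ("gcm-aes-128", "gcm-aes-256")
CONFIDENTIALITY_OFFSETS = (0, 30, 50)
NEVER_KEY_SERVER = 255  # per the guide's note on key-server priority


def is_hex(text):
    return bool(text) and all(c in HEX_DIGITS for c in text)


def validate_macsec_key(key_id, algorithm, key_string):
    """Problems with one 'key' entry in a 'key chain ... macsec' block."""
    problems = []
    if not is_hex(key_id):
        problems.append("key id must be a non-empty hex-string")
    if algorithm not in KEY_STRING_LENGTH:
        problems.append(f"cryptographic-algorithm must be one of {', '.join(KEY_STRING_LENGTH)}")
    elif len(key_string) != KEY_STRING_LENGTH[algorithm]:
        problems.append(f"{algorithm} needs a {KEY_STRING_LENGTH[algorithm]}-hex-digit key-string, got {len(key_string)}")
    if not is_hex(key_string):
        problems.append("key-string must contain only hex characters")
    return problems


def validate_mka_policy(name, key_server_priority, offset, cipher_suite):
    """Problems with an MKA policy, per the limits stated in this guide."""
    problems = []
    if not (1 <= len(name) <= 16 and name.isascii()):
        problems.append("policy name must be 1-16 ASCII characters")
    if not 0 <= key_server_priority <= 255:
        problems.append("key-server priority must be 0-255")
    if offset not in CONFIDENTIALITY_OFFSETS:
        problems.append("confidentiality-offset must be 0, 30 or 50")
    if cipher_suite not in CIPHER_SUITES:
        problems.append("macsec-cipher-suite must be gcm-aes-128 or gcm-aes-256")
    return problems


def render_config(chain, key_id, algorithm, key_string, lifetime, policy, priority, offset, cipher_suite):
    """Render the key chain and MKA policy in the CLI form this guide uses,
    refusing to emit anything the checks above reject. Returns (lines, notes)."""
    problems = validate_macsec_key(key_id, algorithm, key_string)
    problems += validate_mka_policy(policy, priority, offset, cipher_suite)
    if problems:
        raise ValueError("; ".join(problems))
    notes = []
    if priority == NEVER_KEY_SERVER:
        notes.append("key-server priority 255: this device can never become the key server")
    lines = [
        f"key chain {chain} macsec",
        f" key {key_id}",
        f"  cryptographic-algorithm {algorithm}",
        f"  key-string {key_string}",
        f"  lifetime local {lifetime}",
        f"mka policy {policy}",
        f" key-server priority {priority}",
        f" macsec-cipher-suite {cipher_suite}",
        f" confidentiality-offset {offset}",
    ]
    return lines, notes


if __name__ == "__main__":
    # Values from the guide's two examples (key chain keychain1 / policy mka_policy).
    lines, notes = render_config("keychain1", "1000", "gcm-aes-128",
                                 "12345678901234567890123456789012",
                                 "12:12:00 July 28 2016 12:19:00 July 28 2016",
                                 "mka_policy", 200, 30, "gcm-aes-128")
    print("\n".join(lines))
    for note in notes:
        print("NOTE:", note)
```

The validator deliberately treats a 32-digit key-string with gcm-aes-256 as an error rather than padding it: the guide ties the key-string length to the algorithm, and silently padding would produce a CAK the peer does not share.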


Configuring MACsec MKA on an Interface using PSK

Note To avoid traffic drop across sessions, the mka policy command must be configured before the mka pre-shared-key key-chain command.

SUMMARY STEPS

1. configure terminal
2. interface interface-id
3. macsec access-control {must-secure | should-secure}
4. macsec
5. mka policy policy-name
6. mka pre-shared-key key-chain key-chain name
7. macsec replay-protection window-size frame number
8. end

DETAILED STEPS

Step 1  configure terminal
        Purpose: Enter global configuration mode.

Step 2  interface interface-id
        Purpose: Enters interface configuration mode.

Step 3  macsec access-control {must-secure | should-secure}
        Purpose: (Optional) Controls the behavior of unencrypted packets.
        · should-secure: Allows unencrypted traffic to flow until the MKA session is secured. After the MKA session is secured, only encrypted traffic can flow.
        · must-secure: Imposes that only MACsec encrypted traffic can flow. Hence, until the MKA session is secured, traffic is dropped.

Step 4  macsec
        Purpose: Enables MACsec on the interface.

Step 5  mka policy policy-name
        Purpose: Configures an MKA policy.

Step 6  mka pre-shared-key key-chain key-chain name
        Purpose: Configures an MKA pre-shared-key key-chain name.

Step 7  macsec replay-protection window-size frame number
        Purpose: Sets the MACsec window size for replay protection.

Step 8  end
        Purpose: Returns to privileged EXEC mode.

Example
The following example configures an MKA policy and an MKA pre-shared-key key-chain name, and sets the MACsec window size for replay protection:


Switch(config)# interface GigabitEthernet 1/1
Switch(config-if)# mka policy mka_policy
Switch(config-if)# mka pre-shared-key key-chain key-chain-name
Switch(config-if)# macsec replay-protection window-size 10
Switch(config-if)# end
Note It is not recommended to change the MKA policy on an interface with MKA PSK configured when the session is running. However, if a change is required, you must reconfigure the policy as follows:
1. Disable the existing session by removing the macsec configuration on each of the participating nodes using the no macsec command.
2. Configure the MKA policy on the interface on each of the participating nodes using the mka policy policy-name command.
3. Enable the new session on each of the participating nodes by using the macsec command.
The following examples show how to configure the interface to use should-secure instead of the default must-secure, and how to change it back to the default must-secure.
Note Modifying access-control is not allowed when the session is up and running. You first need to remove the MACsec configuration by using the no macsec command, and then configure access-control.
Example 1: To change from must-secure to should-secure:
Switch(config-if)#no macsec
Switch(config-if)#macsec access-control should-secure
Switch(config-if)#macsec   // this switches the access-control from must-secure and restarts the MACsec session with the new behaviour.
Example 2: To change from should-secure to must-secure:
Switch(config-if)#no macsec
Switch(config-if)#no macsec access-control
Switch(config-if)#macsec
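The macsec replay-protection window-size command configured in this section, and the Replay Window Size 0 shown in the session detail earlier, control how much frame reordering the receiver tolerates before it treats a frame as replayed. The following Python class is an added example, not from the Cisco guide and not Cisco's implementation: it models the receive-side check as IEEE 802.1AE defines it, tracking the next expected packet number (PN) per secure association and accepting a frame only if its PN is not older than nextPN minus the window. The class and function names are this example's own.

```python
class ReplayGuard:
    """Simplified model of 802.1AE receive-side replay protection for one
    secure association (assumption: the standard's nextPN / lowest acceptable
    PN rules, not any vendor's implementation). Window 0, the default shown
    in this guide's session detail, requires strictly increasing packet
    numbers; 'macsec replay-protection window-size 10' lets a frame arrive
    up to 10 packet numbers late, for example behind reordering links."""

    def __init__(self, window, replay_protect=True):
        if window < 0:
            raise ValueError("window must be >= 0")
        self.window = window
        self.replay_protect = replay_protect
        self.next_pn = 1      # lowest PN not yet seen in order
        self.accepted = 0
        self.dropped = 0

    def lowest_acceptable_pn(self):
        """PNs below this are treated as replays; never below the first PN, 1."""
        return max(1, self.next_pn - self.window)

    def receive(self, pn):
        """Return True if the frame with packet number pn is accepted.
        Note that 802.1AE's window is a threshold, not a bitmap: a duplicate
        PN that is still inside the window is accepted, which is why a window
        of 0 is the only setting that rejects every replayed frame."""
        if self.replay_protect and pn < self.lowest_acceptable_pn():
            self.dropped += 1
            return False
        if pn >= self.next_pn:
            self.next_pn = pn + 1
        self.accepted += 1
        return True


def replay_outcomes(window, packet_numbers, replay_protect=True):
    """Run one sequence of received PNs through a fresh guard and return the
    accept/drop decision for each frame, in order."""
    guard = ReplayGuard(window, replay_protect)
    return [guard.receive(pn) for pn in packet_numbers]


if __name__ == "__main__":
    # Constructed arrival sequence: frame 2 arrives again after frame 3.
    for window in (0, 10):
        print(f"window {window:2d}: {replay_outcomes(window, [1, 2, 3, 2, 4])}")
```

Run against the same arrival sequence, window 0 drops the repeated PN 2 while window 10 accepts it; the window-size value is therefore a trade-off between tolerating reordering on the link and how many replayed frames an attacker on the wire could get accepted.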
Configuring Certificate Based MACsec
To configure MACsec with MKA on point-to-point links, perform these tasks:
· Generating Key Pairs
· Configuring Enrollment using SCEP
· Configuring Enrollment Manually
· Configuring Switch-to-Switch MACsec Encryption, on page 23


Prerequisites for Certificate Based MACsec
· Ensure that you have a Certificate Authority (CA) server configured for your network.
· Generate a CA certificate.
· Ensure that you have configured Cisco Identity Services Engine (ISE).
· Ensure that 802.1x authentication and AAA are configured on your device.

Generating Key Pairs

SUMMARY STEPS

1. enable
2. configure terminal
3. crypto key generate rsa label label-name general-keys modulus size
4. end
5. show authentication session interface interface-id

DETAILED STEPS

Step 1
enable
Example:
Device> enable
Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 3
crypto key generate rsa label label-name general-keys modulus size
Example:
Device(config)# crypto key generate rsa label general-keys modulus 2048
Generates an RSA key pair for signing and encryption.
You can also assign a label to each key pair using the label keyword. The label is referenced by the trustpoint that uses the key pair. If you do not assign a label, the key pair is automatically labeled .
If you do not use additional keywords, this command generates one general purpose RSA key pair. If the modulus is not specified, the default key modulus of 1024 is used. You can specify other modulus sizes with the modulus keyword.

Step 4
end
Example:
Device(config)# end
Exits global configuration mode and returns to privileged EXEC mode.

Step 5
show authentication session interface interface-id
Example:
Device# show authentication session interface gigabitethernet 0/1/1
Verifies the authorized session security status.

Configuring Enrollment using SCEP
Simple Certificate Enrollment Protocol (SCEP) is a Cisco-developed enrollment protocol that uses HTTP to communicate with the certificate authority (CA) or registration authority (RA). SCEP is the most commonly used method for sending and receiving requests and certificates.

Procedure

Step 1
enable
Example:
Device> enable
Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 3
crypto pki trustpoint server name
Example:
Device(config)# crypto pki trustpoint ka
Declares the trustpoint with a given name and enters ca-trustpoint configuration mode.

Step 4
enrollment url url-name pem
Example:
Device(ca-trustpoint)# enrollment url http://url:80
Specifies the URL of the CA to which your device should send certificate requests.
An IPv6 address can be added in the URL enclosed in brackets. For example: http://[2001:DB8:1:1::1]:80.
The pem keyword adds privacy-enhanced mail (PEM) boundaries to the certificate request.

Step 5
rsakeypair label
Example:
Device(ca-trustpoint)# rsakeypair exampleCAkeys
Specifies which key pair to associate with the certificate.
Note
The rsakeypair name must match the trust-point name.

Step 6
serial-number none
Example:
Device(ca-trustpoint)# serial-number none
The none keyword specifies that a serial number will not be included in the certificate request.

Step 7
ip-address none
Example:
Device(ca-trustpoint)# ip-address none
The none keyword specifies that no IP address should be included in the certificate request.

Step 8
revocation-check crl
Specifies CRL as the method to ensure that the certificate of a peer has not been revoked.
Example:

Device(ca-trustpoint)# revocation-check crl

Step 9
auto-enroll percent regenerate
Example:
Device(ca-trustpoint)# auto-enroll 90 regenerate
Enables auto-enrollment, allowing the client to automatically request a rollover certificate from the CA.
If auto-enrollment is not enabled, the client must be manually re-enrolled in your PKI upon certificate expiration.
By default, only the Domain Name System (DNS) name of the device is included in the certificate.
Use the percent argument to specify that a new certificate will be requested after the percentage of the lifetime of the current certificate is reached.
Use the regenerate keyword to generate a new key for the certificate even if a named key already exists.
If the key pair being rolled over is exportable, the new key pair will also be exportable. The following comment will appear in the trustpoint configuration to indicate whether the key pair is exportable: “! RSA key pair associated with trustpoint is exportable.”
It is recommended that a new key pair be generated for security reasons.

Step 10
exit
Example:
Device(ca-trustpoint)# exit
Exits ca-trustpoint configuration mode and returns to global configuration mode.

Step 11
crypto pki authenticate name
Example:
Device(config)# crypto pki authenticate myca
Retrieves the CA certificate and authenticates it.

Step 12
end
Example:
Device(config)# end
Exits global configuration mode and returns to privileged EXEC mode.

Step 13
show crypto pki certificate trustpoint name
Example:
Device# show crypto pki certificate ka
Displays information about the certificate for the trust point.

Configuring Enrollment Manually
If your CA does not support SCEP, or if a network connection between the router and the CA is not possible, perform the following task to set up manual certificate enrollment:


Procedure

Step 1
enable
Example:
Device> enable
Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 3
crypto pki trustpoint server name
Example:
Device(config)# crypto pki trustpoint ka
Declares the trustpoint with a given name and enters ca-trustpoint configuration mode.

Step 4
enrollment url url-name
Example:
Device(ca-trustpoint)# enrollment url http://url:80
Specifies the URL of the CA to which your device should send certificate requests.
An IPv6 address can be added in the URL enclosed in brackets. For example: http://[2001:DB8:1:1::1]:80.
The pem keyword adds privacy-enhanced mail (PEM) boundaries to the certificate request.

Step 5
rsakeypair label
Example:
Device(ca-trustpoint)# rsakeypair exampleCAkeys
Specifies which key pair to associate with the certificate.

Step 6
serial-number none
Example:
Device(ca-trustpoint)# serial-number none
Specifies that serial numbers will not be included in the certificate request.

Step 7
ip-address none
Example:
Device(ca-trustpoint)# ip-address none
The none keyword specifies that no IP address should be included in the certificate request.

Step 8
revocation-check crl
Example:
Device(ca-trustpoint)# revocation-check crl
Specifies CRL as the method to ensure that the certificate of a peer has not been revoked.

Step 9
exit
Example:
Device(ca-trustpoint)# exit
Exits ca-trustpoint configuration mode and returns to global configuration mode.

Step 10
crypto pki authenticate name
Example:
Device(config)# crypto pki authenticate myca
Retrieves the CA certificate and authenticates it.

Step 11
crypto pki enroll name
Example:
Device(config)# crypto pki enroll myca
Generates a certificate request and displays the request for copying and pasting into the certificate server.
Enter enrollment information when you are prompted. For example, specify whether to include the device FQDN and IP address in the certificate request.
You are also given the choice about displaying the certificate request to the console terminal.
The base-64 encoded certificate with or without PEM headers as requested is displayed.

Step 12
crypto pki import name certificate
Example:
Device(config)# crypto pki import myca certificate
Imports a certificate via TFTP at the console terminal, which retrieves the granted certificate.
The device attempts to retrieve the granted certificate via TFTP using the same filename used to send the request, except the extension is changed from “.req” to “.crt”. For usage key certificates, the extensions “-sign.crt” and “-encr.crt” are used.
The device parses the received files, verifies the certificates, and inserts the certificates into the internal certificate database on the switch.
Note
Some CAs ignore the usage key information in the certificate request and issue general purpose usage certificates. If your CA ignores the usage key information in the certificate request, only import the general purpose certificate. The router will not use one of the two key pairs generated.

Step 13
end
Example:
Device(config)# end
Exits global configuration mode and returns to privileged EXEC mode.

Step 14
show crypto pki certificate trustpoint name
Example:
Device# show crypto pki certificate ka
Displays information about the certificate for the trust point.

Enabling 802.1x Authentication and Configuring AAA

SUMMARY STEPS

1. enable
2. configure terminal
3. aaa new-model
4. dot1x system-auth-control
5. radius server name
6. address ip-address auth-port port-number acct-port port-number
7. automate-tester username username
8. key string
9. radius-server deadtime minutes
10. exit
11. aaa group server radius group-name
12. server name
13. exit
14. aaa authentication dot1x default group group-name
15. aaa authorization network default group group-name

DETAILED STEPS

Step 1
enable
Example:
Device> enable
Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal Example:
Device# configure terminal

Enters global configuration mode.

Step 3

aaa new-model Example:
Device(config)# aaa new-model

Enables AAA.

Step 4

dot1x system-auth-control Example:
Device(config)# dot1x system-auth-control

Enables 802.1X on your device.

Step 5

radius server name Example:
Device(config)# radius server ISE

Specifies the name of the RADIUS server configuration for Protected Access Credential (PAC) provisioning and enters RADIUS server configuration mode.

Step 6

address ip-address auth-port port-number acct-port port-number

Configures the IPv4 address for the RADIUS server accounting and authentication parameters.

Example:
Device(config-radius-server)# address ipv4 auth-port 1645 acct-port 1646

Step 7

automate-tester username username
Example:
Device(config-radius-server)# automate-tester username dummy

Enables the automated testing feature for the RADIUS server.
With this practice, the device sends periodic test authentication messages to the RADIUS server. It looks for a RADIUS response from the server. A success message is not necessary – a failed authentication suffices, because it shows that the server is alive.

Step 8
key string
Example:
Device(config-radius-server)# key dummy123
Configures the authentication and encryption key for all RADIUS communications between the device and the RADIUS server.

Step 9
radius-server deadtime minutes
Example:
Device(config-radius-server)# radius-server deadtime 2
Improves RADIUS response time when some servers might be unavailable and skips unavailable servers immediately.

Step 10
exit
Example:
Device(config-radius-server)# exit
Returns to global configuration mode.

Step 11
aaa group server radius group-name
Example:
Device(config)# aaa group server radius ISEGRP
Groups different RADIUS server hosts into distinct lists and distinct methods, and enters server group configuration mode.

Step 12
server name
Example:
Device(config-sg)# server name ISE
Assigns the RADIUS server name.

Step 13
exit
Example:
Device(config-sg)# exit
Returns to global configuration mode.

Step 14
aaa authentication dot1x default group group-name
Example:
Device(config)# aaa authentication dot1x default group ISEGRP
Sets the default authentication server group for IEEE 802.1x.

Step 15
aaa authorization network default group group-name
Example:
Device(config)# aaa authorization network default group ISEGRP
Sets the network authorization default group.

Configuring Switch-to-Switch MACsec Encryption
To apply MACsec MKA using certificate-based MACsec encryption to interfaces, perform the following task:

Procedure

Step 1
enable
Example:
Device> enable
Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 3
interface interface-id
Example:
Device(config)# interface gigabitethernet 2/9
Identifies the MACsec interface, and enters interface configuration mode. The interface must be a physical interface.

Step 4
macsec network-link
Example:
Device(config-if)# macsec network-link
Enables MACsec on the interface.

Step 5
authentication periodic
Example:
Device(config-if)# authentication periodic
(Optional) Enables reauthentication for this port.

Step 6
authentication timer reauthenticate interval
Example:
Device(config-if)# authentication timer reauthenticate interval
(Optional) Sets the reauthentication interval.

Step 7
access-session host-mode multi-host
Example:
Device(config-if)# access-session host-mode multi-host
Allows hosts to gain access to the interface.

Step 8
access-session closed
Example:
Device(config-if)# access-session closed
Prevents preauthentication access on the interface.

Step 9
access-session port-control auto
Example:
Device(config-if)# access-session port-control auto
Sets the authorization state of a port.

Step 10
dot1x pae both
Example:
Device(config-if)# dot1x pae both
Configures the port as an 802.1X port access entity (PAE) supplicant and authenticator.

Step 11
dot1x credentials profile
Example:
Device(config-if)# dot1x credentials profile
Assigns an 802.1x credentials profile to the interface.

Step 12
end
Example:
Device(config-if)# end
Exits interface configuration mode and returns to privileged EXEC mode.

Step 13
show macsec interface interface-id
Example:
Device# show macsec interface GigabitEthernet 2/9
Displays MACsec details for the interface.

Step 14
show access-session interface interface-id details
Example:
Device# show access-session interface GigabitEthernet 2/9 details
Verifies successful dot1x authentication and authorization. This is the first thing to check. If dot1x authentication fails, then MKA will never start.

Step 15
show mka session interface interface-id details
Example:
Device# show mka session interface GigabitEthernet 2/9 details
Displays detailed MKA session status.

Example: Switch-to-Switch Certificate Based MACsec
An example configuration of switch-to-switch certificate based MACsec is shown below.
configure terminal
aaa new-model
aaa local authentication default authorization default
!
!
aaa authentication dot1x default group radius local
aaa authorization exec default local
aaa authorization network default group radius local
aaa authorization auth-proxy default group radius
aaa authorization credential-download default local
aaa accounting identity default start-stop group radius
!
!
aaa attribute list MUSTS
 attribute type linksec-policy must-secure
!
aaa attribute list macsec-dot1-credentials
 attribute type linksec-policy must-secure
!
aaa attribute list MUSTS_CA
 attribute type linksec-policy must-secure
!
aaa attribute list SHOULDS_CA
 attribute type linksec-policy should-secure
!
aaa attribute list mkadt_CA
 attribute type linksec-policy must-secure
!
aaa session-id common
username MUST aaa attribute list MUSTS_CA
username MUSTS.mkadt.cisco.com

crypto pki trustpoint demo
 enrollment terminal
 serial-number
 fqdn MUSTS.mkadt.cisco.com
 subject-name cn=MUSTS.mkadt.cisco.com,OU=CSG Security,O=Cisco Systems,L=Bengaluru,ST=KA,C=IN
 subject-alt-name MUSTS.mkadt.cisco.com
 revocation-check none
 rsakeypair demo 2048
 hash sha256

eap profile EAP_P
 method tls
 pki-trustpoint demo

dot1x system-auth-control
dot1x credentials MUSTS-CA
 username MUST
 password 0 MUST_CA
!
dot1x credentials MUSTS
 username MUSTS.mkadt.cisco.com

crypto pki authenticate demo
crypto pki enroll demo
crypto pki import demo certificate

policy-map type control subscriber MUSTS_1
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x both
 event authentication-failure match-all
  10 class always do-until-failure
   10 terminate dot1x
   20 authentication-restart 10
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE

interface GigabitEthernet2/9
 switchport mode access
 macsec
 access-session host-mode multi-host
 access-session closed
 access-session port-control auto
 dot1x pae both
 dot1x authenticator eap profile EAP_P
 dot1x credentials MUSTS
 dot1x supplicant eap profile EAP_P
 service-policy type control subscriber MUSTS_1

Configuring MKA/MACsec for Port Channel

Configuring MKA/MACsec for Port Channel Using PSK

SUMMARY STEPS

1. configure terminal
2. interface interface-id
3. macsec
4. mka policy policy-name
5. mka pre-shared-key key-chain key-chain-name
6. channel-group channel-group-number mode {active | passive} | {on}
7. end

DETAILED STEPS

Step 1
configure terminal
Enter global configuration mode.

Step 2
interface interface-id
Enters interface configuration mode.

Step 3
macsec
Enables MACsec on the interface. Supports layer 2 and layer 3 port channels.

Step 4
mka policy policy-name
Configures an MKA policy.

Step 5
mka pre-shared-key key-chain key-chain-name
Configures an MKA pre-shared-key key-chain name.
Note
The MKA pre-shared key can be configured on either physical interface or sub-interfaces and not on both.

Step 6
channel-group channel-group-number mode {active | passive} | {on}
Configures the port in a channel group and sets the mode. The channel-number range is from 1 to 4096. The port channel associated with this channel group is automatically created if the port channel does not already exist. For mode, select one of the following keywords:
· on — Forces the port to channel without PAgP or LACP. In the on mode, an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode.
· active — Enables LACP only if a LACP device is detected. It places the port into an active negotiating state in which the port starts negotiations with other ports by sending LACP packets.
· passive — Enables LACP on the port and places it into a passive negotiating state in which the port responds to LACP packets that it receives, but does not start LACP packet negotiation.

Step 7
end
Returns to privileged EXEC mode.

Configuring Port Channel Logical Interfaces for Layer 2 EtherChannels
To create a port channel interface for a Layer 2 EtherChannel, perform this task:


SUMMARY STEPS

1. configure terminal
2. [no] interface port-channel channel-group-number
3. switchport
4. switchport mode {access | trunk}
5. end

DETAILED STEPS

Step 1
configure terminal
Enter global configuration mode.

Step 2
[no] interface port-channel channel-group-number
Creates the port channel interface.
Note
Use the no form of this command to delete the port channel interface.

Step 3
switchport
Switches an interface that is in Layer 3 mode into Layer 2 mode for Layer 2 configuration.

Step 4
switchport mode {access | trunk}
Assigns all ports as static-access ports in the same VLAN, or configures them as trunks.

Step 5
end
Returns to privileged EXEC mode.

Configuring Port Channel Logical Interfaces for Layer 3 EtherChannels
To create a port channel interface for a Layer 3 EtherChannel, perform this task:

SUMMARY STEPS

1. configure terminal
2. interface port-channel interface-id
3. no switchport
4. ip address ip-address subnet_mask
5. end

DETAILED STEPS

Step 1
configure terminal
Enter global configuration mode.

Step 2
interface port-channel interface-id
Enters interface configuration mode.

Step 3
no switchport
Switches an interface that is in Layer 2 mode into Layer 3 mode for Layer 3 configuration.

Step 4
ip address ip-address subnet_mask
Assigns an IP address and subnet mask to the EtherChannel.

Step 5
end
Returns to privileged EXEC mode.


Example: Configuring MACsec MKA for Port Channel using PSK

Etherchannel Mode — Static/On
The following is a sample configuration on Device 1 and Device 2 with EtherChannel Mode on.
key chain KC macsec
 key 1000
  cryptographic-algorithm aes-128-cmac
  key-string FC8F5B10557C192F03F60198413D7D45
 end

mka policy POLICY
 key-server priority 0
 macsec-cipher-suite gcm-aes-128
 confidentiality-offset 0
 end

interface Te1/0/1
 channel-group 2 mode on
 macsec
 mka policy POLICY
 mka pre-shared-key key-chain KC
 end

interface Te1/0/2
 channel-group 2 mode on
 macsec
 mka policy POLICY
 mka pre-shared-key key-chain KC
 end

Layer 2 EtherChannel Configuration

Device 1
interface port-channel 2
 switchport
 switchport mode trunk
 no shutdown
 end

Device 2
interface port-channel 2
 switchport
 switchport mode trunk
 no shutdown
 end
The following shows a sample output of the show etherchannel summary command.

Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
        A - formed by Auto LAG

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
2      Po2(RU)                   Te1/0/1(P)  Te1/0/2(P)

Layer 3 EtherChannel Configuration

Device 1
interface port-channel 2
 no switchport
 ip address 10.25.25.3 255.255.255.0
 no shutdown
 end

Device 2
interface port-channel 2
 no switchport
 ip address 10.25.25.4 255.255.255.0
 no shutdown
 end
The following shows a sample output of the show etherchannel summary command.

Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
        A - formed by Auto LAG

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
2      Po2(RU)                   Te1/0/1(P)  Te1/0/2(P)

Etherchannel Mode — LACP
The following is a sample configuration on Device 1 and Device 2 with EtherChannel Mode as LACP.
key chain KC macsec
 key 1000
  cryptographic-algorithm aes-128-cmac
  key-string FC8F5B10557C192F03F60198413D7D45
 end

mka policy POLICY
 key-server priority 0
 macsec-cipher-suite gcm-aes-128
 confidentiality-offset 0
 end

interface Te1/0/1
 channel-group 2 mode active
 macsec
 mka policy POLICY
 mka pre-shared-key key-chain KC
 end

interface Te1/0/2
 channel-group 2 mode active
 macsec
 mka policy POLICY
 mka pre-shared-key key-chain KC
 end

Layer 2 EtherChannel Configuration

Device 1
interface port-channel 2
 switchport
 switchport mode trunk
 no shutdown
 end

Device 2
interface port-channel 2
 switchport
 switchport mode trunk
 no shutdown
 end

The following shows a sample output of the show etherchannel summary command.

Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
        A - formed by Auto LAG

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
2      Po2(SU)       LACP        Te1/1/1(P)  Te1/1/2(P)

Layer 3 EtherChannel Configuration

Device 1
interface port-channel 2
 no switchport
 ip address 10.25.25.3 255.255.255.0
 no shutdown
 end

Device 2
interface port-channel 2
 no switchport
 ip address 10.25.25.4 255.255.255.0
 no shutdown
 end

The following shows a sample output of the show etherchannel summary command.

Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
        A - formed by Auto LAG

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
2      Po2(RU)       LACP        Te1/1/1(P)  Te1/1/2(P)

Displaying Active MKA Sessions

The following shows all the active MKA sessions.

show mka sessions interface Te1/0/1

====================================================================================================
Interface  Local-TxSCI          Policy-Name  Inherited  Key-Server  Port-ID  Peer-RxSCI           MACsec-Peers  Status   CKN
====================================================================================================
Te1/0/1    00a3.d144.3364/0025  POLICY       NO         NO          37       701f.539b.b0c6/0032  1             Secured  1000

Configuring MACsec Cipher Announcement
Configuring an MKA Policy for Secure Announcement

SUMMARY STEPS

1. configure terminal
2. mka policy policy-name
3. key-server priority
4. [no] send-secure-announcements
5. macsec-cipher-suite {gcm-aes-128 | gcm-aes-256}
6. end
7. show mka policy

DETAILED STEPS

Step 1
configure terminal
Enter global configuration mode.

Step 2
mka policy policy-name
Identify an MKA policy, and enter MKA policy configuration mode. The maximum policy name length is 16 characters.
Note
The default MACsec cipher suite in the MKA policy will always be “GCM-AES-128”. If the device supports both “GCM-AES-128” and “GCM-AES-256” ciphers, it is highly recommended to define and use a user defined MKA policy to include both 128 and 256 bits ciphers or only 256 bits cipher, as may be required.

Step 3
key-server priority
Configure MKA key server options and set priority (between 0-255).
Note
When the value of key server priority is set to 255, the peer cannot become the key server. The key server priority value is valid only for MKA PSK, and not for MKA EAPTLS.

Step 4
[no] send-secure-announcements
Enables sending of secure announcements. Use the no form of the command to disable sending of secure announcements. By default, secure announcements are disabled.

Step 5
macsec-cipher-suite {gcm-aes-128 | gcm-aes-256}
Configures cipher suite for deriving SAK with 128-bit or 256-bit encryption.

Step 6
end
Returns to privileged EXEC mode.

Step 7
show mka policy
Verify your entries.

Configuring Secure Announcement Globally (Across all the MKA Policies)

SUMMARY STEPS

1. configure terminal
2. [no] mka defaults policy send-secure-announcements
3. end

DETAILED STEPS

Step 1
configure terminal
Enter global configuration mode.

Step 2
[no] mka defaults policy send-secure-announcements
Enables sending of secure announcements in MKPDUs across MKA policies. By default, secure announcements are disabled.

Step 3
end
Returns to privileged EXEC mode.


Configuring EAPoL Announcements on an interface

SUMMARY STEPS

1. configure terminal
2. interface interface-id
3. [no] eapol announcement
4. end

DETAILED STEPS

Step 1
configure terminal
Enter global configuration mode.

Step 2
interface interface-id
Identifies the MACsec interface, and enters interface configuration mode. The interface must be a physical interface.

Step 3
[no] eapol announcement
Enables EAPoL announcements. Use the no form of the command to disable EAPoL announcements. By default, EAPoL announcements are disabled.

Step 4
end
Returns to privileged EXEC mode.

Examples: Configuring MACsec Cipher Announcement
This example shows how to configure an MKA policy for Secure Announcement:

configure terminal
(config)# mka policy mka_policy
(config-mka-policy)# key-server priority 2
(config-mka-policy)# send-secure-announcements
(config-mka-policy)# macsec-cipher-suite gcm-aes-128
(config-mka-policy)# confidentiality-offset 0
(config-mka-policy)# end

This example shows how to configure Secure Announcement globally:

configure terminal
(config)# mka defaults policy send-secure-announcements
(config)# end

This example shows how to configure EAPoL Announcements on an interface:

configure terminal
(config)# interface GigabitEthernet 1/0/1
(config-if)# eapol announcement
(config-if)# end
The following is a sample output of the show running-config interface interface-name command with EAPoL announcement enabled.

show running-config interface GigabitEthernet 1/0/1

 switchport mode access
 macsec
 access-session host-mode multi-host
 access-session closed
 access-session port-control auto
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 10
 dot1x supplicant eap profile peap
 eapol announcement
 spanning-tree portfast
 service-policy type control subscriber Dot1X
The following is a sample output of the show mka sessions interface interface-name detail command with secure announcement disabled.

show mka sessions interface GigabitEthernet 1/0/1 detail

MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec

Local Tx-SCI............. 204c.9e85.ede4/002b
Interface MAC Address.... 204c.9e85.ede4
MKA Port Identifier...... 43
Interface Name........... GigabitEthernet1/0/1
Audit Session ID.........
CAK Name (CKN)........... 0100000000000000000000000000000000000000000000000000000000000000
Member Identifier (MI)... D46CBEC05D5D67594543CEAE
Message Number (MN)...... 89567
EAP Role................. NA
Key Server............... YES
MKA Cipher Suite......... AES-128-CMAC

Latest SAK Status........ Rx & Tx
Latest SAK AN............ 0
Latest SAK KI (KN)....... D46CBEC05D5D67594543CEAE00000001 (1)
Old SAK Status........... FIRST-SAK
Old SAK AN............... 0
Old SAK KI (KN).......... FIRST-SAK (0)

SAK Transmit Wait Time... 0s (Not waiting for any peers to respond)
SAK Retire Time.......... 0s (No Old SAK to retire)

MKA Policy Name.......... p2
Key Server Priority...... 2
Delay Protection......... NO
Replay Protection........ YES
Replay Window Size....... 0
Confidentiality Offset... 0
Algorithm Agility........ 80C201
Send Secure Announcement.. DISABLED
SAK Cipher Suite......... 0080C20001000001 (GCM-AES-128)
MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired........... YES

# of MACsec Capable Live Peers............ 1
# of MACsec Capable Live Peers Responded.. 1

Live Peers List:
  MI                        MN         Rx-SCI (Peer)         KS Priority
  ----------------------------------------------------------------------
  38046BA37D7DA77E06D006A9  89555      c800.8459.e764/002a   10

Potential Peers List:
  MI                        MN         Rx-SCI (Peer)         KS Priority
  ----------------------------------------------------------------------

Dormant Peers List:
  MI                        MN         Rx-SCI (Peer)         KS Priority
  ----------------------------------------------------------------------

The following is a sample output of the show mka sessions details command with secure announcement disabled.

show mka sessions details

MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec

Local Tx-SCI............. 204c.9e85.ede4/002b
Interface MAC Address.... 204c.9e85.ede4
MKA Port Identifier...... 43
Interface Name........... GigabitEthernet1/0/1
Audit Session ID.........
CAK Name (CKN)........... 0100000000000000000000000000000000000000000000000000000000000000
Member Identifier (MI)... D46CBEC05D5D67594543CEAE
Message Number (MN)...... 89572
EAP Role................. NA
Key Server............... YES
MKA Cipher Suite......... AES-128-CMAC

Latest SAK Status........ Rx & Tx
Latest SAK AN............ 0
Latest SAK KI (KN)....... D46CBEC05D5D67594543CEAE00000001 (1)
Old SAK Status........... FIRST-SAK
Old SAK AN............... 0
Old SAK KI (KN).......... FIRST-SAK (0)

SAK Transmit Wait Time... 0s (Not waiting for any peers to respond)
SAK Retire Time.......... 0s (No Old SAK to retire)

MKA Policy Name.......... p2
Key Server Priority...... 2
Delay Protection......... NO
Replay Protection........ YES
Replay Window Size....... 0
Confidentiality Offset... 0
Algorithm Agility........ 80C201
Send Secure Announcement.. DISABLED
SAK Cipher Suite......... 0080C20001000001 (GCM-AES-128)
MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired........... YES

# of MACsec Capable Live Peers............ 1
# of MACsec Capable Live Peers Responded.. 1

Live Peers List:
  MI                        MN         Rx-SCI (Peer)         KS Priority
  ----------------------------------------------------------------------
  38046BA37D7DA77E06D006A9  89560      c800.8459.e764/002a   10

Potential Peers List:
  MI                        MN         Rx-SCI (Peer)         KS Priority
  ----------------------------------------------------------------------

Dormant Peers List:
  MI                        MN         Rx-SCI (Peer)         KS Priority
  ----------------------------------------------------------------------

The following is a sample output of the show mka policy policy-name detail command with secure announcement disabled.

show mka policy p2 detail

MKA Policy Configuration ("p2")
========================
MKA Policy Name........ p2
Key Server Priority.... 2
Confidentiality Offset. 0
Send Secure Announcement..DISABLED
Cipher Suite(s)........ GCM-AES-128
Applied Interfaces... GigabitEthernet1/0/1
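The detail output above is what an operator has to read to confirm that a link is actually protected. As an added example that is not part of this guide, the following Python script parses the dotted "Field..... value" lines of the show mka sessions ... detail output and flags settings worth verifying; the sample text is a constructed, trimmed copy of that output, and the expected values (SECURED, SAK in use for Rx & Tx, replay protection on, confidentiality offset 0, a GCM-AES SAK cipher suite, every live peer responded) are the reviewer's assumptions about a healthy session, not thresholds taken from the guide.

```python
import re

# Constructed sample, trimmed from the "show mka sessions ... detail" output above.
SAMPLE = """\
Status: SECURED - Secured MKA Session with MACsec
Local Tx-SCI............. 204c.9e85.ede4/002b
Latest SAK Status........ Rx & Tx
Replay Protection........ YES
Confidentiality Offset... 0
Send Secure Announcement.. DISABLED
SAK Cipher Suite......... 0080C20001000001 (GCM-AES-128)
# of MACsec Capable Live Peers............ 1
# of MACsec Capable Live Peers Responded.. 1
"""

# "Key..... value" lines: the key contains no dots, the filler is two or more dots.
FIELD_RE = re.compile(r"^(?P<key>[^.]+?)\.{2,}\s*(?P<value>.*)$")


def parse_mka_detail(text):
    """Turn the dotted field lines of the detail output into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Status:"):
            fields["Status"] = line.split(":", 1)[1].strip()
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def audit_mka_session(fields):
    """Return findings for a parsed session; an empty list means it passes (assumed thresholds)."""
    findings = []
    if not fields.get("Status", "").startswith("SECURED"):
        findings.append("session is not SECURED")
    if fields.get("Latest SAK Status") != "Rx & Tx":
        findings.append("latest SAK is not installed for both Rx and Tx")
    if fields.get("Replay Protection") != "YES":
        findings.append("replay protection is off")
    if fields.get("Confidentiality Offset") != "0":
        findings.append("confidentiality offset leaves leading payload bytes unencrypted")
    if "GCM-AES" not in fields.get("SAK Cipher Suite", ""):
        findings.append("SAK cipher suite is not GCM-AES")
    live = fields.get("# of MACsec Capable Live Peers")
    responded = fields.get("# of MACsec Capable Live Peers Responded")
    if live != responded:
        findings.append("not every MACsec-capable live peer responded")
    return findings
```

Run it against the full detail output of each MACsec interface; the parser skips the peer tables and banner lines, so the whole command output can be fed in unchanged.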
