Cisco Catalyst 4500 Series - Understanding MKA Macsec with EAP-TLS

48-11
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 48 Configuring MACsec Encryption
Understanding MKA MACsec with EAP-TLS
Switch# show key chain k1
Key-chain k1:
MacSEC key chain
key 01 — text "c890433a1e05ef42d723a6b58af8fdbf7a25f42b3cda6a5eeb5ae4bf3a0a679f"
lifetime (00:00:00 UTC Oct 29 2014) - (12:10:00 UTC Oct 29 2014)
key 02 — text "14d9167d538819405c0ff78c655141ed4b3c7242562c0fb0f7a56f780bf29e52"
lifetime (12:00:00 UTC Oct 29 2014) - (18:05:00 UTC Oct 29 2014)
key 03 — text "88d971cb19d9f2598ad76edc562ade2e7e91e3ed70524f5c3c4d8d9599d0670e"
lifetime (18:00:00 UTC Oct 29 2014) - (18:10:00 UTC Oct 29 2014)
key 04 — text "75474bce819b49ad7e5bd06236bc0c944c69892f71e942e2f9812b7d3a7b2a5f"
lifetime (18:10:00 UTC Oct 29 2014) - (infinite)
! In this case, keys 01, 02 and 03 have overlapping lifetimes, but key 04 does not overlap with key 03. This is the sequence of how the key chain is used:
@00:00:00 - A new MKA session is Secured with key 01.
@12:00:00 - CAK rekey triggers with key 02 and, upon success, the session goes to the Secured state.
@18:00:00 - CAK rekey triggers with key 03 and, upon success, the session goes to the Secured state.
@18:10:00 - Key 03 expires, so the MKA session using this key is brought down.
@18:10:00 - Key 04 becomes active and a new MKA session is triggered with this key. Upon
success, the session is Secured and stays UP for an infinite time.
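The following is an added example, not part of the Cisco guide: it parses the `show key chain` output above (with the CAK hex strings replaced by a placeholder, since only the lifetimes matter) and replays the rekey/teardown sequence the text describes, generalized to any number of keys. It also lists the key pairs whose lifetimes do not overlap, which is the check a practitioner wants before deploying a chain, because every such pair causes the MKA session to be torn down and re-established instead of being rekeyed. Function names and the event encoding are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample: the lifetimes from the page's `show key chain k1` output,
# with the CAK hex strings replaced by a placeholder (the parser ignores them).
SAMPLE_KEY_CHAIN = """\
Key-chain k1:
    MacSEC key chain
    key 01 -- text "<cak-hex>"
        lifetime (00:00:00 UTC Oct 29 2014) - (12:10:00 UTC Oct 29 2014)
    key 02 -- text "<cak-hex>"
        lifetime (12:00:00 UTC Oct 29 2014) - (18:05:00 UTC Oct 29 2014)
    key 03 -- text "<cak-hex>"
        lifetime (18:00:00 UTC Oct 29 2014) - (18:10:00 UTC Oct 29 2014)
    key 04 -- text "<cak-hex>"
        lifetime (18:10:00 UTC Oct 29 2014) - (infinite)
"""

TIME_FMT = "%H:%M:%S UTC %b %d %Y"
KEY_RE = re.compile(r"^\s*key (\d+)\b")
LIFETIME_RE = re.compile(r"^\s*lifetime \((.+?)\) - \((.+?)\)")


@dataclass
class Key:
    key_id: str
    start: datetime
    end: Optional[datetime]  # None means the lifetime is infinite


def parse_key_chain(text: str) -> List[Key]:
    """Extract key ids and lifetimes from `show key chain` output, sorted by start time."""
    keys: List[Key] = []
    current_id: Optional[str] = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current_id = m.group(1)
            continue
        m = LIFETIME_RE.match(line)
        if m and current_id is not None:
            start = datetime.strptime(m.group(1), TIME_FMT)
            end = None if m.group(2) == "infinite" else datetime.strptime(m.group(2), TIME_FMT)
            keys.append(Key(current_id, start, end))
            current_id = None
    return sorted(keys, key=lambda k: k.start)


# (time, action, key id) where action is "secured", "rekey" or "down"
Event = Tuple[datetime, str, str]


def simulate_mka_sessions(keys: List[Key]) -> List[Event]:
    """Replay the chain the way the page describes MKA handling it.

    A key whose lifetime starts while the active key is still alive triggers a
    CAK rekey of the existing session.  If the active key expires before, or at
    the moment, the next key starts, the session is brought down and the next
    key has to bring up a fresh MKA session.
    """
    events: List[Event] = []
    active: Optional[Key] = None
    for key in keys:
        if active is None:
            events.append((key.start, "secured", key.key_id))
        elif active.end is not None and key.start >= active.end:
            # No overlap: the old key dies first, then a new session is triggered.
            events.append((active.end, "down", active.key_id))
            events.append((key.start, "secured", key.key_id))
        else:
            events.append((key.start, "rekey", key.key_id))
        active = key
    if active is not None and active.end is not None:
        # The last key has a finite lifetime and no successor: the session ends.
        events.append((active.end, "down", active.key_id))
    return events


def keys_without_overlap(keys: List[Key]) -> List[Tuple[str, str]]:
    """(current, next) pairs whose lifetimes do not overlap, i.e. where the
    session will be torn down and rebuilt instead of rekeyed."""
    return [
        (cur.key_id, nxt.key_id)
        for cur, nxt in zip(keys, keys[1:])
        if cur.end is not None and nxt.start >= cur.end
    ]


if __name__ == "__main__":
    chain = parse_key_chain(SAMPLE_KEY_CHAIN)
    for when, action, key_id in simulate_mka_sessions(chain):
        print(f"@{when:%H:%M:%S} - {action:8s} key {key_id}")
    print("non-overlapping pairs:", keys_without_overlap(chain))
```

Run on the sample, the timeline reproduces the five events listed above, and the overlap check flags only the pair (03, 04). Extending each key's lifetime so that it overlaps its successor by a few minutes removes the "down" event entirely.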
Understanding MKA MACsec with EAP-TLS
Beginning in Cisco IOS XE Release 3.9.0E, MKA MACsec is supported on switch-to-switch links on
Cisco Catalyst 4500-X series switches and Cisco Catalyst 4500-E series switches with Supervisor
Engine 8-E.
Using IEEE 802.1X port-based authentication with Extensible Authentication Protocol-Transport Layer Security (EAP-TLS),
you can configure MKA MACsec between device uplink ports. EAP-TLS provides mutual authentication
and obtains a master session key (MSK) from which the connectivity association key (CAK) is derived
for MKA operations. Device certificates are carried, using EAP-TLS, for authentication to the AAA
server.
Note: MKA MACsec is not supported on multipoint-to-multipoint links.
Prerequisites for MKA MACsec with EAP-TLS
- Ensure that you have a Certificate Authority (CA) server configured for your network.
- Generate a CA certificate.
- We recommend that you configure Cisco Identity Services Engine (ISE) Release 2.0.
- Ensure that both participating devices, the CA server, and Cisco Identity Services Engine (ISE)
are synchronized using Network Time Protocol (NTP).
- Ensure that 802.1X authentication and AAA are configured on your device.
Limitations for MKA MACsec with EAP-TLS
- MKA is not supported on port channels.
- MKA is not supported with High Availability and local authentication.