463
Figure 140 MACsec interactive process in client-oriented mode
The following shows the MACsec process:
1. After the client passes 802.1X authentication, the RADIUS server distributes the generated
CAK-related parameters to the client and the access device.
2. After receiving the CAK, the client and the access device exchange EAPOL-MKA packets.
The client and the access device exchange the MACsec capability and required parameters for
session establishment. The parameters include MKA key server priority and MACsec desire.
During the negotiation process, the access device automatically becomes the key server. The
key server generates an SAK from the CAK for packet encryption, and it distributes the SAK to
the client.
3. The client and the access device use the SAK to encrypt packets, and they send and receive
the encrypted packets in secure channels.
4. When the access device receives a logoff request from the client, it immediately removes the
associated secure session from the port. The remove operation prevents an unauthorized client
from using the secure session established by the previous authorized client to access the
network.
The MKA protocol also defines a session keepalive timer. If one participant does not receive any
MKA packets from the peer after the timer expires, the participant removes the established secure
session. The keepalive time is 6 seconds.
EAPOL
RADIUS
EAPOL-Start
EAP-Request
/
Identity
EAP-
Response /
Identity
EAP-Success
EAPOL-MKA: key server
.......
Client
Device
Authentication server
RADIUS Access-Request
RADIUS Access-Accept
Identity
authentication
EAPOL-
MKA: MACsec capable
EAPOL-MKA: key name, SAK
EAPOL-MKA: SAK installed
Session
negotiation
M
K
A
Secure
communication
M
A
C
s
e
c
8
0
2
.
1
X
Secured frames
To Next Page
Loading...
Need help?
General