7
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter interface view.
interface
interface-type
interface-number
N/A
3. Enable MACsec desire.
macsec desire
By default, the port does not
expect MACsec protection for
outbound frames.
Configuring a preshared key
In device-oriented mode, configure a preshared key as the CAK to be used during MKA negotiation.
To successfully establish an MKA session between two devices, make sure the connected MACsec
ports are configured with the same preshared key.
A user-configured preshared key has higher priority than the 802.1X-generated CAK. To ensure a
successful MKA session establishment, do not configure a preshared key in client-oriented mode.
To configure a preshared key:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter interface view.
interface
interface-type
interface-number
N/A
3. Set a preshared key.
mka psk ckn
name
cak simple
string
By default, no MKA preshared key
exists.
The MACsec cipher suite
supported by the device requires
that the CKN and CAK each must
be 32 characters long. If the
configured CKN or CAK is not 32
characters long, the system
performs the following operations
when it runs the cipher suite:
• Automatically increases the
length of the CKN or CAK by
zero padding if the CKN or
CAK contains less than 32
characters.
• Uses only the first 32
characters if the CKN or CAK
contains more than 32
characters.
Configuring the MKA key server priority
Configure an MKA key server priority for key server selection. The lower the priority value, the higher
the priority.
In client-oriented mode, the access device port automatically becomes the key server. You do not
have to configure the MKA key server priority.
In device-oriented mode, the port that has higher priority becomes the key server. If a port and its
peers have the same priority, MACsec compares the secure channel identifier (SCI) values on the
To Next Page
Loading...
Need help?
General