11-31
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 11 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication
The session ID is used by the NAD, the AAA server, and other report-analyzing applications to identify
the client. The ID appears automatically. No configuration is required.
Understanding Media Access Control Security and MACsec Key Agreement
Media Access Control Security (MACsec), defined in 802.1AE, provides MAC-layer encryption over
wired networks by using out-of-band methods for encryption keying. The MACsec Key Agreement
(MKA) Protocol provides the required session keys and manages the required encryption keys. MKA
and MACsec are implemented after successful using the 802.1x Extensible Authentication Protocol
(EAP) framework. On the Catalyst 3750-X and 3560-X switches running Cisco IOS Release
12.2(53)SE2, only host facing links (links between network access devices and endpoint devices such as
a PC or IP phone) can be secured using MACsec.
A switch using MACsec accepts either MACsec or non-MACsec frames, depending on the policy
associated with the client. MACsec frames are encrypted and protected with an integrity check value
(ICV). When the switch receives frames from the client, it decrypts them and calculates the correct ICV
by using session keys provided by MKA. The switch compares that ICV to the ICV within the frame. If
they are not identical, the frame is dropped. The switch also encrypts and adds an ICV to any frames sent
over the secured port (the access point used to provide the secure MAC service to a client) using the
current session key.
The MKA Protocol manages the encryption keys used by the underlying MACsec protocol. The basic
requirements of MKA are defined in 802.1x-REV. The MKA Protocol extends 802.1x to allow peer
discovery with confirmation of mutual authentication and sharing of MACsec secret keys to protect data
exchanged by the peers.
The EAP framework implements MKA as a newly defined EAP-over-LAN (EAPOL) packet. EAP
authentication produces a master session key (MSK) shared by both partners in the data exchange.
Entering the EAP session ID generates a secure connectivity association key name (CKN). Because the
switch is the authenticator, it is also the key server, generating a random 128-bit secure association key
(SAK), which it sends it to the client partner. The client is never a key server and can only interact with
a single MKA entity, the key server. After key derivation and generation, the switch sends periodic
transports to the partner at a default interval of 2 seconds.
The packet body in an EAPOL Protocol Data Unit (PDU) is referred to as a MACsec Key Agreement
PDU (MKPDU). MKA sessions and participants are deleted when the MKA lifetime (6 seconds) passes
with no MKPDU received from a participant. For example, if a client disconnects, the participant on the
switch continues to operate MKA until 6 seconds have elapsed after the last MKPDU is received from
the client.
These sections provide more details:
MKA Policies, page 11-32
Virtual Ports, page 11-32
MACsec and Stacking, page 11-32
MACsec, MKA and 802.1x Host Modes, page 11-33
MKA Statistics, page 11-34