This document provides a configuration example for Media Access Control Security (MACsec) encryption between an 802.1x supplicant (Cisco AnyConnect Secure Mobility Client) and an authenticator (switch). Cisco Identity Services Engine (ISE) is used as the authentication and policy server.
MACsec is standardized in IEEE 802.1AE and is supported on Cisco 3750X, 3560X, and 4500 SUP7E switches. 802.1AE defines hop-by-hop link-layer encryption for wired networks but does not distribute keys itself; the encryption keys are negotiated with the MACsec Key Agreement (MKA) protocol, which runs after a successful 802.1x authentication. MKA is standardized in IEEE 802.1X-2010.
A packet is encrypted only on the link between the PC and the switch (point-to-point encryption). The switch decrypts the received packet and forwards it unencrypted over its uplinks. To protect traffic between switches, switch-to-switch encryption is recommended as well; for that, the Security Association Protocol (SAP) negotiates and regenerates the keys. SAP is a pre-standard key agreement protocol developed by Cisco.
Cisco recommends that you have knowledge of these topics:
Basic knowledge of 802.1x configuration
Basic knowledge of CLI configuration of Catalyst switches
Experience with ISE configuration
The information in this document is based on these software and hardware versions:
Microsoft Windows 7 and Microsoft Windows XP operating systems
Cisco 3750X Software, Version 15.0 and later
Cisco ISE Software, Version 1.1.4 and later
Cisco AnyConnect Secure Mobility Client with Network Access Manager (NAM), Version 3.1 and later
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Network Diagram and Traffic Flow
Step 1. The supplicant (AnyConnect NAM) starts the 802.1x session. The switch is the authenticator and ISE is the authentication server. Extensible Authentication Protocol over LAN (EAPOL) carries EAP between the supplicant and the switch; RADIUS carries EAP between the switch and ISE. MAC Authentication Bypass (MAB) cannot be used: without an EAP exchange no master session key is derived, so ISE has no EAP-Key-Name or MS-MPPE keys to return to the switch, and there is nothing to seed the MACsec Key Agreement (MKA) session with.
Step 2. After 802.1x authentication completes, the switch initiates an MKA session; the MKA protocol data units (MKPDUs) are carried in EAPOL frames. Both sides derive the Connectivity Association Key (CAK) from the EAP master session key, and the switch, as MKA key server, distributes the Secure Association Key (SAK) used for symmetric 128-bit AES-GCM (Galois/Counter Mode) encryption. If the supplicant is configured correctly, both sides end up with the same SAK.
Step 3. All subsequent data frames between the supplicant and the switch are encrypted (802.1AE encapsulation, EtherType 0x88E5). The MKA keepalives themselves continue to travel as plain EAPOL frames on the uncontrolled port.
The ISE configuration is a typical 802.1x scenario, except for the Authorization Profile, which can carry a link-encryption policy.
Choose Administration > Network Resources > Network Devices in order to add the switch as a network device. Enter a RADIUS preshared key (Shared Secret); it must match the key configured on the switch.
The default authentication rule can be used (for users defined locally on ISE).
Choose Administration > Identity Management > Users in order to define the user "cisco" locally.
The Authorization Profile carries the encryption policy. Choose Policy > Results > Authorization Profiles; in this example the profile tells the switch that link encryption is mandatory (returned as the Cisco AVPair linksec-policy=must-secure) and also assigns VLAN 10.
Choose Policy > Authorization in order to use the authorization profile in an authorization rule. In this example the profile is returned for user "cisco". If 802.1x succeeds, ISE sends a RADIUS Access-Accept to the switch that carries the Cisco AVPair linksec-policy=must-secure. That attribute forces the switch to initiate an MKA session; if the MKA session fails, 802.1x authorization on the switch fails as well, even though authentication succeeded.
Typical 802.1x port settings include (top portion shown):
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
aaa group server radius ISE
 server name ISE
!
interface GigabitEthernet1/0/2
 description windows7
 switchport mode access
 authentication order dot1x
 authentication port-control auto
 dot1x pae authenticator
!
radius server ISE
 address ipv4 10.48.66.74 auth-port 1645 acct-port 1646
 timeout 5
 retransmit 2
 key cisco
The local MKA policy is created and applied to the interface. Also, MACsec is enabled on the interface.
On AnyConnect, the statistics indicate encryption usage and packet statistics.
This section provides information you can use to troubleshoot your configuration.
Debugs for a Working Scenario
Enable debugs on the switch (some output has been omitted for clarity).
debug macsec event
debug macsec error
debug epm all
debug dot1x all
debug radius
debug radius verbose
After the 802.1x session is established, multiple EAP packets are exchanged over EAPOL. The final EAP-Success from ISE is carried inside a RADIUS Access-Accept, which also includes several RADIUS attributes.
RADIUS: Received from id 1645/40 10.48.66.74:1645, Access-Accept, len 376
RADIUS: EAP-Key-Name  67 *
RADIUS: Vendor, Cisco  34
RADIUS: Cisco AVpair  28 "linksec-policy=must-secure"
RADIUS: Vendor, Microsoft  58
RADIUS: MS-MPPE-Send-Key  52 *
RADIUS: Vendor, Microsoft  58
RADIUS: MS-MPPE-Recv-Key  52 *
EAP-Key-Name (the EAP Session-ID) and the master session key halves in MS-MPPE-Send-Key and MS-MPPE-Recv-Key are the inputs MKA needs: per IEEE 802.1X-2010 the CAK is derived from the MSK and the Connectivity Association Key Name (CKN) seen in the later MKA messages is derived from the EAP Session-ID. The linksec-policy AVPair forces the switch to use MACsec, and authorization fails if the MKA session does not complete. These attributes can also be verified in packet captures.
Authentication is successful.
%DOT1X-5-SUCCESS: Authentication successful for client (0050.5699.36ce) on Interface Gi1/0/2 AuditSessionID C0A8000100000D56FD55B3BF
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0050.5699.36ce) on Interface Gi1/0/2 AuditSessionID C0A8000100000D56FD55B3BF
The switch applies the returned attributes, which here include the optional VLAN assignment.
%AUTHMGR-5-VLANASSIGN: VLAN 10 assigned to Interface Gi1/0/2 AuditSessionID C0A8000100000D56FD55B3BF
The switch then starts the MKA session; MKPDUs are sent and received as EAPOL frames.
%MKA-5-SESSION_START: (Gi1/0/2 : 2) MKA Session started for RxSCI 0050.5699.36ce/0000, AuditSessionID C0A8000100000D56FD55B3BF, AuthMgr-Handle 97000D57
dot1x-ev(Gi1/0/2): Sending out EAPOL packet
EAPOL pak dump Tx
EAPOL pak dump rx
dot1x-packet(Gi1/0/2): Received an EAPOL frame
dot1x-packet(Gi1/0/2): Received an MKA packet
After a four-packet MKA exchange the Secure Channel Identifiers (SCIs) are created along with the Receive (RX) security association. An SCI is the 48-bit MAC address followed by a 16-bit port identifier: the TxSC SCI BC166525A5020002 is the switch MAC bc16.6525.a502 with port 0002, and the RxSC SCI 50569936CE0000 is the supplicant MAC 0050.5699.36ce with port 0000 (the leading zero is not printed).
HULC-MACsec: MAC: 0050.5699.36ce, Vlan: 10, Domain: DATA
HULC-MACsec: Process create TxSC i/f GigabitEthernet1/0/2 SCI BC166525A5020002
HULC-MACsec: Process create RxSC i/f GigabitEthernet1/0/2 SCI 50569936CE0000
HULC-MACsec: Process install RxSA request79F6630 for interface GigabitEthernet1/0/2
The MKA session is secured and the Transmit (TX) security association is installed.
%MKA-5-SESSION_SECURED: (Gi1/0/2 : 2) MKA Session was secured for RxSCI 0050.5699.36ce/0000, AuditSessionID C0A8000100000D56FD55B3BF, CKN A2BDC3BE967584515298F3F1B8A9CC13
HULC-MACsec: Process install TxSA request66B4EEC for interface GigabitEthernet1/0/
The must-secure policy is satisfied and authorization succeeds.
%AUTHMGR-5-SUCCESS: Authorization succeeded for client (0050.5699.36ce) on Interface Gi1/0/2 AuditSessionID C0A8000100000D56FD55B3BF
Every 2 seconds (the MKA Hello Time) MKPDUs are exchanged so that each participant can confirm the other is still alive.
dot1x-ev(Gi1/0/2): Received TX PDU (5) for the client 0x6E0001EC (0050.5699.36ce)
dot1x-packet(Gi1/0/2): MKA length: 0x0084 data: ^A
dot1x-ev(Gi1/0/2): Sending EAPOL packet to group PAE address
EAPOL pak dump Tx
Debugs for a Failing Scenario
When the supplicant is not configured for MKA but ISE requests encryption, the 802.1x authentication itself still succeeds:
RADIUS: Received from id 1645/224 10.48.66.74:1645, Access-Accept, len 342
%DOT1X-5-SUCCESS: Authentication successful for client (0050.5699.36ce) on Interface Gi1/0/2 AuditSessionID C0A8000100000D55FD4D7529
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0050.5699.36ce) on Interface Gi1/0/2 AuditSessionID C0A8000100000D55FD4D7529
The switch tries to initiate an MKA session and sends five EAPOL (MKPDU) frames, none of which is answered.
%MKA-5-SESSION_START: (Gi1/0/2 : 2) MKA Session started for RxSCI 0050.5699.36ce/0000, AuditSessionID C0A8000100000D55FD4D7529, AuthMgr-Handle A4000D56
dot1x-ev(Gi1/0/2): Sending out EAPOL packet
EAPOL pak dump Tx
dot1x-ev(Gi1/0/2): Sending out EAPOL packet
EAPOL pak dump Tx
dot1x-ev(Gi1/0/2): Sending out EAPOL packet
EAPOL pak dump Tx
dot1x-ev(Gi1/0/2): Sending out EAPOL packet
EAPOL pak dump Tx
dot1x-ev(Gi1/0/2): Sending out EAPOL packet
EAPOL pak dump Tx
After the MKA Life Time expires (6 seconds, three missed Hellos, per IEEE 802.1X-2010) the peer is declared dead and authorization fails.
%MKA-4-KEEPALIVE_TIMEOUT: (Gi1/0/2 : 2) Peer has stopped sending MKPDUs for RxSCI 0050.5699.36ce/0000, AuditSessionID C0A8000100000D55FD4D7529, CKN F8288CDF7FA56386524DD17F1B62F3BA
%MKA-4-SESSION_UNSECURED: (Gi1/0/2 : 2) MKA Session was stopped by MKA and not secured for RxSCI 0050.5699.36ce/0000, AuditSessionID C0A8000100000D55FD4D7529, CKN F8288CDF7FA56386524DD17F1B62F3BA
%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0050.5699.36ce) on Interface Gi1/0/2 AuditSessionID C0A8000100000D55FD4D7529
The 802.1x session reports successful authentication, but failed authorization.
bsns-3750-5#show authentication sessions int g1/0/2
            Interface:  GigabitEthernet1/0/2
          MAC Address:  0050.5699.36ce
           IP Address:  192.168.1.201
            User-Name:  cisco
               Status:  Authz Failed
               Domain:  DATA
      Security Policy:  Must Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A8000100000D55FD4D7529
      Acct Session ID:  0x00011CA0
               Handle:  0xA4000D56

Runnable methods list:
       Method   State
       dot1x    Authc Success
Data traffic is blocked: the Security Policy is Must Secure but the Security Status is Unsecure.
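To make the difference between the working and the failing scenario mechanical, the following Python, added here as an example and not taken from the original document or from Cisco, groups the switch syslog lines by AuditSessionID and classifies each session, and parses the "debug radius" dump of the Access-Accept to confirm that the key-material attributes MKA depends on are present. The syslog and debug text is reconstructed from the output shown above; the MAB_ACCEPT dump is constructed to show why MAB cannot be combined with MACsec (no EAP exchange, so no EAP-Key-Name and no MS-MPPE keys).

```python
"""Correlate 802.1x / MKA switch debugs by AuditSessionID and check the
Access-Accept for the attributes MKA depends on.

Added example for this page, not code from the original document or from
Cisco. The syslog and 'debug radius' text is reconstructed from the debugs
shown on this page; MAB_ACCEPT is constructed to show the MAB case.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SESSION_RE = re.compile(r'AuditSessionID\s+([0-9A-Fa-f]+)')
MNEMONIC_RE = re.compile(r'%([A-Z0-9]+)-\d-([A-Z0-9_]+):')   # %FACILITY-SEV-MNEMONIC:
CKN_RE = re.compile(r'\bCKN\s+([0-9A-Fa-f]+)')
ATTR_RE = re.compile(r'^RADIUS:\s+([A-Za-z][A-Za-z0-9 ,-]*?)\s+(\d+)(?:\s+(.*))?$')
AVPAIR_RE = re.compile(r'"([^="]+)=([^"]*)"')

# Key material the switch derives CAK and CKN from; absent when no EAP ran (MAB).
REQUIRED_FOR_MKA = ('EAP-Key-Name', 'MS-MPPE-Send-Key', 'MS-MPPE-Recv-Key')

WORKING_LOG = """\
%DOT1X-5-SUCCESS: Authentication successful for client (0050.5699.36ce) on Interface Gi1/0/2 AuditSessionID C0A8000100000D56FD55B3BF
%MKA-5-SESSION_START: (Gi1/0/2 : 2) MKA Session started for RxSCI 0050.5699.36ce/0000, AuditSessionID C0A8000100000D56FD55B3BF, AuthMgr-Handle 97000D57
%MKA-5-SESSION_SECURED: (Gi1/0/2 : 2) MKA Session was secured for RxSCI 0050.5699.36ce/0000, AuditSessionID C0A8000100000D56FD55B3BF, CKN A2BDC3BE967584515298F3F1B8A9CC13
%AUTHMGR-5-SUCCESS: Authorization succeeded for client (0050.5699.36ce) on Interface Gi1/0/2 AuditSessionID C0A8000100000D56FD55B3BF
"""

FAILING_LOG = """\
%DOT1X-5-SUCCESS: Authentication successful for client (0050.5699.36ce) on Interface Gi1/0/2 AuditSessionID C0A8000100000D55FD4D7529
%MKA-5-SESSION_START: (Gi1/0/2 : 2) MKA Session started for RxSCI 0050.5699.36ce/0000, AuditSessionID C0A8000100000D55FD4D7529, AuthMgr-Handle A4000D56
%MKA-4-KEEPALIVE_TIMEOUT: (Gi1/0/2 : 2) Peer has stopped sending MKPDUs for RxSCI 0050.5699.36ce/0000, AuditSessionID C0A8000100000D55FD4D7529, CKN F8288CDF7FA56386524DD17F1B62F3BA
%MKA-4-SESSION_UNSECURED: (Gi1/0/2 : 2) MKA Session was stopped by MKA and not secured for RxSCI 0050.5699.36ce/0000, AuditSessionID C0A8000100000D55FD4D7529, CKN F8288CDF7FA56386524DD17F1B62F3BA
%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0050.5699.36ce) on Interface Gi1/0/2 AuditSessionID C0A8000100000D55FD4D7529
"""

WORKING_ACCEPT = """\
RADIUS: Received from id 1645/40 10.48.66.74:1645, Access-Accept, len 376
RADIUS: EAP-Key-Name  67 *
RADIUS: Vendor, Cisco  34
RADIUS: Cisco AVpair  28 "linksec-policy=must-secure"
RADIUS: Vendor, Microsoft  58
RADIUS: MS-MPPE-Send-Key  52 *
RADIUS: Vendor, Microsoft  58
RADIUS: MS-MPPE-Recv-Key  52 *
"""

# Constructed: the same profile returned after MAB, where no EAP took place.
MAB_ACCEPT = """\
RADIUS: Received from id 1645/41 10.48.66.74:1645, Access-Accept, len 80
RADIUS: Vendor, Cisco  34
RADIUS: Cisco AVpair  28 "linksec-policy=must-secure"
"""


def parse_radius_accept(debug_text: str) -> Tuple[set, Dict[str, str]]:
    """Return (attribute names, Cisco AVpairs) from a 'debug radius' dump."""
    attrs, avpairs = set(), {}
    for line in debug_text.splitlines():
        m = ATTR_RE.match(line.strip())
        if not m:
            continue                      # e.g. the 'Received from' header
        name, value = m.group(1).strip(), m.group(3) or ''
        attrs.add(name)
        if name == 'Cisco AVpair':
            for key, val in AVPAIR_RE.findall(value):
                avpairs[key] = val
    return attrs, avpairs


def mka_prerequisites(attrs: set) -> List[str]:
    """Key-material attributes missing from the Access-Accept; an empty list
    means the switch can derive CAK and CKN and start MKA."""
    return [a for a in REQUIRED_FOR_MKA if a not in attrs]


def correlate_sessions(log_text: str) -> Dict[str, Dict[str, object]]:
    """Group syslog lines by AuditSessionID: ordered FACILITY-MNEMONIC events
    plus the CKN once MKA reports one."""
    sessions = defaultdict(lambda: {'events': [], 'ckn': None})
    for line in log_text.splitlines():
        sid, mn = SESSION_RE.search(line), MNEMONIC_RE.search(line)
        if not (sid and mn):
            continue                      # not a per-session syslog line
        entry = sessions[sid.group(1)]
        entry['events'].append(f'{mn.group(1)}-{mn.group(2)}')
        ckn = CKN_RE.search(line)
        if ckn:
            entry['ckn'] = ckn.group(1)
    return dict(sessions)


def verdict(events: List[str]) -> str:
    """Classify one session from its event sequence."""
    if 'MKA-SESSION_SECURED' in events and 'AUTHMGR-SUCCESS' in events:
        return 'secured'
    if 'MKA-SESSION_UNSECURED' in events or 'MKA-KEEPALIVE_TIMEOUT' in events:
        return 'authenticated but MKA failed'   # the failing scenario above
    if 'AUTHMGR-FAIL' in events:
        return 'authorization failed'
    if 'MKA-SESSION_START' in events:
        return 'MKA in progress'
    if 'AUTHMGR-SUCCESS' in events:
        return 'authorized without MACsec'      # no must-secure policy in play
    return 'unknown'
```

Feed it real output from "debug dot1x all" and "debug radius" with correlate_sessions(open(path).read()); a session whose verdict is "authenticated but MKA failed" is exactly the state shown above, where dot1x Authc succeeded but the Status is Authz Failed. A non-empty list from mka_prerequisites() on the Access-Accept means MKA can never start for that session, whatever the linksec-policy says.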
When traffic is captured on the supplicant side while 4 Internet Control Message Protocol (ICMP) echo requests are sent and 4 replies are received, the capture shows:
4 encrypted ICMP echo requests sent to the switch (EtherType 0x88E5 is assigned to 802.1AE MACsec)
4 ICMP echo replies received in the clear (already decrypted)
This asymmetry comes from where AnyConnect hooks into the Windows network stack: outbound frames are MACsec-encrypted before the capture driver (libpcap) sees them, and inbound frames are decrypted before the capture driver sees them.
Note: The ability to sniff MKA or 802.1AE traffic on the switch with features such as Switched Port Analyzer (SPAN) or Embedded Packet Capture (EPC) is not supported.
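The 802.1AE encapsulation described in Step 3, the SCI values in the HULC-MACsec debug lines and the 0x88E5 frames in the supplicant capture can be checked with the following Python, added here as an example and not code from the original document or from Cisco. It builds a MACsec-tagged Ethernet frame like the outbound ICMP requests seen in the capture, parses the SecTAG (EtherType, TCI/AN, SL, PN and optional SCI) and rebuilds an SCI from a MAC address and port identifier. The switch MAC bc16.6525.a502 is recovered from the TxSC SCI in the debugs; the secure data and ICV are dummy bytes, so no AES-GCM is performed.

```python
"""Walk a MACsec (IEEE 802.1AE) frame and rebuild Secure Channel Identifiers.

Added example for this page; not code from the original document or from
Cisco. It builds an Ethernet frame carrying a MACsec SecTAG as a capture on
the supplicant shows outbound traffic (EtherType 0x88E5), parses the SecTAG,
and derives an SCI from MAC address plus port identifier so the values in the
switch debugs can be checked. Secure data and ICV are dummy bytes.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ETHERTYPE_MACSEC = 0x88E5   # EtherType assigned to IEEE 802.1AE
ICV_LEN = 16                # AES-GCM-128 integrity check value
# TCI bits of the TCI/AN octet, MSB first: V ES SC SCB E C, then a 2-bit AN
TCI_V, TCI_ES, TCI_SC, TCI_SCB, TCI_E, TCI_C = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04


def _mac_bytes(mac: str) -> bytes:
    """Accept 0050.5699.36ce, 00:50:56:99:36:ce or 00-50-56-99-36-ce."""
    raw = bytes.fromhex(mac.replace('.', '').replace(':', '').replace('-', ''))
    if len(raw) != 6:
        raise ValueError('MAC address must be 6 octets')
    return raw


def sci_from_mac(mac: str, port_id: int) -> int:
    """SCI = 48-bit MAC address || 16-bit port identifier.

    0050.5699.36ce / port 0 -> 0x0050569936CE0000, which IOS prints without
    the leading zero as 50569936CE0000 (the RxSC SCI in the debugs above).
    """
    return int.from_bytes(_mac_bytes(mac) + struct.pack('!H', port_id), 'big')


@dataclass
class SecTag:
    version: int
    end_station: bool
    sci_present: bool
    scb: bool
    encrypted: bool        # E bit: confidentiality in use
    changed_text: bool     # C bit: secure data differs from the user data
    an: int                # association number, selects the SAK
    short_length: int      # 0 unless the secure data is shorter than 48 octets
    pn: int                # packet number, the per-SA replay counter
    sci: Optional[int]     # explicit SCI, present only when the SC bit is set


def parse_sectag(frame: bytes) -> Tuple[SecTag, bytes, bytes]:
    """Return (SecTag, secure_data, icv) for a MACsec-tagged Ethernet frame.

    After the 12 octets of destination/source MAC:
      2 EtherType 0x88E5 | 1 TCI/AN | 1 SL | 4 PN | [8 SCI] | secure data | 16 ICV
    """
    if len(frame) < 12 + 8 + ICV_LEN:
        raise ValueError('frame too short for a MACsec SecTAG')
    if struct.unpack('!H', frame[12:14])[0] != ETHERTYPE_MACSEC:
        raise ValueError('not a MACsec frame (EtherType is not 0x88E5)')
    tci_an, sl = frame[14], frame[15]
    pn = struct.unpack('!I', frame[16:20])[0]
    offset, sci = 20, None
    if tci_an & TCI_SC:
        if len(frame) < 28 + ICV_LEN:
            raise ValueError('SC bit set but frame too short for an SCI')
        sci = struct.unpack('!Q', frame[20:28])[0]
        offset = 28
    secure_data, icv = frame[offset:-ICV_LEN], frame[-ICV_LEN:]
    short_length = sl & 0x3F
    if short_length and len(secure_data) != short_length:
        raise ValueError('SL field does not match the secure data length')
    tag = SecTag(version=tci_an >> 7, end_station=bool(tci_an & TCI_ES),
                 sci_present=bool(tci_an & TCI_SC), scb=bool(tci_an & TCI_SCB),
                 encrypted=bool(tci_an & TCI_E), changed_text=bool(tci_an & TCI_C),
                 an=tci_an & 0x03, short_length=short_length, pn=pn, sci=sci)
    return tag, secure_data, icv


def build_macsec_frame(dst: str, src: str, sci: int, an: int, pn: int,
                       secure_data: bytes, icv: bytes) -> bytes:
    """Assemble an encrypted MACsec frame that carries its SCI explicitly."""
    tci_an = TCI_SC | TCI_E | TCI_C | (an & 0x03)      # V=0, SC=1, E=1, C=1
    sl = len(secure_data) if len(secure_data) < 48 else 0
    sectag = struct.pack('!HBBIQ', ETHERTYPE_MACSEC, tci_an, sl, pn, sci)
    return _mac_bytes(dst) + _mac_bytes(src) + sectag + secure_data + icv


# Constructed sample: the supplicant from the debugs (0050.5699.36ce, port 0)
# sending to the switch MAC recovered from the TxSC SCI BC166525A5020002.
SUPPLICANT_MAC, SWITCH_MAC = '0050.5699.36ce', 'bc16.6525.a502'
SUPPLICANT_SCI = sci_from_mac(SUPPLICANT_MAC, 0)
SAMPLE_FRAME = build_macsec_frame(SWITCH_MAC, SUPPLICANT_MAC, SUPPLICANT_SCI,
                                  an=2, pn=1,
                                  secure_data=bytes(range(64)),  # dummy ciphertext
                                  icv=b'\x11' * ICV_LEN)         # dummy ICV

if __name__ == '__main__':
    tag, data, icv = parse_sectag(SAMPLE_FRAME)
    print(f'SCI {tag.sci:016X} AN {tag.an} PN {tag.pn} encrypted={tag.encrypted} '
          f'secure data {len(data)} octets, ICV {icv.hex()}')
```

Pointing parse_sectag() at the raw bytes of an 0x88E5 frame from a supplicant-side capture shows which AN and PN each packet used; the PN must strictly increase within one SA, which is what MACsec replay protection checks. Note that the SCI is only carried explicitly when the SC bit is set, and that a switch-side SPAN or EPC capture of this traffic is not available on these platforms, as the note above says.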
MACsec and 802.1x Modes
Not all 802.1x modes are supported for MACsec.
The Cisco TrustSec 3.0 How-To Guide: Introduction to MACsec and NDAC states that:
Single-Host Mode: MACsec is fully supported in single-host mode. In this mode, only a single MAC or IP address can be authenticated and secured with MACsec. If a different MAC address is detected on the port after an endpoint has authenticated, a security violation will be triggered on the port.
Multi-Domain Authentication (MDA) Mode: In this mode, one endpoint may be on the data domain and another endpoint may be on the voice domain. MACsec is fully supported in MDA mode. If both endpoints are MACsec-capable, each will be secured by its own independent MACsec session. If only one endpoint is MACsec-capable, that endpoint can be secured while the other endpoint sends traffic in the clear.
Multi-Authentication Mode: In this mode, a virtually unlimited number of endpoints may be authenticated to a single switch port. MACsec is not supported in this mode.
Multi-Host Mode: While MACsec usage in this mode is technically possible, it is not recommended. In Multi-Host Mode, the first endpoint on the port authenticates, and then any additional endpoints will be permitted onto the network via the first authorization. MACsec would work with the first connected host, but no other endpoint’s traffic would actually pass, since it would not be encrypted traffic.