MACsec encryption using EAP-TLS authentication

This chapter provides step-by-step guidance on configuring MACsec encryption using EAP-TLS authentication on the routers. It covers how the process works, key roles and components involved, best practice guidelines, configuration procedures, and verification commands to ensure secure, certificate-based Ethernet traffic encryption.

MACsec encryption using EAP-TLS authentication

MACsec encryption using EAP-TLS authentication is a method of securing Ethernet traffic that

  • provides Media Access Control Security (MACsec) encryption between two routers using IEEE 802.1X port-based authentication,

  • enables mutual authentication between the authentication server and client with Extensible Authentication Protocol–Transport Layer Security (EAP-TLS) certificates, and

  • derives the Master Session Key (MSK), Connectivity Association Key (CAK), and Connectivity Association Key Name (CKN) from the EAP-TLS authentication process for establishing MACsec encryption.

IEEE 802.1X device roles

The devices in the network play specific roles during IEEE 802.1X authentication.

  • Supplicant: An entity at one end of a point-to-point LAN segment that seeks authentication by an Authenticator attached to the other end of that link.

  • Authenticator: An entity that facilitates authentication of other entities attached to the same LAN.

  • Authentication server: An entity that provides an authentication service to an Authenticator. The service determines whether the Supplicant is authorized to access system services where the Authenticator resides by evaluating the credentials provided by the Supplicant.

How MACsec encryption using EAP-TLS authentication works

MACsec encryption using EAP-TLS authentication establishes secure communication between routers by leveraging certificate-based mutual authentication to derive keys for MACsec encryption.

Summary

The key components involved in the process are:

  • Routers (authenticator/supplicant): Systems that perform MACsec encryption and participate in 802.1X authentication, acting as either the authenticator (facilitates authentication) or the supplicant (seeks authentication).

  • Authentication server (RADIUS/Cisco ISE/ACS): An entity that provides authentication services to an authenticator, verifying supplicant credentials and facilitating EAP-TLS communication.

  • Certificate Authority (CA) server: Issues and manages digital certificates used for mutual authentication in EAP-TLS.

  • EAP-TLS (Extensible Authentication Protocol-Transport Layer Security): The authentication method used for mutual authentication between the authentication server and the client (supplicant) using certificates.

  • Master Session Key (MSK): A cryptographic key generated upon successful EAP-TLS authentication.

  • Connectivity Association Key (CAK): Derived from the MSK, this key is used by the MACsec Key Agreement (MKA) protocol.

  • Connectivity Association Key Name (CKN): Derived from the EAP session ID, this name identifies the CAK.

Workflow

These stages describe how MACsec encryption using EAP-TLS authentication works:

  1. Initiation: A supplicant router initiates 802.1X port-based authentication on a physical Ethernet interface with an authenticator router.
  2. EAP message exchange: The authenticator router forwards EAP messages between the supplicant and the configured external authentication server (e.g., RADIUS) using EAP as the transport.
  3. Mutual authentication (EAP-TLS): The authentication server and the supplicant router perform mutual authentication using digital certificates via the EAP-TLS method. This requires both devices to have valid certificates issued by a trusted Certificate Authority.
  4. Master session key generation: Upon successful EAP-TLS authentication, a Master Session Key (MSK) is generated.
  5. Key derivation: The MSK is then used to derive the Connectivity Association Key (CAK), and the Connectivity Association Key Name (CKN) is derived from the EAP session ID.
  6. MACsec Key Agreement (MKA): The derived CAK and CKN are utilized by the MKA protocol to establish and maintain secure MACsec encryption between the routers on the interface.

Result

This process enables robust MACsec encryption between two routers, ensuring data confidentiality and integrity on Ethernet interfaces through secure, certificate-based authentication and automated key management.
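The key-derivation stage of the workflow (MSK in, CAK and CKN out) is easier to reason about in code. The block below is an added illustration, not Cisco or IEEE code: the label strings, the MSK slicing and the context layout follow IEEE 802.1X-2010 clause 6.2.2 as understood by the author of this example, while the PRF is HMAC-SHA256 standing in for the standard's AES-CMAC based KDF, so the bytes it produces are illustrative and would not interoperate with a real MKA peer. The MSK and EAP Session-Id are constructed; the two MAC addresses are the interfaces shown in the verification output later on this page.

```python
"""MSK -> CAK / CKN derivation, as performed at step 5 of the workflow.

Added illustration, not Cisco or IEEE code. Labels, MSK slicing and context layout
follow IEEE 802.1X-2010 clause 6.2.2 as the author of this example understands it;
the PRF is HMAC-SHA256 standing in for the standard's AES-CMAC based KDF (clause
6.2.1), so the output bytes are illustrative only.
"""
import hashlib
import hmac
import struct

CAK_LABEL = b"IEEE8021 EAP CAK"   # label strings from 802.1X-2010 clause 6.2.2
CKN_LABEL = b"IEEE8021 EAP CKN"


def kdf(key, label, context, length_bits):
    """Counter-mode KDF: K(i) = PRF(key, i | label | 0x00 | context | length).

    Assumption: 16-bit big-endian counter and length fields; PRF swapped to
    HMAC-SHA256 (the standard uses AES-CMAC).
    """
    out = b""
    i = 1
    while len(out) * 8 < length_bits:
        block = struct.pack(">H", i) + label + b"\x00" + context + struct.pack(">H", length_bits)
        out += hmac.new(key, block, hashlib.sha256).digest()
        i += 1
    return out[: length_bits // 8]


def ordered_macs(mac_a, mac_b):
    """Lower MAC address first, so supplicant and authenticator build the same context."""
    return min(mac_a, mac_b) + max(mac_a, mac_b)


def derive_cak(msk, mac_a, mac_b, cak_bits=128):
    """CAK = KDF(MSK[0..n], "IEEE8021 EAP CAK", mac1 | mac2, CAKlength)."""
    key = msk[: cak_bits // 8]     # assumption: first 16 (or 32) MSK octets are the KDF key
    return kdf(key, CAK_LABEL, ordered_macs(mac_a, mac_b), cak_bits)


def derive_ckn(msk, eap_session_id, mac_a, mac_b):
    """CKN = KDF(MSK[0..15], "IEEE8021 EAP CKN", SessionID | mac1 | mac2, 128)."""
    return kdf(msk[:16], CKN_LABEL, eap_session_id + ordered_macs(mac_a, mac_b), 128)


def derive_mka_keys(msk, eap_session_id, own_mac, peer_mac, cak_bits=128):
    """What each router computes after EAP-TLS succeeds: the (CAK, CKN) pair MKA will use."""
    return (derive_cak(msk, own_mac, peer_mac, cak_bits),
            derive_ckn(msk, eap_session_id, own_mac, peer_mac))


# Constructed inputs. A real EAP-TLS MSK is 64 octets exported from the TLS handshake
# (the authenticator receives it from the RADIUS server); the EAP-TLS Session-Id is
# 0x0D followed by the TLS client and server randoms (RFC 5216). The MAC addresses are
# the two interfaces shown in the verification output on this page.
MSK = bytes(range(64))
EAP_SESSION_ID = b"\x0d" + bytes(range(64))
MAC_SUPPLICANT = bytes.fromhex("02573fae5cda")
MAC_AUTHENTICATOR = bytes.fromhex("02019ab085af")

if __name__ == "__main__":
    cak_s, ckn_s = derive_mka_keys(MSK, EAP_SESSION_ID, MAC_SUPPLICANT, MAC_AUTHENTICATOR)
    cak_a, ckn_a = derive_mka_keys(MSK, EAP_SESSION_ID, MAC_AUTHENTICATOR, MAC_SUPPLICANT)
    print("CKN (both sides):", ckn_s.hex().upper(), "agree:", ckn_s == ckn_a)
    print("CAK agrees:", cak_s == cak_a)
```

Two things the code makes visible that the prose leaves implicit: both routers obtain the same CAK and CKN only because the MAC addresses are ordered before they enter the context, so it does not matter which end is supplicant; and the CKN, unlike the CAK, is bound to the EAP Session-Id, which is why a fresh authentication produces a new 128-bit CKN (32 hex digits, the width of the CAK Name shown in the verification output) even though the CAK value is what actually secures MKA.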

Guidelines for MACsec encryption using EAP-TLS authentication

  • Ensure that you use 802.1X only on physical Ethernet interfaces when configuring EAP-TLS authentication.

  • Use 802.1X port-based authentication exclusively to derive keys for MACsec Key Agreement (MKA). The authentication process does not perform port control functions.

  • Configure the router in the Authenticator or Supplicant Port Access Entity (PAE) role. The router supports both roles.

  • As an authenticator, ensure that remote EAP authentication uses RADIUS as the EAP transport.

  • The router supports EAP-TLS authentication in single-host mode only; multi-host mode is not supported.

Configure MACsec encryption using EAP-TLS authentication

Securely authenticate 802.1X clients and enable MACsec encryption on the router using EAP-TLS.

This task enables the router to authenticate 802.1X clients with EAP-TLS, providing mutual authentication and generating a Master Session Key (MSK) for secure communication.

Before you begin

  • Ensure a Certificate Authority (CA) server is configured for the network.

  • Verify the configured CA certificate is valid.

  • Confirm that Cisco Identity Services Engine (ISE) Release 2.2 or later, or Cisco Secure Access Control Server Release 5.6 or later, is configured as the external AAA server.

  • Ensure the remote AAA server is configured with the EAP-TLS method.

  • Synchronize the routers, CA server, and external AAA server using Network Time Protocol (NTP) to ensure certificate validation.

Follow these steps to configure MACsec encryption using EAP-TLS authentication:

Procedure


Step 1

Configure the RADIUS server pre-shared keys.

Example:

Router# config
Router(config)# radius-server host 209.165.200.225 key 7 094F471A1A0A57
Router(config)# radius-server vsa attribute ignore unknown
Router(config)# commit

Step 2

Configure the 802.1X authentication method using RADIUS as the protocol.

Example:

Router# config
Router(config)# aaa authentication dot1x default group radius
Router(config)# commit

Step 3

Generate an RSA key pair to sign and encrypt key management messages.

Example:

Router# config
Router(config)# crypto key generate rsa 8002
Wed Aug 7 10:25:22.461 UTC
The name for the keys will be: 8002
Choose the size of the key modulus in the range of 512 to 4096 for your General Purpose Keypair. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [2048]: 600
Generating RSA keys ... Done w/ crypto generate keypair
[OK]

Step 4

Configure a trustpoint to manage and track CAs and certificates.

Example:

Router# config
Router(config)# crypto ca trustpoint test2
Router(config-trustp)# enrollment url http://caurl.com
Router(config-trustp)# subject-name CN=8000Series,OU=BU,O=Govt,L=Newyork,ST=NY,C=US
Router(config-trustp)# rsakeypair 8002
Router(config-trustp)# crl optional
Router(config-trustp)# commit

Step 5

Configure a domain name for certificate enrollment.

Example:

Router# config
Router(config)# domain name ca.8000-series.cisco.com
Router(config)# commit

Step 6

Authenticate the CA and enroll the device certificate.

Example:

Router# config
Router(config)# crypto ca authenticate test2
Router(config)# crypto ca enroll test2
Router(config)# commit

Step 7

Configure an EAP profile.

Example:

Router# config
Router(config)# eap profile 8002
Router(config-eap)# identity CE1
Router(config-eap)# method tls pki-trustpoint test2
Router(config-eap)# commit

Step 8

Configure an 802.1X profile on the device.

Example:

Router# config
Router(config)# dot1x profile 8k_prof
Router(config-dot1x-8k_prof)# pae both
Router(config-dot1x-8k_prof)# authenticator timer reauth-time 3600
Router(config-dot1x-8k_prof)# supplicant eap profile 8002
Router(config-dot1x-8k_prof)# exit
Router(config)# commit

Step 9

Apply the MACsec EAP profile and the 802.1X profile to an interface.

Example:

Router# config
Router(config)# interface fourHundredGigE 0/0/0/0
Router(config-if)# dot1x profile 8k_prof
Router(config-if)# macsec eap policy macsec-1
Router(config-if)# commit

MACsec encryption is successfully configured on the router using EAP-TLS authentication, enabling secure communication and mutual authentication for 802.1X clients.

Verify MACsec encryption and 802.1X configuration on an interface

Validate the status and configuration details of MACsec EAP and 802.1X on a router interface.

Perform validation during security audits, after deployment, or after making configuration changes.

Procedure


Step 1

Use the show dot1x interface detail command to view detailed 802.1X information for the interface.

Example:

Router# show dot1x interface HundredGigE 0/0/0/24 detail
Dot1x info for HundredGigE 0/0/0/24
---------------------------------------------------------------
Interface short name        : Hu0/0/0/24
Interface handle            : 0x800020
Interface MAC               : 0201.9ab0.85af
Ethertype                   : 888E
PAE                         : Both
Dot1x Port Status           : AUTHORIZED
Dot1x Profile               : 8k_prof
Supplicant:
 Config Dependency          : Resolved
 Eap profile                : 8k
 Client List:               : 0257.3fae.5cda
 Authenticator EAP Method   : EAP-TLS
 Supp SM State              : Authenticated
 Supp Bend SM State         : Idle
 Last authen time           : 2018 Mar 01 13:31:03.380
Authenticator:
 Config Dependency          : Resolved
 ReAuth                     : Enabled, 0 day(s), 01:00:00
 Client List:               : 0257.3fae.5cda
 Auth SM State              : Authenticated
 Auth Bend SM State         : Idle
 Last authen time           : 2018 Mar 01 13:33:17.852
 Time to next reauth        : 0 day(s), 00:59:57
MKA Interface:
 Dot1x Tie Break Role       : Auth
 EAP Based Macsec           : Enabled
 MKA Start time             : 2018 Mar 01 13:33:17.852
 MKA Stop time              : NA
 MKA Response time          : 2018 Mar 01 13:33:18.357

In the show dot1x interface detail command output, check for these status indicators.

  • Confirm that the Dot1x Port Status is AUTHORIZED.

  • Verify the EAP method and the authentication state of the client.

  • Check the last authentication time and related status indicators.

Step 2

Use the show macsec mka session interface command to view MACsec MKA session status.

Example:

Router# show macsec mka session interface HundredGigE 0/0/0/24

=======================================================================
Interface    Local-TxSCI           # Peers  Status    Key-Server
=======================================================================
Hu0/0/0/24   0201.9ab0.85af/0001   1        Secured   YES

Ensure the Status is Secured and that Key-Server is YES.

Step 3

Use the show macsec mka session interface detail command to view detailed MACsec MKA session information.

Example:

Router# show macsec mka session interface HundredGigE 0/0/0/24 detail 
MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec

Local Tx-SCI                  : 0201.9ab0.85af/0001
Local Tx-SSCI                 : 2
Interface MAC Address         : 0201.9ab0.85af
MKA Port Identifier           : 1
Interface Name                : Hu0/0/0/24
CAK Name (CKN)                : A94399EE68B2A455F85527A4309485DA
CA Authentication Mode        : EAP
Member Identifier (MI)        : 3222A4A7678A6BDA553FDB54
Message Number (MN)           : 114
Authenticator                 : YES
Key Server                    : YES
MKA Cipher Suite              : AES-128-CMAC
Configured MACSec Cipher Suite: GCM-AES-XPN-256
Latest SAK Status             : Rx & Tx
Latest SAK AN                 : 1
Latest SAK KI (KN)            : 3222A4A7678A6BDA553FDB5400000001 (1)
Old SAK Status                : No Rx, No Tx
Old SAK AN                    : 0
Old SAK KI (KN)               : RETIRED (0)
SAK Transmit Wait Time        : 0s (Not waiting for any peers to respond)
SAK Retire Time               : 0s (No Old SAK to retire)
Time to SAK Rekey             : NA
MKA Policy Name               : *DEFAULT POLICY*
Key Server Priority           : 16
Delay Protection              : FALSE
Replay Window Size            : 64
Include ICV Indicator         : FALSE
Confidentiality Offset        : 0
Algorithm Agility             : 80C201
SAK Cipher Suite              : 0080C20001000004 (GCM-AES-XPN-256)
MACsec Capability             : 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired                : YES

# of MACsec Capable Live Peers          : 1
# of MACsec Capable Live Peers Responded: 1

Live Peer List:
MI                         MN    Rx-SCI (Peer)         SSCI   KS-Priority
---------------------------------------------------------------------------
86B47DE76B42D9D7AB6805F7   113   0257.3fae.5cda/0001   1      16

Potential Peer List:
MI                         MN    Rx-SCI (Peer)         SSCI   KS-Priority
---------------------------------------------------------------------------

Peers Status:
 Last Tx MKPDU               : 2018 Mar 01 13:36:56.450
 Last Rx MKPDU               : 2018 Mar 01 13:36:56.450
 Peer Count                  : 1
 RxSCI                       : 02573FAE5CDA0001
 MI                          : 86B47DE76B42D9D7AB6805F7
 Peer CAK                    : Match

In the show macsec mka session interface detail command output, verify these session aspects.

  • Verify the session status is SECURED.

  • Check the local SCI (Secure Channel Identifier) value and the peer SCI value.

  • Confirm the MKA cipher suite (e.g., AES-128-CMAC) and the SAK cipher suite used for MACsec data (e.g., GCM-AES-XPN-256).

  • Review the live peer list and the MKA policy details.


You will have validated that MACsec and 802.1X are properly configured and operational on the specified interface.
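For audits that repeat across many interfaces, the checklists in steps 1 and 3 can be applied mechanically. The script below is an added example, not Cisco code: it parses abridged copies of the two command outputs shown above (the sample text is taken from this page) and reports every indicator that is not in the expected state. The expected SAK cipher suite is a parameter, since it depends on the MACsec policy applied in step 9 of the configuration procedure.

```python
"""Automated pass over the verification checklists in steps 1 and 3.

Added example, not Cisco code. The two sample texts are abridged copies of the
outputs shown on this page; parse_fields() treats every 'Name : Value' line as a
key/value pair, which is all these checks need.
"""
import re

DOT1X_OUTPUT = """\
Dot1x info for HundredGigE 0/0/0/24
---------------------------------------------------------------
PAE                         : Both
Dot1x Port Status           : AUTHORIZED
Dot1x Profile               : 8k_prof
Supplicant:
 Authenticator EAP Method   : EAP-TLS
 Supp SM State              : Authenticated
 Last authen time           : 2018 Mar 01 13:31:03.380
Authenticator:
 Auth SM State              : Authenticated
MKA Interface:
 EAP Based Macsec           : Enabled
"""

MKA_OUTPUT = """\
MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec

Local Tx-SCI                  : 0201.9ab0.85af/0001
CA Authentication Mode        : EAP
Key Server                    : YES
MKA Cipher Suite              : AES-128-CMAC
Latest SAK Status             : Rx & Tx
SAK Cipher Suite              : 0080C20001000004 (GCM-AES-XPN-256)

# of MACsec Capable Live Peers          : 1
# of MACsec Capable Live Peers Responded: 1

Peers Status:
 RxSCI                       : 02573FAE5CDA0001
 Peer CAK                    : Match
"""

# Name is everything before the first colon; section headers such as "Supplicant:" have
# no value and are skipped by parse_fields().
FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_fields(text):
    """Map 'Name : Value' lines of a show command to a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields


def check_dot1x(text):
    """Step 1 checklist: port AUTHORIZED, EAP-TLS in use, state machines authenticated.

    The interface on this page runs 'pae both', so both the supplicant and the
    authenticator state machine are expected to report Authenticated.
    """
    f = parse_fields(text)
    problems = []
    if f.get("Dot1x Port Status") != "AUTHORIZED":
        problems.append("dot1x port status is %s, expected AUTHORIZED" % f.get("Dot1x Port Status"))
    if f.get("Authenticator EAP Method") != "EAP-TLS":
        problems.append("EAP method is %s, expected EAP-TLS" % f.get("Authenticator EAP Method"))
    for sm in ("Supp SM State", "Auth SM State"):
        if f.get(sm) != "Authenticated":
            problems.append("%s is %s" % (sm, f.get(sm)))
    if f.get("EAP Based Macsec") != "Enabled":
        problems.append("EAP based MACsec is not enabled on the interface")
    return problems


def check_mka(text, expected_cipher="GCM-AES-XPN-256"):
    """Step 3 checklist: SECURED, CAK from EAP, peer CAK matches, expected SAK cipher, SAK live."""
    f = parse_fields(text)
    problems = []
    if not f.get("Status", "").startswith("SECURED"):
        problems.append("MKA status is %r, expected SECURED" % f.get("Status"))
    if f.get("CA Authentication Mode") != "EAP":
        problems.append("CAK was not derived from EAP (mode %s)" % f.get("CA Authentication Mode"))
    if f.get("Peer CAK") != "Match":
        problems.append("peer CAK does not match")
    if expected_cipher not in f.get("SAK Cipher Suite", ""):
        problems.append("SAK cipher suite is %s, expected %s" % (f.get("SAK Cipher Suite"), expected_cipher))
    if f.get("Latest SAK Status") != "Rx & Tx":
        problems.append("latest SAK is not active for both Rx and Tx")
    live = f.get("# of MACsec Capable Live Peers")
    answered = f.get("# of MACsec Capable Live Peers Responded")
    if live != "1" or answered != live:
        problems.append("expected one live peer that responded, got %s/%s" % (live, answered))
    return problems


def verify_interface(dot1x_text, mka_text, expected_cipher="GCM-AES-XPN-256"):
    """Combined verdict for one interface: an empty list means every check passed."""
    return check_dot1x(dot1x_text) + check_mka(mka_text, expected_cipher)


if __name__ == "__main__":
    issues = verify_interface(DOT1X_OUTPUT, MKA_OUTPUT)
    print("PASS" if not issues else "FAIL:\n  " + "\n  ".join(issues))
```

Feed the functions the raw text captured from the two show commands; a non-empty list is the audit finding, and the messages name the field that deviated so the reviewer can go straight to the relevant line of the router output.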