Overview
Provides guidance on configuring MACsec encryption using EAP-TLS authentication, covering the roles of supplicants and authenticators, the certificate-based mutual authentication process, and verification procedures for secure Ethernet traffic.
This chapter provides step-by-step guidance on configuring MACsec encryption using EAP-TLS authentication on the routers. It covers how the process works, key roles and components involved, best practice guidelines, configuration procedures, and verification commands to ensure secure, certificate-based Ethernet traffic encryption.
MACsec encryption using EAP-TLS authentication
Describes the method of securing Ethernet traffic using MACsec encryption combined with IEEE 802.1X port-based authentication and EAP-TLS certificates for mutual authentication and automated key derivation.
How MACsec encryption using EAP-TLS authentication works
MACsec encryption with EAP-TLS secures router-to-router communication by using certificate-based mutual authentication to derive cryptographic keys. These keys are then managed by the MACsec Key Agreement (MKA) protocol to ensure data confidentiality and integrity across Ethernet interfaces.
Guidelines for MACsec encryption using EAP-TLS authentication
When configuring MACsec with EAP-TLS, apply 802.1X only to physical Ethernet interfaces, in single-host mode. Use 802.1X solely for MKA key derivation, configure the router as either an Authenticator or a Supplicant PAE, and use RADIUS as the EAP transport when the router operates in the authenticator role.
Configure MACsec encryption using EAP-TLS authentication
Configure MACsec encryption with EAP-TLS by setting up RADIUS authentication, managing digital certificates through a trustpoint, and defining the required EAP and 802.1X profiles. Once these components are in place, apply the profiles to the physical interfaces to enable certificate-based mutual authentication and automated MKA key management.