MACsec Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

Configure MACsec encryption using EAP-TLS authentication

Overview

Configure MACsec encryption with EAP-TLS by establishing RADIUS authentication, managing digital certificates via a trustpoint, and defining the necessary EAP and 802.1X profiles. Once these components are configured, apply the profiles to your physical interfaces to enable secure, certificate-based mutual authentication and automated key management.

Securely authenticate 802.1X clients and enable MACsec encryption on the router using EAP-TLS.

This task enables the router to authenticate 802.1X clients with EAP-TLS, providing mutual authentication and generating a Master Session Key (MSK) for secure communication.

Before you begin

  • Ensure a Certificate Authority (CA) server is configured for the network.

  • Verify the configured CA certificate is valid.

  • Confirm that Cisco Identity Services Engine (ISE) Release 2.2 or later, or Cisco Secure Access Control Server Release 5.6 or later, is configured as the external AAA server.

  • Ensure the remote AAA server is configured with the EAP-TLS method.

  • Synchronize the routers, CA server, and external AAA server using Network Time Protocol (NTP) to ensure certificate validation.

Follow these steps to configure MACsec encryption using EAP-TLS authentication:

Procedure

1.

Configure the RADIUS server pre-shared keys.

Example:

Router# config
Router(config)# radius-server host 209.165.200.225 key 7 094F471A1A0A57
Router(config)# radius-server vsa attribute ignore unknown
Router(config)# commit
2.

Configure the 802.1X authentication method using RADIUS as the protocol.

Example:

Router# config
Router(config)# aaa authentication dot1x default group radius
Router(config)# commit
3.

Generate an RSA key pair to sign and encrypt key management messages.

Example:

Router# config
Router(config)# crypto key generate rsa 8002
Wed Aug 7 10:25:22.461 UTC
The name for the keys will be: 8002
Choose the size of the key modulus in the range of 512 to 4096 for your General Purpose Keypair. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [2048]: 600
Generating RSA keys ... Done w/ crypto generate keypair
[OK]
4.

Configure a trustpoint to manage and track CAs and certificates.

Example:

Router# config
Router(config)# crypto ca trustpoint test2
Router(config-trustp)# enrollment url http://caurl.com
Router(config-trustp)# subject-name CN=8000Series,OU=BU,O=Govt,L=Newyork,ST=NY,C=US
Router(config-trustp)# rsakeypair 8002
Router(config-trustp)# crl optional
Router(config-trustp)# commit
5.

Configure a domain name for certificate enrollment.

Example:

Router# config
Router(config)# domain name ca.8000-series.cisco.com
Router(config)# commit
6.

Authenticate the CA and enroll the device certificate.

Example:

Router# config
Router(config)# crypto ca authenticate test2
Router(config)# crypto ca enroll test2
Router(config)# commit
7.

Configure an EAP profile.

Example:

Router# config
Router(config)# eap profile 8002
Router(config-eap)# identity CE1
Router(config-eap)# method tls pki-trustpoint test2
Router(config-eap)# commit
8.

Configure an 802.1X profile on the device.

Example:

Router# config
Router(config)# dot1x profile 8k_prof
Router(config-dot1x-8k_prof)# pae both
Router(config-dot1x-8k_prof)# authenticator timer reauth-time 3600
Router(config-dot1x-8k_prof)# supplicant eap profile 8002
Router(config-dot1x-8k_prof)# exit
Router(config)# commit
9.

Apply the MACsec EAP profile and the 802.1X profile to an interface.

Example:

Router# config
Router(config)# interface fourHundredGigE 0/0/0/0
Router(config-if)# dot1x profile 8k_prof
Router(config-if)# macsec eap policy macsec-1
Router(config-if)# commit

MACsec encryption is successfully configured on the router using EAP-TLS authentication, enabling secure communication and mutual authentication for 802.1X clients.


Verify MACsec encryption and 802.1X configuration on an interface

Validate the status and configuration details of MACsec EAP and 802.1X on a router interface.

Perform validation during security audits, after deployment, or after making configuration changes.

Procedure

1.

Use the show dot1x interface detail command to view detailed 802.1X information for the interface.

Example:

Router# show dot1x interface HundredGigE 0/0/0/24 detail
Dot1x info for HundredGigE 0/0/0/24
---------------------------------------------------------------
Interface short name        : Hu0/0/0/24
Interface handle            : 0x800020
Interface MAC               : 0201.9ab0.85af
Ethertype                   : 888E
PAE                         : Both
Dot1x Port Status           : AUTHORIZED
Dot1x Profile               : 8k_prof
Supplicant:
 Config Dependency          : Resolved
 Eap profile                : 8k
 Client List:               : 0257.3fae.5cda
 Authenticator EAP Method   : EAP-TLS
 Supp SM State              : Authenticated
 Supp Bend SM State         : Idle
 Last authen time           : 2018 Mar 01 13:31:03.380
Authenticator:
 Config Dependency          : Resolved
 ReAuth                     : Enabled, 0 day(s), 01:00:00
 Client List:               : 0257.3fae.5cda
 Auth SM State              : Authenticated
 Auth Bend SM State         : Idle
 Last authen time           : 2018 Mar 01 13:33:17.852
 Time to next reauth        : 0 day(s), 00:59:57
MKA Interface:
 Dot1x Tie Break Role       : Auth
 EAP Based Macsec           : Enabled
 MKA Start time             : 2018 Mar 01 13:33:17.852
 MKA Stop time              : NA
 MKA Response time          : 2018 Mar 01 13:33:18.357

In the show dot1x interface detail command output, check for these status indicators.

  • Confirm that the Dot1x Port Status is AUTHORIZED.

  • Verify the EAP method and the authentication state of the client.

  • Check the last authentication time and related status indicators.

2.

Use the show macsec mka session interface command to view MACsec MKA session status.

Example:

Router# show macsec mka session interface HundredGigE 0/0/0/24

=======================================================================
Interface    Local-TxSCI           # Peers  Status    Key-Server
=======================================================================
Hu0/0/0/24   0201.9ab0.85af/0001   1        Secured   YES

Ensure the Status is Secured and that Key-Server is YES.

3.

Use the show macsec mka session interface detail command to view detailed MACsec MKA session information.

Example:

Router# show macsec mka session interface HundredGigE 0/0/0/24 detail 
MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec

Local Tx-SCI                  : 0201.9ab0.85af/0001
Local Tx-SSCI                 : 2
Interface MAC Address         : 0201.9ab0.85af
MKA Port Identifier           : 1
Interface Name                : Hu0/0/0/24
CAK Name (CKN)                : A94399EE68B2A455F85527A4309485DA
CA Authentication Mode        : EAP
Member Identifier (MI)        : 3222A4A7678A6BDA553FDB54
Message Number (MN)           : 114
Authenticator                 : YES
Key Server                    : YES
MKA Cipher Suite              : AES-128-CMAC
Configured MACSec Cipher Suite: GCM-AES-XPN-256
Latest SAK Status             : Rx & Tx
Latest SAK AN                 : 1
Latest SAK KI (KN)            : 3222A4A7678A6BDA553FDB5400000001 (1)
Old SAK Status                : No Rx, No Tx
Old SAK AN                    : 0
Old SAK KI (KN)               : RETIRED (0)
SAK Transmit Wait Time        : 0s (Not waiting for any peers to respond)
SAK Retire Time               : 0s (No Old SAK to retire)
Time to SAK Rekey             : NA
MKA Policy Name               : *DEFAULT POLICY*
Key Server Priority           : 16
Delay Protection              : FALSE
Replay Window Size            : 64
Include ICV Indicator         : FALSE
Confidentiality Offset        : 0
Algorithm Agility             : 80C201
SAK Cipher Suite              : 0080C20001000004 (GCM-AES-XPN-256)
MACsec Capability             : 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired                : YES

# of MACsec Capable Live Peers          : 1
# of MACsec Capable Live Peers Responded: 1

Live Peer List:
MI                         MN    Rx-SCI (Peer)         SSCI   KS-Priority
---------------------------------------------------------------------------
86B47DE76B42D9D7AB6805F7   113   0257.3fae.5cda/0001   1      16

Potential Peer List:
MI                         MN    Rx-SCI (Peer)         SSCI   KS-Priority
---------------------------------------------------------------------------

Peers Status:
 Last Tx MKPDU               : 2018 Mar 01 13:36:56.450
 Last Rx MKPDU               : 2018 Mar 01 13:36:56.450
 Peer Count                  : 1
 RxSCI                       : 02573FAE5CDA0001
 MI                          : 86B47DE76B42D9D7AB6805F7
 Peer CAK                    : Match

In the show macsec mka session interface detail command output, verify these session aspects.

  • Verify the session status is SECURED.

  • Check the local SCI (Secure Channel Identifier) value and the peer SCI value.

  • Confirm the cipher suite used (e.g., AES-128-CMAC, GCM-AES-XPN-256).

  • Review the live peer list and the MKA policy details.

You will have validated that MACsec and 802.1X are properly configured and operational on the specified interface.
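The two verification steps above tell you which indicators to read off by hand. The following added example (not Cisco's code or part of this guide) turns them into an automated post-deployment check: it parses the "Field : value" lines of captured show output and reports every indicator that is not in the expected state. The sample captures are constructed, abbreviated copies of the outputs shown above, and the 64-frame replay-window ceiling is an assumption taken from that sample.

```python
import re

# Constructed, abbreviated captures of the two show commands above (field names and values as in the sample output).
DOT1X_OUTPUT = """\
Dot1x Port Status           : AUTHORIZED
 Authenticator EAP Method   : EAP-TLS
 ReAuth                     : Enabled, 0 day(s), 01:00:00
 EAP Based Macsec           : Enabled
"""
MKA_OUTPUT = """\
Status: SECURED - Secured MKA Session with MACsec
CA Authentication Mode        : EAP
Configured MACSec Cipher Suite: GCM-AES-XPN-256
Latest SAK Status             : Rx & Tx
Replay Window Size            : 64
# of MACsec Capable Live Peers          : 1
 Peer CAK                    : Match
"""

# One "Field : value" per line; the first colon separates field from value so timestamps stay intact.
FIELD = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")

def parse_show(text):
    """Map 'Field : value' lines to a dict; banners and peer tables have no colon and are skipped."""
    return {m.group(1): m.group(2) for m in map(FIELD.match, text.splitlines()) if m}

# (field, predicate on its value, message when the predicate fails): the indicators the text asks you to confirm.
DOT1X_CHECKS = [
    ("Dot1x Port Status", lambda v: v == "AUTHORIZED", "port is not AUTHORIZED"),
    ("Authenticator EAP Method", lambda v: v == "EAP-TLS", "EAP method is not EAP-TLS"),
    ("ReAuth", lambda v: v.startswith("Enabled"), "periodic reauthentication disabled"),
    ("EAP Based Macsec", lambda v: v == "Enabled", "EAP-based MACsec not enabled"),
]
MKA_CHECKS = [
    ("Status", lambda v: v.startswith("SECURED"), "MKA session not SECURED"),
    ("CA Authentication Mode", lambda v: v == "EAP", "CAK not derived from EAP"),
    ("Configured MACSec Cipher Suite", lambda v: v == "GCM-AES-XPN-256", "unexpected cipher suite"),
    ("Latest SAK Status", lambda v: v == "Rx & Tx", "latest SAK not installed for Rx and Tx"),
    ("Peer CAK", lambda v: v == "Match", "peer CAK mismatch"),
    # Assumed ceiling: a wider window accepts more reordered or replayed frames.
    ("Replay Window Size", lambda v: v.isdigit() and int(v) <= 64, "replay window wider than 64"),
]

def run_checks(text, checks):
    """Return the message of every failed check; a missing field also fails. Empty list means healthy."""
    fields = parse_show(text)
    return [msg for field, ok, msg in checks if not ok(fields.get(field, ""))]
```

Feed the real output of both show commands into run_checks with the matching table; a non-empty result is the list of indicators to investigate.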