Overview
When configuring MACsec with EAP-TLS, ensure 802.1X is applied exclusively to physical Ethernet interfaces in single-host mode. Use 802.1X solely for MKA key derivation, configure the router as either an Authenticator or Supplicant PAE, and utilize RADIUS as the EAP transport when operating in the authenticator role.
- Ensure that you use 802.1X only on physical Ethernet interfaces when configuring EAP-TLS authentication.
- Use 802.1X port-based authentication exclusively to derive keys for MACsec Key Agreement (MKA). The authentication process does not perform port control functions.
- Configure the router in the Authenticator or Supplicant Port Access Entity (PAE) role. The router supports both roles.
- As an authenticator, ensure that remote EAP authentication uses RADIUS as the EAP transport.
- The router supports EAP-TLS authentication in single-host mode only, as it does not support multi-host mode.