Home
Support
Product Support
Routers
Cisco 8000 Series Routers
Configuration Guides

MACsec Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

View all Saved Content

PDF

Is this helpful?

Helpful Unhelpful

Feedback

Thank you for your feedback. Your response has been recorded.

Ask about this document

Cisco Configuration Guide, Release 4.2

Table of contents

Expand all sections

About this document

YANG data models for MACsec encryption features

Using YANG Data Models

Fundamentals of MACsec encryption

MACsec encryption
Key concepts for MACsec encryption
How MACsec encryption works
Guidelines for MACsec encryption
Configure MACsec encryption

WAN MACsec encryption

WAN MACsec encryption
Applications of MACsec in WAN environments
MACsec encryption on Layer 3 subinterfaces
Alternate EAPoL Ether-type and Destination address

MACsec policy exceptions

MACsec policy exception
MACsec policy exceptions for LACP packets
MACsec policy exceptions for LLDP packets

MACsec encryption using EAP-TLS authentication

MACsec encryption using EAP-TLS authentication
How MACsec encryption using EAP-TLS authentication works
Guidelines for MACsec encryption using EAP-TLS authentication
Configure MACsec encryption using EAP-TLS authentication

MACsec encryption using SKIP

Secure Key Integration Protocol
How point-to-point MACsec encryption using SKIP works
Restrictions for MACsec encryption using SKIP
Configure point-to-point MACsec encryption using SKIP

Secure MACsec encryption

Power-on Self-Test KAT for Common Criteria and FIPS
Dynamic power management for MACsec-enabled ports
MACsec pre-shared keys with Type 6 password encryption

MACsec encryption performance and statistics

MACsec SecY statistics
MACsec SNMP MIB
Use SNMP commands to access SECY MIB
Obtain the MACsec controlled port interface index
SNMP query examples

How MACsec encryption using EAP-TLS authentication works

Updated: February 28, 2026

Want to summarize with AI?

Overview

MACsec encryption with EAP-TLS secures router-to-router communication by using certificate-based mutual authentication to derive cryptographic keys. These keys are then managed by the MACsec Key Agreement (MKA) protocol to ensure data confidentiality and integrity across Ethernet interfaces.

MACsec encryption using EAP-TLS authentication establishes secure communication between routers by leveraging certificate-based mutual authentication to derive keys for MACsec encryption.

Summary

The key components involved in the process are:

Routers (authenticator/supplicant): Systems that perform MACsec encryption and participate in 802.1X authentication, acting as either the authenticator (facilitates authentication) or the supplicant (seeks authentication).
Authentication server (RADIUS/Cisco ISE/ACS): An entity that provides authentication services to an authenticator, verifying supplicant credentials and facilitating EAP-TLS communication.
Certificate Authority (CA) server: Issues and manages digital certificates used for mutual authentication in EAP-TLS.
EAP-TLS (Extensible Authentication Protocol-Transport Layer Security): The authentication method used for mutual authentication between the authentication server and the client (supplicant) using certificates.
Master Session Key (MSK): A cryptographic key generated upon successful EAP-TLS authentication.
Connectivity Association Key (CAK): Derived from the MSK, this key is used by the MACsec Key Agreement (MKA) protocol.
Connectivity Association Key Name (CKN): Derived from the EAP session ID, this name identifies the CAK.

Workflow

These stages describe how MACsec encryption using EAP-TLS authentication works:

Initiation: A supplicant router initiates 802.1X port-based authentication on a physical Ethernet interface with an authenticator router.
EAP message exchange: The authenticator router forwards EAP messages between the supplicant and the configured external authentication server (e.g., RADIUS) using EAP as the transport.
Mutual authentication (EAP-TLS): The authentication server and the supplicant router perform mutual authentication using digital certificates via the EAP-TLS method. This requires both devices to have valid certificates issued by a trusted Certificate Authority.
Master session key generation: Upon successful EAP-TLS authentication, a Master Session Key (MSK) is generated.
Key derivation: The MSK is then used to derive the Connectivity Association Key (CAK), and the Connectivity Association Key Name (CKN) is derived from the EAP session ID.
MACsec Key Agreement (MKA): The derived CAK and CKN are utilized by the MKA protocol to establish and maintain secure MACsec encryption between the routers on the interface.

Result

This process enables robust MACsec encryption between two routers, ensuring data confidentiality and integrity on Ethernet interfaces through secure, certificate-based authentication and automated key management.

Need help?

Open a support case

(Requires a Cisco Service Contract)

Bias-free language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.