MACsec Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

PDF

MACsec encryption using EAP-TLS authentication

Updated: February 28, 2026

Want to summarize with AI?

Log in

Overview

Describes the method of securing Ethernet traffic using MACsec encryption combined with IEEE 802.1X port-based authentication and EAP-TLS certificates for mutual authentication and automated key derivation.

MACsec encryption using EAP-TLS authentication is a Ethernet traffic securing method that

  • provides Media Access Control Security (MACsec) encryption between two routers using IEEE 802.1X port-based authentication,

  • enables mutual authentication between the authentication server and client with Extensible Authentication Protocol–Transport Layer Security (EAP-TLS) certificates, and

  • derives the Master Session Key (MSK), Connectivity Association Key (CAK), and Connectivity Association Key Name (CKN) from the EAP-TLS authentication process for establishing MACsec encryption.

IEEE 802.1X device roles

The devices in the network play specific roles during IEEE 802.1X authentication.

  • Supplicant: An entity at one end of a point-to-point LAN segment that seeks authentication by an Authenticator attached to the other end of that link.

  • Authenticator: An entity that facilitates authentication of other entities attached to the same LAN.

  • Authentication server: An entity that provides an authentication service to an Authenticator. The service determines whether the Supplicant is authorized to access system services where the Authenticator resides by evaluating the credentials provided by the Supplicant.