Guidelines and Limitations
MACsec on the IE5000 has the following guidelines and limitations:
■Both models of IE 5000 downlinks are fully interoperable with IE 4000, IE 4010, Catalyst 9300/3850, and Catalyst IE 3x00 platforms.
■On the IE-5000-16S12P, uplinks are fully functional when connected to another IE-5000-16S12P or a Catalyst 3850.
■On the IE-5000-12S12P-10G, uplinks when running at 10GE are fully functional when connected to another IE-5000-12S12P-10G running at 10GE or to a Catalyst 3850 running at 10GE.
■When an IE 5000 uplink is connected to a Catalyst 9300, the IE 5000 must be the key server. CSCvs36043
■MACsec on IE-5000-12S12P-10G uplinks is not currently supported at GE speeds. CSCvs41335
■MACsec on IE-5000-16S12P uplinks connected to downlinks of the IE 5000 and IE 4000 is not currently supported. CSCvs44292
Additional Guidelines and Limitations for IE 4000, IE 4010, and IE 5000 series switches
The default behavior of the IE 4000, IE 4010, and IE 5000 is to encrypt data traffic when the MACsec link is secured. However, if the remote peer does not secure the MACsec link, these switches send data unencrypted.
The Cisco IOS XE-based IE switches such as IE3x00 and Cisco Catalyst switches such as the 9300, 9200, and 9500 always secure the MACsec link regardless of the state of the MACsec session. When a MACsec link is configured, the traffic is sent encrypted. Any unencrypted traffic received on a MACsec-secured link is dropped.
When MACsec is enabled on a link, it accepts only encrypted data. This means all L2 protocol data frames, such as REP, PTP, ping, and control frames like CDP and LLDP, are blocked on the ingress side. The L2 protocol data frames are allowed only if the egress link also becomes MACsec enabled and a secure channel is established.
Implementing the MACsec Must-Secure feature aligns the default MACsec behavior of the IE 4000, IE 4010, and IE 5000 with that of the Cisco IOS-XE-based IE switches, including the IE3x00.
MACsec Must-Secure Feature Implementation
The MACsec Must-Secure feature implementation does not include a command option to set the mode to Should-Secure or Must-Secure. By default, the switch operates in Should-Secure mode in the 15.2(8)E5 release and earlier releases. Starting with Cisco IOS Release 15.2(8)E6, the switch operates in Must-Secure mode by default.
The support for these modes is as follows:
■The IE 4000, IE 4010, and IE 5000 support Should-Secure mode in release 15.2(8)E5.
■The IE 4000, IE 4010, and IE 5000 support Must-Secure mode in release 15.2(8)E6.
Run the show macsec interface interface-id command to see whether the device is set to Should-Secure mode. If the show command output doesn’t display the "Access control" field, the device is in Should-Secure mode. For example:
switch# show macsec int gi1/1 | i Access
If the show command output displays "Access control: must secure", the device is in Must-Secure mode.
To change the mode from Must-Secure to Should-Secure, you need to downgrade the switch to 15.2(8)E5 release or earlier. Similarly, to change from Should-Secure to Must-Secure, you must upgrade the switch to the 15.2(8)E6 release or later.
Cipher Suite Support
IOS-based IE devices support the GCM-AES-128 Cipher Suite encryption algorithm but do not support the GCM-AES-256 Cipher Suite.
Ping Reachability
■Ping works with default interface configurations (no configuration).
■Ping does not work if macsec network-link is configured without MACsec Key Agreement (MKA).
■Ping works when MKA and macsec network-link are configured on both ends of the link.
■Ping does not work if you remove macsec network-link or MKA on one side of the interface.
Using MACsec/MACsec Network-Link with MKA
■Use the macsec network-link command only with MKA on switch interfaces. If you configure MACsec without MKA, then the MKA session will not be displayed.
■You must configure macsec network-link to enable MACsec and secure the link between switches.
Layer 2 Protocols with MACsec/CTS Manual
■Layer 2 protocols such as PTP, PO, and REP were compatible with MACsec in release 15.2(8)E5 and earlier versions. From release 15.2(8)E6 onwards, Layer 2 protocols work only if the network links are secured and the keychain credentials are configured on the devices.
■Layer 2 protocols work only if the network links are secured by MKA or SAP PMK and configured with the macsec network-link or the cts manual command.
■If a MACsec network link is configured only at one end of the link, MACsec traffic does not pass, and the protocol combination does not work.
■If a MACsec network link is configured at both ends, MACsec traffic is transmitted, and any integrated protocol functions, provided that MKA or SAP PMK is used to secure the network.
Observation on Key-Server Priority
The key-server priority defaults to 0 when it is not explicitly set.
For example, Device1 is configured with key-server priority 9 and Device2 with key-server priority 10. The lower the priority value, the higher the preference for the switch to become the key server. In this example, the key server is displayed correctly as Device1 in the show mka session command output ("yes" is displayed in the key-server field). If Device1 is configured with key-server priority 9 and Device2 has no priority configured, the key server is not displayed correctly, because Device2 with no configured priority (0 by default) is taken as having the higher key-server priority.
MACsec + MKA Unidirectional/Bidirectional Traffic Throughput
MACsec on the IE 4000, IE 4010, and IE 5000 has some per-frame overhead, resulting in lower throughput compared to unencrypted Layer 2 frames. The overhead is around 28% for small frames (64 bytes) and 2% for large frames (1472 bytes).
Traffic drops of 28% are expected at a 100% maximum rate for 64-byte frames. Therefore, if the maximum rate is 72%, no traffic loss is seen. The following tables show the traffic frame rate loss.
Table 31 Traffic Frame Rate Loss at 100% Max Rate
Table 32 Traffic Frame Rate Loss at 75% Max Rate
Table 33 Traffic Frame Rate Loss at 50% Max Rate
Table 34 Traffic Frame Rate Loss at 25% Max Rate
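The following is an added example, not part of the Cisco documentation, that models where the 28%/2% overhead and the 72% loss-free rate for 64-byte frames come from. It assumes the per-frame expansion is the IEEE 802.1AE SecTAG (8 bytes without the SCI, 16 with it) plus the 16-byte GCM-AES-128 ICV, and it ignores preamble and inter-frame gap; the frame sizes and offered rates are those of the tables above.

```python
# Added example (not from the Cisco release notes): a simple model of why
# MACsec lowers the frame rate a fixed-bandwidth link can carry.
# Assumption: each data frame grows by the SecTAG plus the ICV; preamble
# and inter-frame gap are ignored, so the figures are approximate.

SECTAG_NO_SCI = 8      # IEEE 802.1AE SecTAG without the explicit SCI
SECTAG_WITH_SCI = 16   # SecTAG carrying the 8-byte SCI
ICV_GCM_AES_128 = 16   # integrity check value length for GCM-AES-128


def macsec_expansion(with_sci: bool = False) -> int:
    """Bytes MACsec adds to every data frame."""
    return (SECTAG_WITH_SCI if with_sci else SECTAG_NO_SCI) + ICV_GCM_AES_128


def loss_free_ceiling(frame_bytes: int, with_sci: bool = False) -> float:
    """Highest offered load (fraction of line rate) that still fits after expansion.

    For 64-byte frames without SCI this is 64 / (64 + 24) = 0.727, which is
    why an offered rate of 72% shows no loss on the IE 4000/4010/5000."""
    return frame_bytes / (frame_bytes + macsec_expansion(with_sci))


def frame_rate_loss(frame_bytes: int, offered: float, with_sci: bool = False) -> float:
    """Fraction of offered frames the link cannot carry at the given offered load.

    Below the ceiling nothing is lost; above it, the excess over the ceiling
    is dropped, so loss = (offered - ceiling) / offered."""
    ceiling = loss_free_ceiling(frame_bytes, with_sci)
    if offered <= ceiling:
        return 0.0
    return (offered - ceiling) / offered


def loss_table(frame_sizes, offered_rates, with_sci: bool = False) -> dict:
    """Loss in percent, keyed by (frame size, offered rate), in the shape of
    the 'Traffic Frame Rate Loss at N% Max Rate' tables."""
    return {
        (size, rate): round(frame_rate_loss(size, rate, with_sci) * 100, 1)
        for size in frame_sizes
        for rate in offered_rates
    }


if __name__ == "__main__":
    for key, pct in sorted(loss_table([64, 1472], [1.0, 0.75, 0.5, 0.25]).items()):
        print(f"{key[0]:5d}-byte frames at {key[1]:.0%} offered: {pct:4.1f}% loss")
```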
MKA-PSK: CKN Behavior Change
To interoperate with Cisco switches running IOS XE, the CKN configuration must be zero-padded. From Cisco IOS XE Everest Release 16.6.1 onwards, for MKA-PSK sessions the Connectivity Association Key Name (CKN) is no longer a fixed 32 bytes; instead, the CKN is exactly the hex-string that is configured as the key.
Example configuration:
key chain KEYCHAINONE macsec
cryptographic-algorithm aes-128-cmac
key-string 123456789ABCDEF0123456789ABCDEF0
lifetime local 12:21:00 Sep 9 2015 infinite
For the above example, the output of the show mka session command is as follows:
Note that the CKN is exactly the hex-string that has been configured for the key.
For interoperability between two images, one with the CKN behavior change and one without it, the hex-string for the key must be a 64-character hex-string padded with zeros so that it works on the device whose image has the CKN behavior change. See the example below:
Configuration without CKN key-string behavior change:
key chain KEYCHAINONE macsec
cryptographic-algorithm aes-128-cmac
key-string 123456789ABCDEF0123456789ABCDEF0
lifetime local 12:21:00 Sep 9 2015 infinite
Output:
Configuration with CKN key-string behavior change:
key chain KEYCHAINONE macsec
key 1234000000000000000000000000000000000000000000000000000000000000
cryptographic-algorithm aes-128-cmac
key-string 123456789ABCDEF0123456789ABCDEF0
lifetime local 12:21:00 Sep 9 2015 infinite
Output:
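The following is an added example, not Cisco code, that shows how the two CKN behaviors described above derive the CKN from the configured key hex-string, and why the zero-padded 64-character key id is the one value on which both agree. It assumes the pre-change behavior right-pads the configured hex-string with zeros to 32 bytes, as the `1234000...` example above indicates.

```python
# Added example (not Cisco code): CKN derivation with and without the
# "CKN behavior change", and the interop check the two configurations need.
import re

CKN_MAX_HEX_CHARS = 64          # 802.1X limits the CKN to 32 octets
_HEX = re.compile(r"^[0-9A-Fa-f]+$")


def validate_key_id(key_hex: str) -> str:
    """Accept only a non-empty hex-string of at most 64 characters; return it upper-cased."""
    if not _HEX.match(key_hex) or len(key_hex) > CKN_MAX_HEX_CHARS:
        raise ValueError(f"key id must be 1-{CKN_MAX_HEX_CHARS} hex characters: {key_hex!r}")
    return key_hex.upper()


def ckn_without_change(key_hex: str) -> str:
    """Image without the CKN behavior change: the configured key id is
    right-padded with zeros to a fixed 32 bytes (assumption based on the
    documented '1234000...' example)."""
    return validate_key_id(key_hex).ljust(CKN_MAX_HEX_CHARS, "0")


def ckn_with_change(key_hex: str) -> str:
    """Image with the CKN behavior change (IOS XE 16.6.1 and later): the CKN
    is exactly the configured hex-string, however short it is."""
    return validate_key_id(key_hex)


def interop_key_id(key_hex: str) -> str:
    """The key id to configure on the image with the behavior change so that
    its CKN equals what the other image derives from the short key id."""
    return ckn_without_change(key_hex)


def sessions_interoperate(key_a: str, a_has_change: bool,
                          key_b: str, b_has_change: bool) -> bool:
    """True when both peers will advertise the same CKN in their MKPDUs.
    MKA only forms a session between participants whose CKNs match."""
    ckn_a = ckn_with_change(key_a) if a_has_change else ckn_without_change(key_a)
    ckn_b = ckn_with_change(key_b) if b_has_change else ckn_without_change(key_b)
    return ckn_a == ckn_b


if __name__ == "__main__":
    # Short key id on both sides: the peers disagree on the CKN.
    print("short id, mixed images:", sessions_interoperate("1234", False, "1234", True))
    # Zero-padded 64-character key id on the changed image: CKNs match.
    print("padded id, mixed images:",
          sessions_interoperate("1234", False, interop_key_id("1234"), True))
```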
Certificate-based MACsec Encryption
This section provides information about Certificate-based MACsec Encryption. This feature applies to Cisco IOS Release 15.2(8)E and later.
Prerequisites for Certificate-based MACsec Encryption
■Certificate-based MACsec Encryption is supported on the IE4000, IE4010, and IE5000.
■Ensure that you have a Certificate Authority (CA) server configured for your network.
■Generate a CA certificate.
■Ensure that you have configured Cisco Identity Services Engine (ISE) Release 2.0. Refer to the Cisco Identity Services Engine Administrator Guide, Release 2.3.
■Ensure that both the participating devices, the CA server, and Cisco Identity Services Engine (ISE) are synchronized using Network Time Protocol (NTP). If time is not synchronized on all your devices, certificates will not be validated.
■Ensure that 802.1x authentication and AAA are configured on your device.
Restrictions for Certificate-based MACsec Encryption
■MKA is not supported on port-channels.
■High Availability for MKA is not supported.
■When you remove dot1x pae both from an interface, all configuration related to dot1x is removed from the interface.
■Certificate-based MACsec is supported only if the access-session host-mode is configured in multiple-host mode. The other configuration modes (multi-auth, multi-domain, or single-host) are not supported.
Information About Certificate-based MACsec Encryption
MKA MACsec is supported on switch-to-switch links. Using IEEE 802.1X Port-based Authentication with Extensible Authentication Protocol (EAP-TLS), you can configure MKA MACsec between device ports. EAP-TLS allows mutual authentication and obtains an MSK (master session key) from which the connectivity association key (CAK) is derived for the MKA protocol. Device certificates are carried, using EAP-TLS, for authentication to the AAA server.
For more information about Certificate-based MACsec Encryption, including how to configure it using remote authentication, refer to Certificate-based MACsec Encryption.
Configuring Certificate-based MACsec Encryption using Remote Authentication
Follow these procedures to configure MACsec encryption using remote authentication:
■Configure Certificate Enrollment Manually
■Configure an Authentication Policy
■Configure EAP-TLS Profiles and IEEE 802.1x Credentials
■Configure MKA MACsec using EAP-TLS on Interfaces
Configuring Certificate Enrollment Manually
If a network connection between the router and the CA is not possible, perform the following task to set up manual certificate enrollment:
1. Enables privileged EXEC mode. Enter your password if prompted.
2. Enters global configuration mode.
3. crypto pki trustpoint server name: Declares the trustpoint with the given name and enters ca-trustpoint configuration mode.
4. Enrolls via the terminal (cut-and-paste).
5. Specifies which key pair to associate with the certificate.
6. Specifies the router serial number in the certificate request.
7. Declares the subject name. For example: subject-name cn=MUSTS.mkadt.cisco.com,OU=CSG Security,O=Cisco Systems,L=Bengaluru,ST=KA,C=IN
8. Includes the subject alternative name.
9. Includes the fully-qualified domain name.
10. The none keyword specifies that the revocation check is ignored.
11. Exits global configuration mode.
12. crypto pki authenticate name: Retrieves the CA certificate and authenticates it.
13. Generates the certificate request and displays it for copying and pasting into the certificate server. Enter enrollment information when you are prompted. For example, specify whether to include the device FQDN and IP address in the certificate request. You are also given the choice of displaying the certificate request on the console terminal. The base-64 encoded certificate, with or without PEM headers as requested, is displayed.
14. Imports a certificate via TFTP at the console terminal, which retrieves the granted certificate. The device attempts to retrieve the granted certificate via TFTP using the same filename used to send the request, except that the extension is changed from ".req" to ".crt". For usage key certificates, the extensions "-sign.crt" and "-encr.crt" are used. The device parses the received files, verifies the certificates, and inserts the certificates into the internal certificate database on the switch. Note: Some CAs ignore the usage key information in the certificate request and issue general purpose usage certificates. If your CA ignores the usage key information in the certificate request, import only the general purpose certificate. The router will not use one of the two key pairs generated.
15. Exits global configuration mode.
16. show crypto pki certificate: Displays information about the certificate for the trustpoint.
17. copy running-config startup-config: (Optional) Saves your entries in the configuration file.
Enabling 802.1x Authentication and Configuring AAA
1. Enables privileged EXEC mode. Enter your password if prompted.
2. Enters global configuration mode.
3. Enables AAA.
4. dot1x system-auth-control: Enables 802.1X on your device.
5. Specifies the name of the RADIUS server configuration for Protected Access Credential (PAC) provisioning and enters RADIUS server configuration mode.
6. address ip-address auth-port port-number acct-port port-number: Configures the IPv4 address for the RADIUS server accounting and authentication parameters.
7. automate-tester username username: Enables the automated testing feature for the RADIUS server. With this practice, the device sends periodic test authentication messages to the RADIUS server and looks for a RADIUS response from the server. A success message is not necessary; a failed authentication suffices, because it shows that the server is alive.
8. Configures the authentication and encryption key for all RADIUS communications between the device and the RADIUS server.
9. radius-server deadtime minutes: Improves RADIUS response time when some servers might be unavailable and skips unavailable servers immediately.
10. Returns to global configuration mode.
11. aaa group server radius group-name: Groups different RADIUS server hosts into distinct lists and distinct methods, and enters server group configuration mode.
12. Assigns the RADIUS server name.
13. Returns to global configuration mode.
14. aaa authentication dot1x default group group-name: Sets the default authentication server group for IEEE 802.1x.
15. aaa authorization network default group group-name: Sets the network authorization default group.
Configuring EAP-TLS Profile and 802.1x Credentials
1. Enables privileged EXEC mode. Enter your password if prompted.
2. Enters global configuration mode.
3. eap profile profile-name: Configures an EAP profile and enters EAP profile configuration mode.
4. Enables the EAP-TLS method on the device.
5. Sets the default PKI trustpoint.
6. Returns to global configuration mode.
7. dot1x credentials profile-name: Configures an 802.1x credentials profile and enters dot1x credentials configuration mode.
8. Sets the authentication user ID.
9. Returns to privileged EXEC mode.
Applying the 802.1x MKA MACsec Configuration on Interfaces
To apply MKA MACsec using EAP-TLS to interfaces, perform the following task:
1. Enables privileged EXEC mode. Enter your password if prompted.
2. Enters global configuration mode.
3. Identifies the MACsec interface and enters interface configuration mode. The interface must be a physical interface.
4. Enables MACsec on the interface.
5. Enables reauthentication for this port.
6. access-session host-mode multi-host: Allows hosts to gain access to the interface.
7. Prevents preauthentication access on the interface.
8. access-session port-control auto: Sets the authorization state of the port.
9. Configures the port as an 802.1X port access entity (PAE) supplicant and authenticator.
10. dot1x credentials profile: Assigns an 802.1x credentials profile to the interface.
11. dot1x supplicant eap profile name and dot1x authenticator eap profile name: Assign the EAP-TLS profile to the interface for the supplicant and for the authenticator role.
12. service-policy type control subscriber: Applies a subscriber control policy to the interface.
13. Returns to privileged EXEC mode.
14. Displays MACsec details for the interface.
15. copy running-config startup-config: (Optional) Saves your entries in the configuration file.
Verifying Certificate-based MACsec Encryption
Use the following show commands to verify the configuration of certificate-based MACsec encryption. Sample output is shown below.
The show access-session interface interface-id details command displays detailed information about the access session for the given interface.
Device#show access-session interface gi 1/18 details
Interface: GigabitEthernet1/18
MAC Address: 5453.5632.0082
User-Name: scepen.mkadt.cisco.com
Oper host mode: multi-host
Periodic Acct timeout: N/A
Common Session ID: 000000000000000C0011E814
Acct Session ID: 0x00000001
Service Template: DEFAULT_LINKSEC_POLICY_MUST_SECURE (priority 150)
Security Policy: Must Secure
Security Status: Link Secured
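The following is an added example, not from the Cisco documentation, of checks a verification script can run over the show output described above: it reads the mode from show macsec interface output (a missing "Access control" field means Should-Secure, as described under MACsec Must-Secure Feature Implementation) and audits show access-session details against the documented expectations (multi-host mode, Must Secure policy, Link Secured status). The sample outputs are constructed for this example; the access-session sample mirrors the output shown above, and any field names not on this page are assumptions.

```python
# Added example (not Cisco code): parse "show" output and report links that are
# not in Must-Secure mode or whose certificate-based MACsec session is not secured.
import re

# Constructed samples. Only "Access control" is documented on this page;
# the other show macsec fields are assumed for illustration.
MUST_SECURE_SAMPLE = """\
MACsec is enabled
 Access control: must secure
 Include SCI: yes
"""
# Release 15.2(8)E5 and earlier print no "Access control" field at all.
SHOULD_SECURE_SAMPLE = """\
MACsec is enabled
 Include SCI: yes
"""
ACCESS_SESSION_SAMPLE = """\
Interface: GigabitEthernet1/18
MAC Address: 5453.5632.0082
User-Name: scepen.mkadt.cisco.com
Oper host mode: multi-host
Service Template: DEFAULT_LINKSEC_POLICY_MUST_SECURE (priority 150)
Security Policy: Must Secure
Security Status: Link Secured
"""


def macsec_mode(show_macsec_output: str) -> str:
    """Must-Secure when the 'Access control' field says so; a missing field
    means the image runs in Should-Secure mode."""
    m = re.search(r"^\s*Access control:\s*(.+?)\s*$", show_macsec_output, re.M)
    if m is None:
        return "Should-Secure"
    value = m.group(1).lower()
    return "Must-Secure" if value == "must secure" else f"unknown ({value})"


def parse_fields(output: str) -> dict:
    """Turn the 'Name: value' lines of show access-session ... details into a dict."""
    fields = {}
    for line in output.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def audit_access_session(output: str) -> list:
    """Reasons a certificate-based MACsec session is not acceptable (empty when it is)."""
    f = parse_fields(output)
    findings = []
    if f.get("Oper host mode") != "multi-host":
        findings.append("host-mode must be multi-host for certificate-based MACsec")
    if f.get("Security Policy") != "Must Secure":
        findings.append("security policy is not Must Secure")
    if f.get("Security Status") != "Link Secured":
        findings.append("link is not secured: " + f.get("Security Status", "<missing>"))
    return findings
```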
Configuration examples for Certificate-based MACsec Encryption
Example: Enrolling the Certificate
Configure Crypto PKI Trustpoint:
Manual Installation of Root CA certificate:
crypto pki authenticate demo
Example: Enabling 802.1x Authentication and AAA Configuration
dot1x system-auth-control
address ipv4 <ISE ipv4 address> auth-port 1645 acct-port 1646
key <secret configured on ise>
aaa group server radius ISEGRP
aaa authentication dot1x default group ISEGRP
aaa authorization network default group ISEGRP
Example: Configuring EAP-TLS Profile and 802.1X Credentials
dot1x system-auth-control
username scepen.mkadt.cisco.com
Example: Applying 802.1X, PKI, and MACsec Configuration on the Interface
interface GigabitEthernet1/2
access-session host-mode multi-host
access-session port-control auto
dot1x authenticator eap profile scepen
dot1x supplicant eap profile scepen
service-policy type control subscriber MUSTS_1