topic DNAC|SDA|MACSec in Software-Defined Access (SD-Access)

DNAC|SDA|MACSec

Rajesh Kongath — Wed, 12 Oct 2022 07:01:21 GMT

We are running a fully lan automated, SDA Fabric network with DNAC version 2.2.3.4 & C9300 IOS 17.3.4. We wanted to switch to host macsec, below given a sample commands for the while we are doing thru the CLI.

I would like to know

What is the best practice in SDA environment for implementing switch to host macsec
How can we automate the global and switchport config thru DNAC ( templates or via some workflow)
Since its lan automated, default network port templates pushed while onboarding so how do we do the changes

Global Config:
mka policy mka_policy
key-server priority 200
include-icv-indicator
macsec-cipher-suite gcm-aes-128
confidentiality-offset 0
ssci-based-on-sci
Port:
macsec
mka policy mka_policy

Re: DNAC|SDA|MACSec

Sylvain_Che — Thu, 13 Oct 2022 08:08:30 GMT

Hi,

I don't have specific experience with MACsec on SDA deployment but the following video from Cisco shows switch-to-switch MACsec configuration using templates.

This might probably help you for the switch-to-host configuration you wish to perform.

https://www.youtube.com/watch?v=fPKprvRndTU

Best regards,

Sylvain.

Re: DNAC|SDA|MACSec

willwetherman — Thu, 13 Oct 2022 10:13:23 GMT

Hi @Rajesh Kongath

As far as I'm aware, MACsec (both switch-to-switch and switch-to-host) still needs to be implemented using DNA Center templates or manually using the switch CLI. Please see the following that was posted in May 2022. I'm not sure if MACsec is on the roadmap to be fully automated by DNA Center using an additional app/workflow. You will need to reach out to your Cisco AM/SE to check and confirm.

https://community.cisco.com/t5/software-defined-access-sd-access/macsec-with-sda-roadmap/td-p/4062519

You can create a day-n template for your fabric edge switches that includes the global and port configuration, or separate templates for the global and port configuration that are then combined in a composite template. Once the fabric edge switches have been onboarded using LAN automation, you can then re-provision the switches to apply the required templates.

Will

Re: DNAC|SDA|MACSec

Rajesh Kongath — Thu, 13 Oct 2022 10:50:20 GMT

Thank You @willwetherman & @Sylvain_Che - allow me to ask a few more questions

MacSec needs host-mode multi-domain, which I believe can be achieved via selecting no of hosts "single" by editing closed authentication settings in DNAC. But in our scenario, we don’t want macsec for all data ports but only the one which end users pc/phone connected. The ELV devices are not capable of macsec. Selecting “one device” or adding it via template will change to whole fabric. How we can automate/achieve configuring “access-session host-mode multi-domain” only for end user ports?
Can we push “access-session host-mode multi-domain” from ISE after the authentication by any chance?
We have Dynamic VLAN assignment for the data vlans, how macsec will work in such situations?

Once again Thanks

Re: DNAC|SDA|MACSec

willwetherman — Thu, 20 Oct 2022 06:40:04 GMT

Hi @Rajesh Kongath

The DNA Center Closed Authentication template will use the setting of 'Unlimited' for the number of hosts by default, this will enable host-mode multi-auth on the fabric edge which is not supported with MACsec. You will need to change this option to 'Single' which will enable host-mode multi-domain on the fabric edge which is supported. Once multi-domain has been implemented, you can apply your MACsec global and port templates to the required fabric edge switches.

Note that switch-to-host MACsec with SDA has been validated with the encryption policy being returned by the ISE authorisation result. This means that you can use ISE authorisation policy to be selective on the devices and users that are subject to MACsec encryption.

For example, the ISE authorisation policy for my Corporate clients returns the following attributes to the fabric edge switch once they have passed EAP-TLS authentication. The 'should-secure' policy will attempt MKA on the port, and if successful will encrypt the traffic, however if MKA times out or fails, the port will permit unencrypted traffic. Dynamic VLAN assignment works in the same way; we are just returning an additional attribute to the fabric edge switch for the MACsec policy

Access Type = ACCESS_ACCEPT
VLAN = 1021
MACSec Policy = should-secure

For devices that do not support MACsec, or for devices that you want to exclude from MACsec encryption, you can create a separate ISE authorisation policy that returns the MACsec policy of 'must-not-secure'

You have the following MACSec policy options in ISE.

must-not-secure
should-secure
must-secure

Please see the following for further details

https://community.cisco.com/t5/networking-knowledge-base/configuring-macsec-switch-to-host-with-cat9k-amp-ise/ta-p/4436087