I'm currently trying to setup the macsec feature on a Juniper EX4300 switch. I successfully configured 802.1x, using CISCO ISE / Microsoft Radius / FreeRadius radius servers. On all of them the 802.1x authentication works, but when I add the macsec on top of it, it fails. Of course, if I don't set the mka to must-secure, then it still works, but there is no encryption present. I'm not an experienced user, but my debugging skills point me to a mismatch in the mka protocol. I might be wrong though, that's why I need your help. I noticed that 802.1AE is only working with CISCO ISE radius server if I use the Cisco Switch, because it sends the attribute EAP-Key-Name which is needed by the Cisco Switch to be able to create the keys. It looks like somehow this attribute is not being sent, or maybe it's not needed with the Juniper Switch.
About the current setup:
A couple of linux machines as clients
Juniper EX4300 switch with 802.1x enabled and macsec using dynamic security mode
CISCO ISE radius server
Thanks a lot in advance.
Regards,
Alexandru Popa