
802.1-AE not working with CISCO ISE and Juniper EX4300

apopa
Level 1

I'm currently trying to set up the MACsec feature on a Juniper EX4300 switch. I successfully configured 802.1X, using CISCO ISE / Microsoft RADIUS / FreeRADIUS RADIUS servers. On all of them the 802.1X authentication works, but when I add MACsec on top of it, it fails. Of course, if I don't set MKA to must-secure, then it still works, but there is no encryption present. I'm not an experienced user, but my debugging skills point me to a mismatch in the MKA protocol. I might be wrong though, which is why I need your help. I noticed that 802.1AE only works with the CISCO ISE RADIUS server if I use the Cisco switch, because it sends the attribute EAP-Key-Name, which is needed by the Cisco switch to be able to create the keys. It looks like somehow this attribute is not being sent, or maybe it's not needed with the Juniper switch.

 

About the current setup:

A couple of Linux machines as clients

Juniper EX4300 switch with 802.1X enabled and MACsec using dynamic security mode

CISCO ISE radius server

 

 

Thanks a lot in advance.

Regards,

Alexandru Popa
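
One way to test the EAP-Key-Name observation above against a capture of the RADIUS reply, added here as an example and not part of the original post: the parser below walks the attributes of a RADIUS packet and reports whether EAP-Key-Name (type 102) and the Microsoft MS-MPPE key attributes (RFC 2548) are present. The function names are hypothetical and the sample packets are constructed with zero-filled placeholder values.

```python
import struct

EAP_KEY_NAME = 102      # RADIUS attribute type (RFC 4072 / RFC 7268)
VENDOR_SPECIFIC = 26    # RFC 2865
MICROSOFT = 311         # vendor id for the RFC 2548 attributes below
MPPE = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}

def parse_attributes(packet: bytes):
    """Return [(type, value), ...] for a RADIUS packet, validating every length."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def keying_report(packet: bytes) -> dict:
    """Summarise which keying-related attributes a RADIUS reply carries."""
    report = {"code": None, "EAP-Key-Name": None,
              "MS-MPPE-Send-Key": False, "MS-MPPE-Recv-Key": False}
    for atype, value in parse_attributes(packet):
        if atype == EAP_KEY_NAME:
            report["EAP-Key-Name"] = value
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype = struct.unpack("!IB", value[:5])
            if vendor == MICROSOFT and vtype in MPPE:
                report[MPPE[vtype]] = True
    report["code"] = packet[0]   # 2 = Access-Accept
    return report

def build_sample(with_key_name: bool) -> bytes:
    """Constructed Access-Accept; all key material is zero-filled placeholder."""
    tlv = lambda t, v: bytes([t, len(v) + 2]) + v
    body = b"".join(tlv(VENDOR_SPECIFIC, struct.pack("!I", MICROSOFT) + tlv(vt, bytes(34)))
                    for vt in (16, 17))
    if with_key_name:
        body += tlv(EAP_KEY_NAME, b"\x0d" + bytes(64))  # placeholder, not a real session id
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    for flag in (True, False):
        print(keying_report(build_sample(flag)))
```

To use it on real traffic, pass the UDP payload of the Access-Accept sent to each switch and compare the two reports.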
