Solved: Re: Enforcing MACsec on Computer connected behind IP Phone

Walker · ‎01-25-2023

I have a lab set up and I have been tinkering with pushing MACsec policies using EAP-TLS to workstations. When I have a workstation connected to an interface, everything works as intended. Link is secured using MACsec. When I plug in an IP phone to the port and connect the workstation behind the phone, it seems MKA can not negotiate properly and the link fails.

Has anyone been able to get a working configuration in order for a situation like this? I'm wondering if MACsec is just not supported in a situation like this. There is not much official Cisco documentation on Switch-to-Host MACsec and if there is, it's pretty vague but I interpret the language as if it should work. Could there be an IP phone setting that must be tweaked in order to get it in working order? Unfortunately I do not have access to our CUCM or IP phone device settings.

My current setup is: Cisco 9300 > Cisco 8851NR IP Phone > HP Workstation Win11 using AnyConnect NAM

Any information is appreciated!

marce1000 · ‎01-26-2023

- Ref : https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-2_4_e/configurationguide/b_1524e_consolidated_3750x_3560x_cg/b_1524e_consolidated_3750x_3560x_cg_chapter_01011.pdf
>..... Only host facing links(links between network access devices and endpoint devices such as a PC or IP phone) can be secured using MACsec.

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

View solution in original post

marce1000 · ‎01-26-2023

- Ref : https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-2_4_e/configurationguide/b_1524e_consolidated_3750x_3560x_cg/b_1524e_consolidated_3750x_3560x_cg_chapter_01011.pdf
>..... Only host facing links(links between network access devices and endpoint devices such as a PC or IP phone) can be secured using MACsec.

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

GREGORY LEGGETT · ‎02-16-2023

After reading the linked document, it appears that MACSec should work for two devices on one switch port in multi-domain mode. There are two virtual (MACSec) ports for each interface, with one being designated for the DATA vlan and the other for the VOICE vlan. I have not personally configured this setup, but will be attempting to do so shortly and can hopefully provide some feedback.

"Each connectivity
association (pair) represents a virtual port, with a maximum of two virtual ports per physical port. Only one
of the two virtual ports can be part of a data VLAN; the other must externally tag its packets for the voice
VLAN."

"You can use MACsec and the MKA Protocol with 802.1x single-host mode or Multi Domain Authentication
(MDA) mode."

Walker · ‎02-16-2023

@GREGORY LEGGETT Here is a more recent doc,

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-3/configuration_guide/sec/b_173_sec_9300_cg/macsec_encryption.html

In standard (not 802.1x REV) 802.1x multiple-domain mode, a port is open or closed based on a single authentication. If the primary user, a PC on data domain, is authenticated, the same level of network access is provided to any domain connected to the same port. If a secondary user is a MACsec supplicant, it cannot be authenticated and traffic would no flow. A secondary user, an IP phone on voice domain, that is a non-MACsec host, can send traffic to the network without authentication because it is in multiple-domain mode.

I also tried setting up a lab to get it to work but had no success. If you somehow figure it out, please share! Would be a tremendous help.