Hello everyone!
We are trying to use AC NAM for host-to-switch MACsec.
On ISE we configured should-secure.
AC configuration:
Key management: MKA
Encryption: AES-GCM-128
We are using a 3850 running version 3.7.5.
Our MKA configuration:
mka policy MKA-POLICY
 replay-protection window-size 5000
interface gi 1/0/1
 mka policy MKA-POLICY
After successful authentication of the user:
Interface: GigabitEthernet1/0/1
IIF-ID: 0x101790000000077
MAC Address: 4437.e675.7b8b
IPv6 Address: Unknown
IPv4 Address: 10.61.6.90
User-Name: test
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: in
Session timeout: N/A
Restart timeout: N/A
Common Session ID: 0A3D060700000FDD00E44206
Acct Session ID: 0x00000FD5
Handle: 0x02000015
Current Policy: NAC
Local Policies:
Idle timeout: 60 sec
Server Policies:
Vlan Group: Vlan: 406
Security Policy: Should Secure
Security Status: Link Unsecure
SGT Value: 5001
Method status list:
       Method           State
       mab              Stopped
       dot1x            Authc Success
But for some reason the link isn't encrypted:
MKA Global Statistics
=====================
MKA Session Totals
Secured.................... 0
Reauthentication Attempts.. 1
Deleted (Secured).......... 0
Keepalive Timeouts......... 20
CA Statistics
Pairwise CAKs Derived...... 20
Pairwise CAK Rekeys........ 1
Group CAKs Generated....... 0
Group CAKs Received........ 0
SA Statistics
SAKs Generated............. 0
SAKs Rekeyed............... 0
SAKs Received.............. 0
SAK Responses Received..... 0
MKPDU Statistics
MKPDUs Validated & Rx...... 0
"Distributed SAK"..... 0
"Distributed CAK"..... 0
MKPDUs Transmitted......... 80
"Distributed SAK"..... 0
"Distributed CAK"..... 0
MKA Error Counter Totals
========================
Session Failures
Bring-up Failures................ 0
Reauthentication Failures........ 0
Duplicate Auth-Mgr Handle........ 0
SAK Failures
SAK Generation................... 0
Hash Key Generation.............. 0
SAK Encryption/Wrap.............. 0
SAK Decryption/Unwrap............ 0
CA Failures
Group CAK Generation............. 0
Group CAK Encryption/Wrap........ 0
Group CAK Decryption/Unwrap...... 0
Pairwise CAK Derivation.......... 0
CKN Derivation................... 0
ICK Derivation................... 0
KEK Derivation................... 0
Invalid Peer MACsec Capability... 0
MACsec Failures
Rx SC Creation................... 0
Tx SC Creation................... 0
Rx SA Installation............... 0
Tx SA Installation............... 0
MKPDU Failures
MKPDU Tx......................... 0
MKPDU Rx Validation.............. 0
MKPDU Rx Bad Peer MN............. 0
MKPDU Rx Non-recent Peerlist MN.. 0
What am I missing? Why isn't the encryption working?
Thanks,
Omer Shtivi
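The two outputs in the post carry the answer to "what is going on" even if not to "why": the switch sent 80 MKPDUs and validated 0 from the host, every MKA session ended in a keepalive timeout, and because the ISE policy is should-secure the session still shows Authorized with Security Status Link Unsecure, i.e. the port fails open and the host's traffic crosses the link in the clear. The following is an added example of mine, not code from the original post or from Cisco, that parses a constructed copy of the session and `show mka statistics` text (same values as above) and turns those counter relationships into findings. The function names and the finding codes are my own; the sample text is constructed.

```python
import re
from typing import Dict, List

# Constructed sample input: the relevant lines of the authentication-session
# and "show mka statistics" output from a Cisco IOS-XE switch, with the same
# values as the post above.
SESSION_SAMPLE = """\
Interface: GigabitEthernet1/0/1
User-Name: test
Status: Authorized
Security Policy: Should Secure
Security Status: Link Unsecure
"""

MKA_STATS_SAMPLE = """\
MKA Session Totals
   Secured.................... 0
   Reauthentication Attempts.. 1
   Deleted (Secured).......... 0
   Keepalive Timeouts......... 20
CA Statistics
   Pairwise CAKs Derived...... 20
   Pairwise CAK Rekeys........ 1
SA Statistics
   SAKs Generated............. 0
   SAKs Received.............. 0
MKPDU Statistics
   MKPDUs Validated & Rx...... 0
      "Distributed SAK"..... 0
      "Distributed CAK"..... 0
   MKPDUs Transmitted......... 80
      "Distributed SAK"..... 0
      "Distributed CAK"..... 0
"""

# A counter line is an optionally quoted name, a run of dots, and an integer.
_COUNTER = re.compile(r'^\s*("?)([^."]+?)\1\.{2,}\s*(\d+)\s*$')


def parse_session(text: str) -> Dict[str, str]:
    """Turn the 'Key: Value' lines of the session output into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            if value.strip():
                fields[key.strip()] = value.strip()
    return fields


def parse_mka_stats(text: str) -> Dict[str, int]:
    """Parse 'Name.... N' counters; quoted sub-counters are keyed under the
    counter they belong to, e.g. 'MKPDUs Transmitted/Distributed SAK'."""
    counters: Dict[str, int] = {}
    parent = ""
    for line in text.splitlines():
        m = _COUNTER.match(line)
        if not m:
            continue
        quoted, name, value = m.group(1), m.group(2).strip(), int(m.group(3))
        if quoted:
            name = f"{parent}/{name}"
        else:
            parent = name
        counters[name] = value
    return counters


def diagnose(session: Dict[str, str], counters: Dict[str, int]) -> List[str]:
    """Return 'code: explanation' findings derived from the two outputs."""
    findings: List[str] = []
    if (session.get("Security Policy") == "Should Secure"
            and session.get("Security Status") == "Link Unsecure"):
        findings.append("fail-open: should-secure leaves the session Authorized "
                        "with traffic in the clear; must-secure would keep the "
                        "port unauthorized until MKA succeeds")
    tx = counters.get("MKPDUs Transmitted", 0)
    rx = counters.get("MKPDUs Validated & Rx", 0)
    if tx > 0 and rx == 0:
        findings.append(f"no-peer: {tx} MKPDUs sent, 0 valid MKPDUs received, "
                        "so the host never answers MKA and SAK distribution "
                        "cannot start")
    timeouts = counters.get("Keepalive Timeouts", 0)
    if timeouts > 0 and counters.get("Secured", 0) == 0:
        findings.append(f"timeouts: {timeouts} keepalive timeouts and 0 secured "
                        "sessions, so every MKA attempt expired without a peer")
    derived = counters.get("Pairwise CAKs Derived", 0)
    if derived > 0 and counters.get("SAKs Generated", 0) == 0:
        findings.append(f"cak-only: pairwise CAK derived {derived} times from the "
                        "EAP key material but no SAK generated, so key agreement "
                        "never reached SAK distribution")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_session(SESSION_SAMPLE),
                            parse_mka_stats(MKA_STATS_SAMPLE)):
        print(finding)
```

Run it against the real outputs by replacing the two sample strings with pasted text; the "no-peer" finding is the one to chase first, since a switch that transmits MKPDUs but validates none has no MKA partner on the wire, and until that is fixed should-secure will keep admitting the host unencrypted.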