
MACsec host-switch

omer shtivi
Level 1

Hello everyone!

We are trying to use AC NAM for host-switch MACsec.

At the ISE we configured should-secure.

AC configuration:

key-management - MKA

Encryption - AES-GCM-128

We are using 3850 version 3.7.5

Our MKA configuration:

mka policy MKA-POLICY
 replay-protection window-size 5000

interface gi 1/0/1
 mka policy MKA-POLICY

After successful authentication of the user:

            Interface:  GigabitEthernet1/0/1
               IIF-ID:  0x101790000000077
          MAC Address:  4437.e675.7b8b
         IPv6 Address:  Unknown
         IPv4 Address:  10.61.6.90
            User-Name:  test
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  in
      Session timeout:  N/A
      Restart timeout:  N/A
    Common Session ID:  0A3D060700000FDD00E44206
      Acct Session ID:  0x00000FD5
               Handle:  0x02000015
       Current Policy:  NAC

Local Policies:
         Idle timeout:  60 sec

Server Policies:
           Vlan Group:  Vlan: 406
      Security Policy:  Should Secure
      Security Status:  Link Unsecure
            SGT Value:  5001

Method status list:
       Method           State
       mab              Stopped
       dot1x            Authc Success

But for some reason the link isn't encrypted:

MKA Global Statistics
=====================
MKA Session Totals
   Secured.................... 0
   Reauthentication Attempts.. 1

   Deleted (Secured).......... 0
   Keepalive Timeouts......... 20

CA Statistics
   Pairwise CAKs Derived...... 20
   Pairwise CAK Rekeys........ 1
   Group CAKs Generated....... 0
   Group CAKs Received........ 0

SA Statistics
   SAKs Generated............. 0
   SAKs Rekeyed............... 0
   SAKs Received.............. 0
   SAK Responses Received..... 0

MKPDU Statistics
   MKPDUs Validated & Rx...... 0
      "Distributed SAK"..... 0
      "Distributed CAK"..... 0
   MKPDUs Transmitted......... 80
      "Distributed SAK"..... 0
      "Distributed CAK"..... 0

MKA Error Counter Totals
========================
Session Failures
   Bring-up Failures................ 0
   Reauthentication Failures........ 0
   Duplicate Auth-Mgr Handle........ 0

SAK Failures
   SAK Generation................... 0
   Hash Key Generation.............. 0
   SAK Encryption/Wrap.............. 0
   SAK Decryption/Unwrap............ 0

CA Failures
   Group CAK Generation............. 0
   Group CAK Encryption/Wrap........ 0
   Group CAK Decryption/Unwrap...... 0
   Pairwise CAK Derivation.......... 0
   CKN Derivation................... 0
   ICK Derivation................... 0
   KEK Derivation................... 0
   Invalid Peer MACsec Capability... 0

MACsec Failures
   Rx SC Creation................... 0
   Tx SC Creation................... 0
   Rx SA Installation............... 0
   Tx SA Installation............... 0

MKPDU Failures
   MKPDU Tx......................... 0
   MKPDU Rx Validation.............. 0
   MKPDU Rx Bad Peer MN............. 0
   MKPDU Rx Non-recent Peerlist MN.. 0

What am I missing? Why isn't the encryption working?

Thanks,

Omer Shtivi
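
Added example, not part of the original post and not Cisco code: a small Python reader for the "MKA Global Statistics" text pasted above that separates "the switch sends MKPDUs and hears nothing back" from "MKPDUs arrive but are rejected". The verdict labels and function names are made up for this example, and the sample input is a constructed subset of the counters in the post.

```python
import re

# Constructed sample: a subset of the counters quoted in the post.
SAMPLE = """\
MKA Session Totals
   Secured.................... 0
   Keepalive Timeouts......... 20
MKPDU Statistics
   MKPDUs Validated & Rx...... 0
      "Distributed SAK"..... 0
   MKPDUs Transmitted......... 80
      "Distributed SAK"..... 0
MKPDU Failures
   MKPDU Tx......................... 0
   MKPDU Rx Validation.............. 0
"""

COUNTER = re.compile(r"^\s+(?P<name>[^.\n]+?)\.{2,}\s*(?P<value>\d+)\s*$")

def parse_counters(text):
    """Return {(section, counter): int}. Unindented lines are section headers;
    quoted sub-counters are keyed under the counter they are nested below."""
    counters, section, parent = {}, None, None
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            name = m["name"].strip()
            if name.startswith('"'):
                name = f"{parent} / {name}"
            else:
                parent = name
            counters[(section, name)] = int(m["value"])
        elif line.strip() and not line[0].isspace() and set(line.strip()) != {"="}:
            section = line.strip()
    return counters

def triage(c):
    """Classify the exchange; the verdict strings are labels made up here."""
    tx = c.get(("MKPDU Statistics", "MKPDUs Transmitted"), 0)
    rx = c.get(("MKPDU Statistics", "MKPDUs Validated & Rx"), 0)
    rx_bad = sum(v for (s, n), v in c.items()
                 if s == "MKPDU Failures" and n.startswith("MKPDU Rx"))
    if c.get(("MKA Session Totals", "Secured"), 0):
        return "secured"          # at least one session reached Secured
    if rx_bad:
        return "peer-rejected"    # MKPDUs arrive but fail validation
    if tx and not rx:
        return "peer-silent"      # switch transmits, nothing valid comes back
    return "inconclusive"

if __name__ == "__main__":
    print(triage(parse_counters(SAMPLE)))
```

Run against the full statistics in the post, it returns "peer-silent": 80 MKPDUs transmitted, none validated and received, and no Rx validation failures, which matches the Should Secure / Link Unsecure status in the session output.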
