NEAT and MACSEC

Myx
Level 1

Hi,

My goal is to deploy NEAT switches, but also to establish a MACSEC connection between the authenticator and supplicant switches at the same time.

My naive approach was this:

ISE authorization profile:

Access Type = ACCESS_ACCEPT
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6
cisco-av-pair = auto-smart-port=ASM_MACSEC
cisco-av-pair = interface-template-name=switch

Supplicant Switch:

mka policy TEST
key-server priority 255
macsec-cipher-suite gcm-aes-128

key chain TEST macsec
description MACSEC TEST
key 01000000000000000000000000000000
cryptographic-algorithm aes-128-cmac
key-string xxx

dot1x credentials TEST
username neat-test
password xxx

eap profile TEST
description PEAP TEST
method peap
pki-trustpoint AAA
interface GigabitEthernet1/0/1
switchport mode trunk
macsec network-link
mka policy TEST
mka pre-shared-key key-chain TEST
dot1x pae supplicant
dot1x credentials TEST
dot1x supplicant eap profile TEST

Authenticator Switch:

macro auto global processing 
no macro auto global control device

mka policy TEST
  mka policy TEST
  mka pre-shared-key key-chain TEST

key chain TEST macsec
 description MACSEC TEST
 key 0100000000000000000000000000000000000000000000000000000000000000
  cryptographic-algorithm aes-128-cmac
  key-string xxx

macro auto execute ASM_MACSEC  {
 if [[ $LINKUP == YES ]]
  then conf t
  interface $INTERFACE
  macro description $TRIGGER
  switchport mode trunk
  authentication host-mode multi-host
  macsec network-link
  mka policy TEST
  mka pre-shared-key key-chain TEST
  exit
 fi
 if [[ $LINKUP == NO ]]
  then conf t
  interface $INTERFACE
  no macro description $TRIGGER
  switchport mode access
  authentication host-mode multi-auth
  no macsec network-link
  no mka policy TEST
  no mka pre-shared-key key-chain TEST
  exit
 fi
 end

interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security aging time 1
 switchport port-security aging type inactivity
 switchport port-security
 device-tracking attach-policy IPDT_POLICY
 authentication event fail action next-method
 authentication event server dead action authorize 
 authentication event server alive action reinitialize 
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer inactivity server
 authentication violation restrict
 mab
 no snmp trap link-status
 auto qos trust dscp
 source template default-nac
 spanning-tree portfast
 service-policy input AutoQos-4.0-Trust-Dscp-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy

template default-nac
dot1x pae authenticator
dot1x timeout tx-period 5
storm-control broadcast level pps 100
storm-control multicast level pps 100
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
switchport mode access
switchport voice vlan 1001
mab
authentication periodic
authentication timer reauthenticate server
ip dhcp snooping limit rate 20


The AAA process itself runs through and the switch gets authenticated/authorized in ISE.
The macro gets applied.
The connection breaks down, the end.

When I add macro auto port sticky to the authenticator port, the MKA macro stays applied and the MKA session is stable, but the AAA session is gone and never re-establishes.

What am I doing wrong? Is there a better way to achieve what I am trying to do?


Kind Regards
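A consistency check an engineer would run over a pair of configs like the ones in the post, added here as an example and not part of the original thread or of any Cisco tool. It parses the IOS-style key chain, mka policy and interface blocks of both switches and reports what would keep a pre-shared-key MKA session from coming up: no CKN common to both peers, a CAK or algorithm that differs under a shared CKN, mal-formed hex values, an undefined policy reference, or differing cipher suites. The embedded configs are constructed from the post's own blocks (the authenticator's interface lines are assumed to be what the ASM_MACSEC macro applies to the port, "xxx" is the post's placeholder for the secret, and the IOS default cipher suite when none is configured is an assumption). Run as-is it flags that the supplicant's CKN (32 hex digits) and the authenticator's CKN (64 hex digits) are not the same value, which MKA with a pre-shared CAK requires, and that the placeholder key-strings are not valid 32-digit hex CAKs for aes-128-cmac.

```python
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
DEFAULT_CIPHER = "gcm-aes-128"                          # assumed IOS default when not set
CAK_HEX_LEN = {"aes-128-cmac": 32, "aes-256-cmac": 64}  # CAK length implied by the algorithm
CKN_SUPP, CKN_AUTH = "01" + "0" * 30, "01" + "0" * 62   # the 32- and 64-digit CKNs in the post

# Both configs are constructed from the post's blocks; 'xxx' is the post's placeholder for the
# secret, and the authenticator interface lines are assumed to be what ASM_MACSEC applies.
SUPPLICANT_CFG = f"""\
mka policy TEST
 macsec-cipher-suite gcm-aes-128
key chain TEST macsec
 key {CKN_SUPP}
  cryptographic-algorithm aes-128-cmac
  key-string xxx
interface GigabitEthernet1/0/1
 macsec network-link
 mka policy TEST
 mka pre-shared-key key-chain TEST
"""
AUTHENTICATOR_CFG = f"""\
mka policy TEST
  mka policy TEST
  mka pre-shared-key key-chain TEST
key chain TEST macsec
 key {CKN_AUTH}
  cryptographic-algorithm aes-128-cmac
  key-string xxx
interface GigabitEthernet1/0/1
 macsec network-link
 mka policy TEST
 mka pre-shared-key key-chain TEST
"""

def parse_blocks(cfg):
    """Split an IOS-style config into (header, [child lines]) by indentation."""
    blocks = []
    for raw in cfg.splitlines():
        if raw.strip() and not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif raw.strip() and blocks:
            blocks[-1][1].append(raw.strip())
    return blocks

def parse_side(cfg):
    # Returns key chains {name: {ckn: entry}}, policies {name: cipher} and interfaces {name: ref}.
    chains, policies, ifaces = {}, {}, {}
    for header, body in parse_blocks(cfg):
        h, rows = header.split(), [line.split() for line in body]
        if h[:2] == ["key", "chain"] and h[-1] == "macsec":
            keys, cur = {}, None
            for w in rows:
                if w[0] == "key" and len(w) == 2:                 # 'key <CKN>' opens an entry
                    cur = keys.setdefault(w[1].lower(), {"algorithm": None, "cak": None})
                elif cur is not None and w[0] == "cryptographic-algorithm":
                    cur["algorithm"] = w[1]
                elif cur is not None and w[0] == "key-string" and len(w) == 2:  # plain form only
                    cur["cak"] = w[1]
            chains[h[2]] = keys
        elif h[:2] == ["mka", "policy"]:
            policies[h[2]] = next((w[1] for w in rows if w[0] == "macsec-cipher-suite"), DEFAULT_CIPHER)
        elif h[:1] == ["interface"]:
            ifaces[h[1]] = {
                "macsec": ["macsec", "network-link"] in rows,
                "policy": next((w[2] for w in rows if w[:2] == ["mka", "policy"]), None),
                "key_chain": next((w[3] for w in rows if w[:3] == ["mka", "pre-shared-key", "key-chain"]), None),
            }
    return chains, policies, ifaces

def check_side(side, cfg):
    chains, policies, ifaces = parse_side(cfg)
    findings, used, ciphers = [], {}, set()
    for name, ref in ((n, r) for n, r in ifaces.items() if r["macsec"]):   # MACsec ports only
        if ref["policy"] in policies:
            ciphers.add(policies[ref["policy"]])
        else:
            findings.append(("MISSING_REF", f"{side} {name}: mka policy {ref['policy']} is not defined"))
        for ckn, entry in chains.get(ref["key_chain"], {}).items():
            used[ckn] = entry
            if not HEX_RE.match(ckn) or len(ckn) % 2 or len(ckn) > 64:
                findings.append(("CKN_FORMAT", f"{side}: CKN {ckn} must be even-length hex, at most 64 digits"))
            want, cak = CAK_HEX_LEN.get(entry["algorithm"]), entry["cak"]
            if want and not (cak and HEX_RE.match(cak) and len(cak) == want):
                findings.append(("CAK_FORMAT", f"{side}: CAK for CKN {ckn} must be {want} hex digits, got {cak!r}"))
    return findings, used, ciphers

def check_peers(cfg_a, cfg_b, names=("supplicant", "authenticator")):
    """Findings for the pair; an empty list means the PSK parameters are consistent."""
    (fa, used_a, ciph_a), (fb, used_b, ciph_b) = (check_side(n, c) for n, c in zip(names, (cfg_a, cfg_b)))
    findings, common = fa + fb, set(used_a) & set(used_b)
    if used_a and used_b and not common:   # both peers must configure the same CKN
        findings.append(("CKN_MISMATCH", f"no common CKN: {sorted(used_a)} vs {sorted(used_b)}"))
    for ckn in common:                     # and the same algorithm and CAK under it
        if used_a[ckn] != used_b[ckn]:
            findings.append(("CAK_MISMATCH", f"CKN {ckn}: algorithm or key-string differs"))
    if ciph_a and ciph_b and ciph_a != ciph_b:
        findings.append(("CIPHER_MISMATCH", f"cipher suites {sorted(ciph_a)} vs {sorted(ciph_b)}"))
    return findings
```

Calling check_peers(SUPPLICANT_CFG, AUTHENTICATOR_CFG) returns a list of (code, message) tuples; with the post's values it contains CKN_MISMATCH and one CAK_FORMAT per side, and returns an empty list once both switches carry the same CKN and a 32-digit hex CAK. The parser only reads the plain-text key-string form, so a config pulled from a running switch with type-7 encrypted strings would need the CAKs compared out of band.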
