Tim Glen
Cisco Employee

Summary

Here we will go over the configuration needed for MACsec switch to switch using EAP-TLS for authentication. MKA and MACsec are brought up after the certificate-based 802.1X authentication succeeds. Please see MACsec History and Terminology for a basic understanding of where MACsec came from, the cipher suites and encryption methods, and acronym definitions. While I am using switch to switch, this can also be used for Router <-> Switch or Router <-> Router as long as MACsec is supported on the interfaces. Configuring MACsec on NX-OS is likely to be different from these examples. When switch-to-switch MACsec is enabled, all traffic on the link is encrypted except the EAP-over-LAN (EAPOL) packets.

 

In these examples, I'm using two Catalyst 9300 switches, both running IOS XE 17.3(4).

 

This will be one in a series of documents I write on MACsec. Some of the other topics I'll be writing about are:

 

MACsec History and Terminology

Creating a CSR, Authenticating a CA and Enrolling Certificates on IOS XE

Configuring MACsec Switch to Switch with PSK Authentication

Configuring Certificate Based MACsec Switch to Switch with ISE Authentication

Configuring MACsec Switch to Host with ISE and Cat 9K

 

Problem Statement

Typically businesses trust traffic that is traversing a cable. We need to stop trusting the cable: there are inexpensive devices that can easily be inserted into the path to help attackers perform meddler-in-the-middle attacks. The Zero Trust model should extend to the network medium, and in wireless it already does. We need to start encrypting traffic that traverses our wired Ethernet networks; MACsec does this with little cost, little overhead and at wire speed.

 

Requirements

  • Certificates on each IOS XE device must be issued by the same CA
  • Certificates can be obtained using SCEP or manual enrollment
  • Certificates must contain the following X.509 Key Usages
    • Digital Signature
    • Key Encipherment
  • Certificates must contain the following Extended Key Usages
    • Server Auth
    • Client Auth
  • IOS XE 17.3(4) is used for this lab and is recommended. Earlier versions may work; MACsec was introduced into IOS XE in 16.5.1a
  • Certificate-based MACsec is supported only if the access-session is configured as closed or in multi-host mode
  • Switch name, domain name, DNS server IP addresses and NTP must be configured
  • IBNS 2.0
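As an added example that is not part of the original post or of any Cisco tool, the following Go program checks a switch identity certificate against the requirements listed above: issued by the same CA, Key Usage with Digital Signature and Key Encipherment, Extended Key Usage with Server Auth and Client Auth, and a validity window that covers the current time (the reason NTP is on the list). It builds a throwaway CA and two certificates in memory so it runs offline; the CA name, the switch names and the function names are my own assumptions. In practice you would feed it the certificates exported from each switch's trustpoint and the CA certificate they were enrolled against.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RequiredKeyUsage and RequiredEKU mirror the certificate requirements above.
const RequiredKeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment

var RequiredEKU = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}

var ekuNames = map[x509.ExtKeyUsage]string{
	x509.ExtKeyUsageServerAuth: "Server Auth",
	x509.ExtKeyUsageClientAuth: "Client Auth",
}

// CheckMACsecCert returns the requirement violations for one switch identity
// certificate; an empty result means it is usable for certificate-based MACsec
// with a peer that chains to the same CA.
func CheckMACsecCert(cert, ca *x509.Certificate) []string {
	var problems []string
	// Both switches must be issued by the same CA: verify the signature chains to it.
	if err := cert.CheckSignatureFrom(ca); err != nil {
		problems = append(problems, "not issued by the expected CA: "+err.Error())
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		problems = append(problems, "Key Usage lacks Digital Signature")
	}
	if cert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 {
		problems = append(problems, "Key Usage lacks Key Encipherment")
	}
	for _, want := range RequiredEKU {
		if !hasEKU(cert, want) {
			problems = append(problems, "Extended Key Usage lacks "+ekuNames[want])
		}
	}
	// A switch with a wrong clock (no NTP) sees its peer's certificate as not yet
	// valid or expired, so the validity window is worth checking as well.
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		problems = append(problems, "certificate is outside its validity period")
	}
	return problems
}

func hasEKU(cert *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, got := range cert.ExtKeyUsage {
		if got == want {
			return true
		}
	}
	return false
}

// NewTestCA builds a throwaway self-signed CA in memory (constructed for this
// example only; in the lab the CA is the one the switches enrolled with).
func NewTestCA(name string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueSwitchCert issues a switch identity certificate with the given usages,
// standing in for SCEP or manual enrollment.
func IssueSwitchCert(ca *x509.Certificate, caKey *rsa.PrivateKey, cn string,
	ku x509.KeyUsage, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     ku,
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	ca, caKey, err := NewTestCA("Lab-CA")
	if err != nil {
		panic(err)
	}
	good, _ := IssueSwitchCert(ca, caKey, "top-sw", RequiredKeyUsage, RequiredEKU)
	// Deliberately incomplete certificate: no Key Encipherment, no Client Auth.
	bad, _ := IssueSwitchCert(ca, caKey, "bot-sw", x509.KeyUsageDigitalSignature,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	for _, c := range []*x509.Certificate{good, bad} {
		fmt.Printf("%-7s problems=%v\n", c.Subject.CommonName, CheckMACsecCert(c, ca))
	}
}
```

The check for the same CA is done with a signature verification against the CA certificate rather than by comparing issuer names, because a peer certificate with the right issuer string but signed by a different key will still fail dot1x, and that is the failure you want to catch before cabling the uplink.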

 

Network Diagram

 
[Image: network diagram]

 

Configuration Steps

Obtain Certificates for both Switches

First we need identity certificates on both switches. Please follow this document I wrote:
Creating a CSR, Authenticating a CA and Enrolling Certificates on IOS XE

AAA Config

I prefer to use named lists in my AAA config because they produce very prescriptive results.

!
conf t
aaa new-model
aaa local authentication MACSEC-UPLINK authorization MACSEC-UPLINK
aaa authorization credential-download MACSEC-UPLINK local
aaa authentication dot1x MACSEC-UPLINK local
aaa authorization network MACSEC-UPLINK local
!
end
!

Create Local Username for 802.1x Authentication

This username will be referenced in the dot1x credentials section below.

This username does not need a password.

We are using local authentication. When this user is successfully authenticated, the attribute list is applied; that is when the MUST-SECURE linksec policy is applied to the MACsec network link.

!
conf t
aaa attribute list MUST-SECURE
attribute type linksec-policy must-secure
!
username usr-macsec aaa attribute list MUST-SECURE
!
end
!

 

Create a policy map for MACsec Uplink

First off, IBNS 2.0 rocks! The flexibility is just off the charts. If your configuration is not already using IBNS 2.0 you will be prompted to enable it; IBNS 1.0 is NOT supported, so you must enable IBNS 2.0.

This is the policy-map that we will apply to the interfaces that connect the switches.

The policy-map should be fairly self-explanatory:

Authenticate using dot1x with the AAA authentication and authorization lists named MACSEC-UPLINK. Remember, we configured those in a previous step.

In the event of dot1x failure, terminate the session and try again after 10 seconds.

When authentication is successful, activate the built-in service template that enables the MUST-SECURE linksec policy.

 

Note: if you don't already have IBNS 2.0 enabled you will be prompted to enable it in this section.

!
conf t
policy-map type control subscriber DOT1X-MUST-SECURE-UPLINK
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x aaa authc-list MACSEC-UPLINK authz-list MACSEC-UPLINK both
event authentication-failure match-all
10 class always do-until-failure
10 terminate dot1x
20 authentication-restart 10
event authentication-success match-all
10 class always do-until-failure
10 activate service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
!
end
!

 

Configure EAP-TLS AuthC Profile and 802.1x Credential Set

In this section we enable system wide dot1x and create the authentication profiles.

I'm referencing the trustpoint (bot-sw) from my own configuration.

Make sure the pki-trustpoint lines in your configuration reference YOUR trustpoint!

!
conf t
dot1x system-auth-control
!
eap profile EAP-PROFILE
method tls
pki-trustpoint bot-sw
!
!
dot1x credentials DOT1X-CREDS
username usr-macsec
pki-trustpoint bot-sw
!
end
!

 

 

Configure the Switchport for VLAN Trunking, dot1x and MACsec Network Link

!
conf t
interface g1/0/3
switchport
switchport mode trunk
macsec network-link
authentication periodic
authentication timer reauthenticate 1800
access-session host-mode multi-host
access-session closed
access-session port-control auto
dot1x pae both
dot1x credentials DOT1X-CREDS
dot1x supplicant eap profile EAP-PROFILE
dot1x authenticator eap profile EAP-PROFILE
service-policy type control subscriber DOT1X-MUST-SECURE-UPLINK
!
end
!
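As an added example (not part of the original post, and not a Cisco tool), here is a small Go audit that reads running-config text and reports MACsec uplinks that deviate from the interface configuration above: it looks at every interface carrying `macsec network-link` and checks for the trunk, access-session, dot1x and service-policy lines, plus the requirement that the access-session be closed or in multi-host mode. The sample configuration is constructed for the example: GigabitEthernet1/0/3 copies this article's interface, GigabitEthernet1/0/4 is deliberately incomplete, and GigabitEthernet1/0/5 is an ordinary access port that should be ignored.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// requiredPrefixes are the lines every MACsec uplink in this design must carry.
// Matching is by prefix, so "dot1x credentials DOT1X-CREDS" satisfies "dot1x credentials".
var requiredPrefixes = []string{
	"switchport mode trunk",
	"access-session port-control auto",
	"dot1x pae both",
	"dot1x credentials",
	"dot1x supplicant eap profile",
	"dot1x authenticator eap profile",
	"service-policy type control subscriber",
}

// parseInterfaces splits running-config text into interface stanzas. A stanza
// runs from its "interface <name>" line until the next "!" separator.
func parseInterfaces(config string) map[string][]string {
	stanzas := map[string][]string{}
	current := ""
	for _, raw := range strings.Split(config, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "interface "):
			current = strings.TrimPrefix(line, "interface ")
			stanzas[current] = []string{}
		case line == "!":
			current = ""
		case current != "" && line != "":
			stanzas[current] = append(stanzas[current], line)
		}
	}
	return stanzas
}

func hasLine(lines []string, prefix string) bool {
	for _, l := range lines {
		if strings.HasPrefix(l, prefix) {
			return true
		}
	}
	return false
}

// AuditMACsecInterfaces returns findings for each interface that has
// "macsec network-link"; an empty list means the port matches the design.
func AuditMACsecInterfaces(config string) map[string][]string {
	findings := map[string][]string{}
	for name, lines := range parseInterfaces(config) {
		if !hasLine(lines, "macsec network-link") {
			continue
		}
		f := []string{}
		for _, p := range requiredPrefixes {
			if !hasLine(lines, p) {
				f = append(f, "missing: "+p)
			}
		}
		// Certificate-based MACsec requires the access-session to be closed
		// or in multi-host mode (see the requirements section).
		if !hasLine(lines, "access-session closed") &&
			!hasLine(lines, "access-session host-mode multi-host") {
			f = append(f, "access-session is neither closed nor host-mode multi-host")
		}
		sort.Strings(f)
		findings[name] = f
	}
	return findings
}

// SampleConfig is a constructed running-config excerpt (not captured from a switch).
const SampleConfig = `!
interface GigabitEthernet1/0/3
 switchport
 switchport mode trunk
 macsec network-link
 authentication periodic
 authentication timer reauthenticate 1800
 access-session host-mode multi-host
 access-session closed
 access-session port-control auto
 dot1x pae both
 dot1x credentials DOT1X-CREDS
 dot1x supplicant eap profile EAP-PROFILE
 dot1x authenticator eap profile EAP-PROFILE
 service-policy type control subscriber DOT1X-MUST-SECURE-UPLINK
!
interface GigabitEthernet1/0/4
 switchport
 switchport mode trunk
 macsec network-link
 access-session port-control auto
 dot1x pae both
 dot1x credentials DOT1X-CREDS
 dot1x supplicant eap profile EAP-PROFILE
 dot1x authenticator eap profile EAP-PROFILE
!
interface GigabitEthernet1/0/5
 switchport access vlan 10
!`

func main() {
	for name, f := range AuditMACsecInterfaces(SampleConfig) {
		fmt.Printf("%s: %d finding(s) %v\n", name, len(f), f)
	}
}
```

Run it against the output of `show running-config` saved to a file and you get a quick list of uplinks where MACsec is turned on but the authentication side is incomplete, which is exactly the state in which MKA never starts.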


Verification

!
show crypto pki certificates verbose trustpoint
!

This will show all possible information about the certificate. Replace trustpoint with the name of your trustpoint (bot-sw in this lab).

[Image: show crypto pki certificates verbose bot-sw output]

 

 

 

!
show access-session interface g1/0/3 details
!

This shows a successful dot1x authentication and authorization. This is the first thing to check: if dot1x authentication fails, MKA will never start.

[Image: show access-session interface g1/0/3 details output]

 

 

 

!
show dot1x int g1/0/3 details
!

This shows some basic dot1x details for the interface.

 

 

 

!
show policy-map type control subscriber DOT1X-MUST-SECURE-UPLINK detail
!

This shows specifics on the policy-map, including execution and hit counts.

[Image: show policy-map type control subscriber output]

 

 

!
show mka session interface g1/0/3
!

The CKN, or Connectivity Key Name, is a container for storing the Connectivity Association Key (CAK). The CKN is the same on both peers. The CKN is transmitted across the wire in clear text to the peer to assist the peer in validating the CAK.

[Image: show mka session interface g1/0/3 output]

 

 

!
show mka session interface g1/0/3 details
!

Use this command to deep dive into the MKA session status.

[Image: show mka session interface g1/0/3 details output]

 

 

 

!
show mka policy
!

Find the policy you are looking for if it is not the default policy. Ensure the interface in question has the proper policy applied.

[Image: show mka policy output]

 

 

 

!
show macsec interface g1/0/3
!

Use this command to deep dive into the MACsec session statistics.

[Image: show macsec interface g1/0/3 output, page 1]
[Image: show macsec interface g1/0/3 output, page 2]

 

 

!
show authentication brief
!
show history all
!
show platform pm port-data GigabitEthernet1/0/3
!

 

Troubleshooting

! debug crypto pki is not supported on the C9200
debug crypto pki messages
debug crypto pki transactions
debug crypto pki validation
!
!
debug macsec
!
debug mka errors
!
debug mka events
!
debug mka linksec-interface
! *** be warned this can quickly overrun the buffer
!
debug mka macsec-interface
!

 

 

References

Cisco IOS XE Command Reference Guides for Access and Edge Routers

Cisco IOS XE Security Configuration Guide - MACsec Encryption

Comments
M@rco
Level 1

Hello Tim,

How can you use SHOULD-SECURE with a PSK?
