How to configure encryption with MACsec switch to switch

yasib ahmed
Level 1

Hi,

I have two switches, a 3850-24T-S and a 3650-24TS-S, and I want to configure MACsec between their interfaces.

I have entered the commands below on both switches:

Switch# configure terminal
Switch(config)# interface gi1/0/24
Switch(config-if)# cts manual
Switch(config-if-cts-manual)# sap pmk 1234abcdef mode-list gcm-encrypt
Switch(config-if-cts-manual)# no propagate sgt
Switch(config-if-cts-manual)# exit
Switch(config-if)# shut
Switch(config-if)# no shut
Switch(config-if)# end

But it gives the error message below:

*Jan  2 03:06:04.794: %CTS-3-PORT_AUTHORIZED_FAILED: Failed to authorize Port for int(Gi1/0/24)

I have also tried a different command (see below), but the same problem still happens.

Switch# configure terminal
Switch(config)# interface gi1/0/24
Switch(config-if)# cts manual
Switch(config-if-cts-manual)# sap pmk 1234abcdef mode-list gcm-encrypt null no-encap
Switch(config-if-cts-manual)# no propagate sgt
Switch(config-if-cts-manual)# exit
Switch(config-if)# shut
Switch(config-if)# no shut
Switch(config-if)# end

It would be very helpful if anyone can help me solve the problem.

Regards,

Yasib

12 Replies

Mark Malone
VIP Alumni

Hi, are you using at least an IP Base or IP Services license, not LAN Base, and also not an NPE image? Otherwise MACsec won't work in manual mode.

Both switches are IP Base and I am using Denali IOS.

The IOS is cat3k_caa-universalk9.16.03.02.SPA.bin

Any suggestions??

I can't offer anything until I lab it between 2 switches and see what's going on. Your config looks OK checking the docs, and I can't test this on production for obvious reasons. I was hoping to test it tomorrow; I have spare 38s in the lab, and Fridays can be quiet.

It would be very helpful if you could do that for me.

If you succeed, please tell me the exact part number of your switch, module and IOS version.

This project is very important for me. I have to do many of these configs if this succeeds.

Thanks once again for the reply.

Hi, so I don't have the encrypt option for some reason in my syntax under the interface; I need to check why that is. I booted eval IP Base licenses onto both lab switches as I only had LAN Base running on them.

So I set it without it, but it came up as below, both 3650s on 03.06.04.E.

I will leave the lab running and try to get the encryption working too; I'll try booting your image onto them to see if the option for encrypt is there.

conf t
int g1/0/47
cts manual
sap pmk mode-list mode-list no-encap
no propagate sgt

Switch#sh cts
Global Dot1x feature: Disabled
CTS device identity: ""
CTS caching support: disabled

Number of CTS interfaces in DOT1X mode:  0,    MANUAL mode: 2
Number of CTS interfaces in LAYER3 TrustSec mode: 0

Number of CTS interfaces in corresponding IFC state
  INIT            state:  1
  AUTHENTICATING  state:  0
  AUTHORIZING     state:  0
  SAP_NEGOTIATING state:  0
  OPEN            state:  1
  HELD            state:  0
  DISCONNECTING   state:  0
  INVALID         state:  0

CTS events statistics:
  authentication success: 0
  authentication reject : 0
  authentication failure: 0
  authentication logoff : 0
  authentication no resp: 0
  authorization success : 0
  authorization failure : 0
  sap success           : 1
  sap failure           : 0
  port auth failure     : 0

Switch#sh run int g1/0/47
Building configuration...

Current configuration : 127 bytes
!
interface GigabitEthernet1/0/47
 cts manual
  sap pmk 0000000000000000000000000000000000000000000000000000001234ABCDEF
end

Switch#sh int g1/0/47
GigabitEthernet1/0/47 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 74a2.e66d.5baf (bia 74a2.e66d.5baf)

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


Switch#sh int g1/0/48 | i up
GigabitEthernet1/0/48 is up, line protocol is up (connected)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
Switch#sh cts
Global Dot1x feature: Disabled
CTS device identity: ""
CTS caching support: disabled

Number of CTS interfaces in DOT1X mode:  0,    MANUAL mode: 1
Number of CTS interfaces in LAYER3 TrustSec mode: 0

Number of CTS interfaces in corresponding IFC state
  INIT            state:  0
  AUTHENTICATING  state:  0
  AUTHORIZING     state:  0
  SAP_NEGOTIATING state:  0
  OPEN            state:  1
  HELD            state:  0
  DISCONNECTING   state:  0
  INVALID         state:  0

CTS events statistics:
  authentication success: 0
  authentication reject : 0
  authentication failure: 0
  authentication logoff : 0
  authentication no resp: 0
  authorization success : 0
  authorization failure : 0
  sap success           : 1
  sap failure           : 12
  port auth failure     : 0

Switch#sh run int g1/0/48
Building configuration...

Current configuration : 146 bytes
!
interface GigabitEthernet1/0/48
 cts manual
  no propagate sgt
  sap pmk 0000000000000000000000000000000000000000000000000000001234ABCDEF
end

Switch#

***************************************************************************************

Non encrypt available

Switch(config)#int g1/0/46
Switch(config-if)#cts man
Switch(config-if)#cts manual
Switch(config-if-cts-manual)#sap ?
  pmk  Pre-Master Key (PMK) to use for CTS SAP

Switch(config-if-cts-manual)#sap pmk ?
  0     Specifies an UNENCRYPTED password will follow
  6     Specifies an ENCRYPTED password will follow
  WORD  The UNENCRYPTED (cleartext) user password

Switch(config-if-cts-manual)#sap pmk testmac ?
  mode-list  List of advertised modes (prioritized from highest to lowest)
  <cr>

Switch(config-if-cts-manual)#sap pmk testmac mo
Switch(config-if-cts-manual)#sap pmk testmac mode-list ?
  no-encap  No encapsulation

Switch(config-if-cts-manual)#sap pmk testmac mode-list
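The outputs quoted in this thread (the %CTS-3-PORT_AUTHORIZED_FAILED syslog from the first post, the "sap failure" counter in "show cts", and a "sap pmk" line with or without a mode-list) are exactly what an operator has to read to tell a link that failed SAP apart from a link that came up with SAP succeeding but no encryption, which is the situation Mark's lab shows. The script below is an added example, not code from the thread or from Cisco: it parses constructed copies of those three outputs and reports both conditions. The input formats are assumed from the snippets quoted above, and it assumes that only gcm-encrypt gives confidentiality, while null and no-encap bring the link up with frames in the clear. It checks only what the switch advertises; the mode the peer actually negotiated still has to be read from the switch.

```python
"""Added example (not from the thread): triage of the MACsec/SAP symptoms
described above from a switch's syslog, running config and 'show cts'.
All sample inputs below are constructed, modelled on the outputs quoted in
the thread; the counter and mode names come from those outputs."""
from __future__ import annotations
import re

# Constructed syslog lines: one %CTS-3-PORT_AUTHORIZED_FAILED message, one unrelated line.
SAMPLE_SYSLOG = """\
*Jan  2 03:06:04.794: %CTS-3-PORT_AUTHORIZED_FAILED: Failed to authorize Port for int(Gi1/0/24)
*Jan  2 03:06:09.101: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to up
"""

# Constructed running-config fragment: one link that only advertises no-encap,
# one that advertises gcm-encrypt first.
SAMPLE_RUN = """\
interface GigabitEthernet1/0/47
 cts manual
  sap pmk 0000000000000000000000000000000000000000000000000000001234ABCDEF mode-list no-encap
!
interface GigabitEthernet1/0/24
 cts manual
  sap pmk 1234abcdef mode-list gcm-encrypt null no-encap
  no propagate sgt
!
"""

# Constructed 'show cts' statistics block, shaped like the one in the thread.
SAMPLE_SHOW_CTS = """\
CTS events statistics:
  authentication success: 0
  authorization failure : 0
  sap success           : 1
  sap failure           : 12
  port auth failure     : 0
"""

AUTHZ_FAIL_RE = re.compile(r"%CTS-3-PORT_AUTHORIZED_FAILED: .*?int\((?P<intf>[^)]+)\)")
COUNTER_RE = re.compile(r"^\s+([a-z][a-z ]*?)\s*:\s*(\d+)\s*$")


def failed_ports(syslog: str) -> list[str]:
    """Interfaces named in PORT_AUTHORIZED_FAILED messages, in the order seen."""
    return [m.group("intf") for m in AUTHZ_FAIL_RE.finditer(syslog)]


def sap_modes(running_config: str) -> dict[str, list[str]]:
    """Map each 'cts manual' interface to the SAP modes it advertises.

    An empty list means no mode-list was configured, so the platform default
    applies (which, as the thread shows, may be no-encap only)."""
    modes: dict[str, list[str]] = {}
    current = None
    for raw in running_config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif current and line.startswith("sap pmk"):
            _, _, tail = line.partition("mode-list")
            modes[current] = tail.split()
    return modes


def unencrypted_links(running_config: str) -> list[str]:
    """Interfaces that do not advertise gcm-encrypt as their preferred mode.

    Assumption (stated in the lead-in): only gcm-encrypt gives confidentiality;
    null and no-encap bring the link up with frames in the clear."""
    return sorted(intf for intf, m in sap_modes(running_config).items()
                  if not m or m[0] != "gcm-encrypt")


def cts_counters(show_cts: str) -> dict[str, int]:
    """Parse the 'CTS events statistics' counters into a dict."""
    found: dict[str, int] = {}
    for raw in show_cts.splitlines():
        m = COUNTER_RE.match(raw)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def triage(syslog: str, running_config: str, show_cts: str) -> list[str]:
    """Produce the findings an operator would act on, one string per finding."""
    findings = []
    for intf in failed_ports(syslog):
        findings.append(f"{intf}: port authorization failed; SAP did not complete")
    for intf in unencrypted_links(running_config):
        findings.append(f"{intf}: SAP can come up without encryption (no gcm-encrypt)")
    counters = cts_counters(show_cts)
    if counters.get("sap failure", 0) > 0:
        findings.append(f"show cts: {counters['sap failure']} SAP failures recorded")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_SYSLOG, SAMPLE_RUN, SAMPLE_SHOW_CTS):
        print(line)
```

On the constructed inputs the script reports Gi1/0/24 as failing authorization, GigabitEthernet1/0/47 as a link that advertises only no-encap, and the 12 SAP failures from the counters. The second finding is the one worth watching in a fleet: a "sap success" counter and an interface that is up say nothing about whether the frames are encrypted.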

So is it working or not??

I have tried many options, but the same error message is still generated.

*Jan  5 04:09:05.794: %CTS-3-PORT_AUTHORIZED_FAILED: Failed to authorize Port for int(Gi1/0/24)

I don't have any CON so I can't open a TAC case. Please help me solve the issue.

Hi Mark,

I have found the problem. It will help others and save time.

You need to change the IOS; it requires version 3.7.4E(ED).

That will solve the MACsec problem for the 3650-24TS-S.

Enjoy!!!!!!

Regards,

Yasib

GREAT ...
Lets Enjoy!!!!!!

Yes, it worked for me, but I did not get the option for encryption; the SAP connection succeeded though. Thanks for posting back your fix.

Hi Mark,

Thank you for your time and help.

I have two 3650-24TD-S (IPBASE) running 3.7.4E(ED), and I am also able to get the SAP connection to work, but only without encryption. I do not even get the option to add the 'gcm-encrypt' option??? Mark, it sounds like that is what you were seeing too? Did you ever get encryption to work with the 3650-24TD-S? Does this platform support gcm-encrypt?

I have several 3560-X units with IPBASE that are supporting MACsec encryption with the 'gcm-encrypt' option.


Thanks for any assistance on this.  

Tim