Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
251
Views
0
Helpful
2
Replies

Issue with Catalyst 9300 and GCM-AES-256 for MACSec switch-to-host

raulantoniorz91
Level 1
Level 1

‎07-31-2024 02:11 PM - edited ‎07-31-2024 02:12 PM

Hi, I'm trying to use GCM-AES-256 with Catalyst 9300 and MACSec. Tested with default MKA policy that uses GCM-AES-128 and everything works fine, it gets authenticated with ISE and I can see MKA session secured in switch. When changed encryption algorithm in switch and Secure Client profile to use only GCM-AES-256 it gets authenticated in ISE but then switch shows following errors:

 
Jul 17 22:47:53.048: %MKA-4-KEEPALIVE_TIMEOUT: (Gi1/0/6 : 24) Peer has stopped sending MKPDUs for RxSCI 4cd7.1734.0477/0000, AuditSessionID 63000B0A00000041C2DD406A, CKN 5398E19B67FA3DBBD94A5D60F75EB021
Jul 17 22:47:53.048: %MKA-4-SESSION_UNSECURED: (Gi1/0/6 : 24) MKA Session was stopped by MKA and not secured for RxSCI 4cd7.1734.0477/0000, AuditSessionID 63000B0A00000041C2DD406A, CKN 5398E19B67FA3DBBD94A5D60F75EB021
Jul 17 22:47:53.052: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (4cd7.1734.0477) on Interface GigabitEthernet1/0/6 AuditSessionID 63000B0A00000041C2DD406A. Failure Reason: Linksec Failure.
Jul 17 22:47:53.053: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (4cd7.1734.0477) on Interface GigabitEthernet1/0/6 AuditSessionID 63000B0A00000041C2DD406A. Failure Reason: Linksec Failure.
 
After that error messages, PC tries to authenticate with MAB, next method available. We tested with two differents PCs and Windows versions, 10 and 11, and we got same result.
 
Switch IOS-XE version is 17.12.03. There is MKA configuration for switch-to-switch MACSec, but it use different  MKA Policy.
 
Double checked switch and it has Network Advantage licensing to enable GCM-AES-256.
 
What could be the issue?
 
Configuration in port and MKA policy
interface GigabitEthernet1/0/6
 description ***************PRUEBAS GJ DOMINIO***********
 switchport access vlan 113
 switchport mode access
 switchport voice vlan 303
 device-tracking attach-policy MERAKI_POLICY
 ip arp inspection limit rate 20
 macsec
 authentication event fail action next-method
 authentication event server dead action authorize vlan 113
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 113
 authentication event server alive action reinitialize
 authentication event linksec fail action next-method
 authentication open
 authentication linksec policy must-secure
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mka policy mka-256-macsec
 spanning-tree portfast
 spanning-tree bpduguard enable
end

CATSW-C9300-TEST#show run | sec mka
key chain mka-keys macsec
mka policy MKA-POLICY
 key-server priority 30
 macsec-cipher-suite gcm-aes-256
 sak-rekey interval 65535
mka policy mka-256-macsec !This is the MKA policy for MACSec switch-to-host
 macsec-cipher-suite gcm-aes-256
Labels:
0 Helpful
2 Replies 2

marce1000
VIP
VIP

‎08-01-2024 12:03 AM

 

 - Make sure that the client's NIC driver is up to date  , 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

raulantoniorz91
Level 1
Level 1
In response to marce1000

‎08-01-2024 06:27 PM

Hi, Yes, it's updated.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card