11-28-2019 05:23 AM
Hello,
We are proposing to use MACsec as a layer 2 security protocol. For that, we want to use a couple of Cisco 3560CX switches and two PCs with MACsec capabilities.
Is it possible to use MACsec in pre-shared key mode between the PC and the switch?
As per the IOS manual it should be, but I'm just wondering if someone has already implemented or deployed something similar. The point is to get rid of the 802.1X requirement.
Architecture would be something like this.
PC <-> SW <-> SW <-> PC
11-28-2019 10:31 AM
Hi,
I have never deployed macsec but it appears that you still need dot1x with Pre Shared key for authentication.
MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks by using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the required encryption keys. MKA and MACsec are implemented after successful authentication using the 802.1x Extensible Authentication Protocol (EAP-TLS) or Pre Shared Key (PSK) framework.
HTH
12-01-2019 10:32 PM
12-11-2019 01:48 PM
Hi.
Dunno if this is exactly what you are asking for. I'm looking into trying out MACsec switch to switch with just minimal stuff, preferably no CA or ISE.
I tried configuring only the MSK and nothing happened, then applied different keys on both ends and configured it without any AAA.
Link stays up, pinging SVI through trunk.
Following the configuration guide that is quite limited in specific details.
switch 3850 16.6.6 <-> switch 3650 16.6.5
The CTS manual (Cisco TrustSec) is way more straightforward, though.
I have never heard of "switch to switch dot1x psk", gotta look that up if that even exist?
12-12-2019 05:42 AM
After some more testing I did get it to work as intended. Just configure everything in the right order.
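As an added illustration of the "right order" mentioned above (this is not the poster's configuration, and it is not taken from any Cisco guide), below is a minimal IOS-XE switch-to-switch MACsec configuration using MKA with a pre-shared CAK and no AAA, CA or ISE. The key chain and MKA policy are defined first, then bound to the uplink. The key name (CKN) `01`, the CAK value, the policy and key chain names, and the interface `GigabitEthernet1/0/1` are all assumptions chosen for the example; the CAK shown is a constructed placeholder, not a real key.

```cisco
! --- Step 1: MACsec key chain holding the pre-shared CAK (same on both switches) ---
! "key 01" is the CKN (hex); the key-string is the CAK (32 hex chars for aes-128-cmac).
! Both values below are constructed placeholders for this example.
key chain MKA-KEYCHAIN macsec
 key 01
  cryptographic-algorithm aes-128-cmac
  key-string 11223344556677889900aabbccddeeff
!
! --- Step 2: MKA policy (the mismatch in the thread came from doing this per side differently) ---
! Key-server priority decides which peer distributes the SAK; lower wins, so give the
! two switches different values. Confidentiality offset 0 encrypts the whole frame.
mka policy MKA-POLICY
 key-server priority 10
 macsec-cipher-suite gcm-aes-128
 confidentiality-offset 0
!
! --- Step 3: bind policy and key chain to the trunk, then enable the MACsec link ---
! Applying "mka pre-shared-key" before the chain and policy exist fails silently,
! which matches the "nothing happened" behaviour described in the thread.
interface GigabitEthernet1/0/1
 description MACsec uplink to peer switch (assumed interface)
 switchport mode trunk
 mka policy MKA-POLICY
 mka pre-shared-key key-chain MKA-KEYCHAIN
 macsec network-link
!
! --- Verification on either side after the link comes up ---
! show mka sessions            -> expect one session in "Secured" state with the peer's MAC
! show macsec interface GigabitEthernet1/0/1   -> confirms cipher suite and Tx/Rx SCs
! show mka statistics          -> MKPDU counters should increment; "SAK Rekey" stays 0 if keys match
```

Two things worth checking on the defender side: the CAK is stored in the running configuration, so treat the config backup like key material and use `key-string` with an encrypted type where the platform supports it, and repeat `show mka sessions` on both switches, because a link that stays up with traffic passing (as in the thread) does not by itself prove frames are being encrypted.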