ablandao1
Beginner

macsec test

Hello,

We are proposing to use MACsec as a layer 2 security protocol. For that, we want to use a couple of Cisco 3560CX switches and two PCs with MACsec capabilities.

Is it possible to use MACsec in pre-shared key mode between the PC and the switch?

As per the IOS manual it should be, but I'm just wondering if someone has already implemented or deployed something similar. The point is to get rid of the need for 802.1X.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960cx_3650cx/software/release/15-2_7_e/configuration_guide/b_1527e_consolidated_3560cx_2960cx_cg/b_1527e_consolidated_3560cx_2960cx_cg_chapter_01000100.html

The architecture would be something like this:

PC <-> SW <-> SW <-> PC

4 REPLIES
Reza Sharifi
Hall of Fame Expert

Hi,

I have never deployed macsec but it appears that you still need dot1x with Pre Shared key for authentication.

MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks by using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the required encryption keys. MKA and MACsec are implemented after successful authentication using the 802.1x Extensible Authentication Protocol (EAP-TLS) or Pre Shared Key (PSK) framework.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960cx_3650cx/software/release/15-2_7_e/configuration_guide/b_1527e_consolidated_3560cx_2960cx_cg/b_1527e_consolidated_3560cx_2960cx_cg_chapter_01000100.html

HTH

Thanks for the reply.

However, in the first paragraph it states, as you remarked: "MKA and MACsec are implemented after successful authentication using the 802.1x Extensible Authentication Protocol (EAP-TLS) *OR* Pre Shared Key (PSK) framework." So I don't think you have to use 802.1X as the authentication method; it looks like it's just an option. What would happen if you connect a device that has no user and password?

That's the reason I asked within the forum, as I'm wondering if someone has successfully configured it.

Hi.

Dunno if this is exactly what you are asking for. I'm looking into trying out MACsec switch to switch with just the minimal stuff, preferably no CA or ISE.

I tried configuring only MSK and nothing happened, then applied different keys on both ends and configured it without any AAA.

Link stays up, pinging SVI through trunk.

Following the configuration guide, which is quite limited in specific details.

switch 3850 16.6.6 <-> switch 3650 16.6.5

The CTS manual (Cisco TrustSec) is way more straightforward though.

I have never heard of "switch to switch dot1x psk"; gotta look that up, if that even exists?

After some more testing I did get it to work as intended. Just configure everything in the right order.
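For the PSK setup asked about at the top of the thread and the "right order" the last reply refers to, here is an added example of matched MKA pre-shared-key configuration for both ends of a link; it is not taken from the posts above or from the Cisco guide. It assumes the switch-side command syntax of IOS/IOS-XE MKA (to be checked against the linked guide for the exact 3560-CX release), a PC running Linux with wpa_supplicant built with the macsec_linux driver, and interface names and CAK/CKN values that are constructed placeholders.

```text
! ---- Switch side (Cisco IOS / IOS-XE; assumed syntax, verify against the linked guide) ----
! Step 1: key chain holding the MKA pre-shared key.
!   "key <id>"   is the CKN (Connectivity Association Key Name), hex
!   "key-string" is the CAK, 32 hex chars (16 bytes) for aes-128-cmac
!   Both values below are constructed placeholders, not a real key.
key chain MKA-KC macsec
 key 0102030405060708090a0b0c0d0e0f10
  cryptographic-algorithm aes-128-cmac
  key-string 00112233445566778899aabbccddeeff
  lifetime local 00:00:00 Jan 1 2020 infinite
!
! Step 2: MKA policy fixing the cipher suite (the peer must support the same one).
mka policy MKA-PSK
 macsec-cipher-suite gcm-aes-128
!
! Step 3: apply to the port facing the MACsec peer. A switch uplink is the case the
! last reply confirms; a PC running an MKA supplicant uses the same key material.
! No dot1x or AAA is configured on the port.
interface GigabitEthernet1/0/1
 macsec network-link
 mka policy MKA-PSK
 mka pre-shared-key key-chain MKA-KC

# ---- PC side (Linux, wpa_supplicant with the macsec_linux driver; assumed) ----
# File: /etc/wpa_supplicant/macsec.conf   (constructed example)
# Start with: wpa_supplicant -i eth0 -Dmacsec_linux -c /etc/wpa_supplicant/macsec.conf
ctrl_interface=/var/run/wpa_supplicant
# MKA is carried in EAPOL version 3 frames
eapol_version=3
# wired link, no scanning
ap_scan=0
network={
    # no 802.1X/EAP exchange; MKA authenticates the peer with the PSK only
    key_mgmt=NONE
    eapol_flags=0
    # 1 = MACsec required: the port stays unprotected-traffic-free if MKA fails
    macsec_policy=1
    # 0 = confidentiality and integrity, matching gcm-aes-128 on the switch
    macsec_integ_only=0
    # CKN and CAK must be byte-for-byte identical to the switch key chain above
    mka_ckn=0102030405060708090a0b0c0d0e0f10
    mka_cak=00112233445566778899aabbccddeeff
}
```

A mismatched CAK, CKN or cipher suite on either end leaves the link up but without a secured session, which is the symptom the third reply describes. Check with `show mka sessions` on the switch and `ip macsec show` on the Linux PC.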