The Media Access Control Security (MACsec) standard is the IEEE 802.1AE standard for authenticating and encrypting packets between two MACsec-capable devices. The eEdge Integration with MACsec feature allows you to integrate the MACsec standard with enterprise edge (eEdge) devices to enhance Session Aware Networking capabilities. Session Aware Networking provides a policy and identity-based framework for edge devices to deliver flexible and scalable services to subscribers.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for eEdge Integration with MACsec
Layer 2 encryption protocols like the IEEE 802.1AE Media Access Control Security (MACsec) standard must register with the eEdge session manager to receive disconnect notifications and perform cleanup.
You must provision one virtual interface per secure association.
Restrictions for eEdge Integration with MACsec
The Media Access Control Security (MACsec) standard is supported only in single-host and multihost modes. If a link layer security policy is configured as must-secure and the host mode is not configured as a single host or a multihost, the connection is closed.
The MACsec standard is not supported in multi-authentication mode.
The MACsec standard supports the 802.1AE encryption with MACsec Key Agreement (MKA) only on downlink ports for encryption between a MACsec-capable device and host devices.
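The two host-mode restrictions above are easy to violate by accident, because the link layer security policy lives in a service template while the host mode is set on the port. The following added example (not Cisco code and not part of this module) lints an IOS-style configuration excerpt for ports whose host mode cannot run MACsec. It assumes the Session Aware Networking interface commands `access-session host-mode` and `service-policy type control subscriber`, and that a service template reaches a port only through `activate service-template` actions in the control policy bound to that port; the configuration text is constructed for the example.

```python
"""Check an IOS-style configuration against the MACsec host-mode restrictions.

Added example, not Cisco code. Assumes `access-session host-mode ...` and
`service-policy type control subscriber ...` on the interface, and that templates
reach a port only via `activate service-template` in the bound control policy.
"""
import re

# Constructed sample running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
service-template dot1x-macsec-policy
 linksec policy must-secure
service-template open-policy
 linksec policy should-secure
policy-map type control subscriber cisco-subscriber
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template dot1x-macsec-policy
policy-map type control subscriber open-subscriber
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template open-policy
interface GigabitEthernet1/0/1
 access-session host-mode single-host
 service-policy type control subscriber cisco-subscriber
interface GigabitEthernet1/0/2
 access-session host-mode multi-auth
 service-policy type control subscriber cisco-subscriber
interface GigabitEthernet1/0/3
 access-session host-mode multi-auth
 service-policy type control subscriber open-subscriber
interface GigabitEthernet1/0/4
 access-session host-mode multi-domain
 service-policy type control subscriber cisco-subscriber
"""

# Host modes in which MACsec is supported (per the restrictions above).
MACSEC_HOST_MODES = {"single-host", "multi-host"}

SECTION_STARTS = (
    ("template", re.compile(r"^service-template (\S+)$")),
    ("policy", re.compile(r"^policy-map type control subscriber (\S+)$")),
    ("interface", re.compile(r"^interface (\S+)$")),
)


def parse_config(text):
    """Return (templates, policies, interfaces) extracted from the config text.

    templates:  template name -> linksec policy keyword or None
    policies:   policy-map name -> set of activated template names
    interfaces: interface name -> {"host_mode": str|None, "policy": str|None}
    """
    templates, policies, interfaces = {}, {}, {}
    kind = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():            # top-level command starts a new section
            kind = name = None
            for section_kind, pattern in SECTION_STARTS:
                m = pattern.match(line)
                if m:
                    kind, name = section_kind, m.group(1)
                    break
            if kind == "template":
                templates[name] = None
            elif kind == "policy":
                policies.setdefault(name, set())
            elif kind == "interface":
                interfaces[name] = {"host_mode": None, "policy": None}
            continue
        if kind == "template":
            m = re.match(r"^linksec policy (must-secure|should-secure)$", line)
            if m:
                templates[name] = m.group(1)
        elif kind == "policy":
            m = re.match(r"^\d+ activate service-template (\S+)", line)
            if m:
                policies[name].add(m.group(1))
        elif kind == "interface":
            m = re.match(r"^access-session host-mode (\S+)$", line)
            if m:
                interfaces[name]["host_mode"] = m.group(1)
            m = re.match(r"^service-policy type control subscriber (\S+)$", line)
            if m:
                interfaces[name]["policy"] = m.group(1)
    return templates, policies, interfaces


def find_violations(text):
    """Return [(interface, reason)] for ports whose host mode cannot run MACsec."""
    templates, policies, interfaces = parse_config(text)
    findings = []
    for intf_name, intf in sorted(interfaces.items()):
        mode = intf["host_mode"]
        linksec = {templates.get(t) for t in policies.get(intf["policy"], ())}
        linksec.discard(None)
        if not linksec:
            continue  # no link layer security policy can reach this port
        if mode == "multi-auth":
            findings.append((intf_name, "MACsec is not supported in multi-auth host mode"))
        elif "must-secure" in linksec and mode not in MACSEC_HOST_MODES:
            findings.append((intf_name, f"must-secure needs single-host or multi-host, found {mode}"))
    return findings


if __name__ == "__main__":
    for intf_name, reason in find_violations(SAMPLE_CONFIG):
        print(f"{intf_name}: {reason}")
```

Run against the sample, the linter reports GigabitEthernet1/0/2 and 1/0/3 (multi-auth is unsupported regardless of policy) and 1/0/4 (must-secure with multi-domain closes the connection), while 1/0/1 passes. The same pass over a real `show running-config` is a cheap pre-change check before rolling a must-secure template to access ports.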
Information About eEdge Integration with MACsec
Overview of MACsec
Media Access Control Security (MACsec) is the IEEE 802.1AE standard for authenticating and encrypting packets between two MACsec-capable devices. Implementing the MACsec encryption standard enables support for the 802.1AE encryption with MACsec Key Agreement (MKA) on downlink ports for encryption between a MACsec-capable device and host devices. The MACsec-capable device also supports MACsec link layer device-to-device security by using Cisco TrustSec Network Device Admission Control (NDAC) and the Security Association Protocol (SAP) key exchange. Link layer security includes both packet authentication between devices and MACsec encryption between devices (encryption is optional).
The Media Access Control Security (MACsec) standard provides data link layer encryption over wired networks by using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) protocol provides the required session keys and manages the encryption keys. MKA and MACsec are implemented after a successful authentication by using the 802.1X Extensible Authentication Protocol (EAP) framework. Only host-facing links (links between network access devices and endpoint devices such as a PC or an IP phone) can be secured using MACsec.
A device that uses MACsec accepts either MACsec or non-MACsec frames, depending on the policy associated with the client. MACsec frames are encrypted and protected with an integrity check value (ICV). When the device receives frames from the client, it decrypts them and calculates the correct ICV by using session keys provided by MKA. The device compares the calculated value of the ICV to the ICV within the frame. If they are not identical, the frame is dropped. The device also encrypts and adds an ICV to any frame that is sent over a secured port (the access point used to provide the secure MAC service to a client) using the current session key.
The MKA protocol manages the encryption keys used by the underlying MACsec protocol. The basic requirements of MKA are defined in 802.1X-2010. The MKA protocol extends 802.1X to allow peer discovery with confirmation of mutual authentication and sharing of MACsec secret keys to protect data exchanged by peers.
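The receive-side check described above (recompute the ICV with the MKA-supplied session key, compare, drop on mismatch) is shown in the following added example, which is not part of this module and not Cisco code. IEEE 802.1AE uses the GCM-AES cipher suite for the ICV; the Python standard library has no AES-GCM, so a 16-octet truncated HMAC-SHA256 tag stands in for the ICV and payload encryption is omitted. The session key, MAC addresses and frames are constructed for the example.

```python
"""Receive-side integrity check on MACsec-style frames.

Added example, not Cisco code. A truncated HMAC-SHA256 tag stands in for the
802.1AE GCM-AES ICV (not available in the standard library); the key and the
frames are constructed for the example.
"""
import hashlib
import hmac

ICV_LEN = 16          # 802.1AE ICV length in octets
MAC_HDR_LEN = 12      # destination MAC + source MAC

# Constructed values: a session key as MKA would supply it, and two MAC addresses.
SESSION_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
DST_MAC = bytes.fromhex("0011223344aa")
SRC_MAC = bytes.fromhex("0011223344bb")


def compute_icv(session_key: bytes, protected: bytes) -> bytes:
    """Stand-in for the GCM integrity computation over the protected octets."""
    return hmac.new(session_key, protected, hashlib.sha256).digest()[:ICV_LEN]


def protect_frame(session_key: bytes, dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Sender side: append an ICV computed with the current session key."""
    protected = dst + src + payload
    return protected + compute_icv(session_key, protected)


def verify_frame(session_key: bytes, frame: bytes):
    """Receiver side: recompute the ICV and compare. Returns the payload on
    success, or None when the frame must be dropped (too short or ICV mismatch)."""
    if len(frame) < MAC_HDR_LEN + ICV_LEN:
        return None
    protected, received_icv = frame[:-ICV_LEN], frame[-ICV_LEN:]
    expected_icv = compute_icv(session_key, protected)
    # Constant-time comparison so the check does not leak how many ICV bytes matched.
    if not hmac.compare_digest(expected_icv, received_icv):
        return None
    return protected[MAC_HDR_LEN:]


def receive_frames(session_key: bytes, frames):
    """Process frames arriving on a secured port; return (accepted payloads, drop count)."""
    accepted, dropped = [], 0
    for frame in frames:
        payload = verify_frame(session_key, frame)
        if payload is None:
            dropped += 1
        else:
            accepted.append(payload)
    return accepted, dropped


def demo():
    """One good frame, one modified in transit, one under a different key, one truncated."""
    good = protect_frame(SESSION_KEY, DST_MAC, SRC_MAC, b"GET /status")
    tampered = bytearray(good)
    tampered[MAC_HDR_LEN] ^= 0x01          # flip one bit of the payload in transit
    wrong_key = protect_frame(bytes(16), DST_MAC, SRC_MAC, b"GET /status")
    return receive_frames(SESSION_KEY, [good, bytes(tampered), wrong_key, b"short"])


if __name__ == "__main__":
    accepted, dropped = demo()
    print(f"accepted={accepted} dropped={dropped}")
```

Only the untouched frame is accepted; the bit-flipped frame, the frame protected under another key and the truncated frame are all dropped, which is the behaviour a must-secure port relies on. The `hmac.compare_digest` call is the one detail worth carrying over to any real implementation: a byte-by-byte early-exit compare of the ICV would leak timing information.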
EAP Implementation of MKA
The Extensible Authentication Protocol (EAP) framework implements MKA as a newly defined EAP-over-LAN (EAPOL) packet. EAP authentication produces a master session key (MSK) that is shared by both partners in the data exchange. Entering the EAP session ID generates a secure connectivity association key name (CKN). Because the device is the authenticator, it is also the key server, generating a random 128-bit secure association key (SAK), which it sends to the client partner. The client is never a key server and can only interact with a single MKA entity, the key server. After key derivation and generation, the device sends periodic transports to the partner at a default interval of 2 seconds.
The packet body in an EAPOL Protocol Data Unit (PDU) is referred to as a MACsec Key Agreement PDU (MKPDU). MKA sessions and participants are deleted when the MKA lifetime (6 seconds) passes and no MKPDU is received from a participant. For example, if a client disconnects, the participant on the device continues to operate MKA until 6 seconds have elapsed after the last MKPDU is received from the client.
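The two timers named above (the 2-second transmit interval and the 6-second lifetime) determine how long a disconnected client's participant lingers on the device. The following added example (not Cisco code and not the full 802.1X-2010 MKA state machine, which it does not attempt to model) tracks participants by the time of their last MKPDU and replays the disconnect scenario from the paragraph; the clock is passed in explicitly so the behaviour can be stepped without waiting.

```python
"""MKA participant liveness timers: MKPDU every 2 s, participant deleted after 6 s
of silence.

Added example, not Cisco code; it models only these two timers. Time is injected
so the logic can be stepped deterministically.
"""
MKA_HELLO_TIME = 2.0   # seconds between MKPDU transmissions (default in the text)
MKA_LIFE_TIME = 6.0    # seconds of silence after which a participant is deleted


class MkaParticipantTable:
    """Tracks the live peers of one MKA instance on a secured port."""

    def __init__(self):
        self._last_rx = {}     # peer id -> time the last MKPDU was received
        self._last_tx = None   # time we last transmitted an MKPDU

    def mkpdu_received(self, peer, now):
        """Record a valid MKPDU from `peer`; this (re)creates the participant."""
        self._last_rx[peer] = now

    def tick(self, now):
        """Advance the clock to `now`.

        Returns (peers deleted at this tick, whether an MKPDU is transmitted now).
        """
        expired = sorted(p for p, t in self._last_rx.items() if now - t >= MKA_LIFE_TIME)
        for peer in expired:
            del self._last_rx[peer]
        transmit_now = self._last_tx is None or now - self._last_tx >= MKA_HELLO_TIME
        if transmit_now:
            self._last_tx = now
        return expired, transmit_now

    def live_peers(self):
        return sorted(self._last_rx)


def simulate_disconnect(disconnect_at=10.0, end=30.0):
    """A client answers each device MKPDU until it disconnects at `disconnect_at`.

    Returns (time of the client's last MKPDU, time the device deletes the participant).
    """
    table = MkaParticipantTable()
    last_client_tx = None
    now = 0.0
    while now <= end:
        deleted, transmit_now = table.tick(now)
        if "client" in deleted:
            return last_client_tx, now
        if transmit_now and now < disconnect_at:
            # Client is still attached: it replies to the device's MKPDU.
            table.mkpdu_received("client", now)
            last_client_tx = now
        now += 1.0
    return last_client_tx, None


if __name__ == "__main__":
    last_rx, deleted_at = simulate_disconnect()
    print(f"last MKPDU from client at t={last_rx}s, participant deleted at t={deleted_at}s")
```

With the client's last MKPDU at t=8 s and the disconnect at t=10 s, the participant is deleted at t=14 s: the lifetime counts from the last MKPDU received, not from the moment the link went away, which is what an operator sees when a session lingers a few seconds after a host unplugs.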
Integrating eEdge with MACsec
In enterprise edge (eEdge) devices the encryption protocol is implemented as a session manager client and an Enterprise Policy Manager (EPM) plugin.
When you implement the EPM plugin and the session manager client, the data link layer security is implemented as an EPM feature, which returns an asynchronous result to EPM when authentication is successful.
When the data link layer security user profile is applied and sessions are configured as either must-secure or should-secure using the linksec policy {must-secure | should-secure} command, the MACsec Key Agreement (MKA) processing starts.
The Media Access Control Security (MACsec) encryption standard is a data link layer security protocol. On eEdge devices, you must explicitly configure the protocol within a service template and an associated policy action.
The eEdge Integration with MACsec feature enables integrating the MACsec standard on a device using a service template.
How to Configure eEdge Integration with MACsec
Integrating eEdge with MACsec
Perform this task to apply a link layer security policy to subscriber sessions through a service template and a control policy.
Step 1
enable
Example:
Device> enable
Enables privileged EXEC mode. Enter your password if prompted.
Step 2
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.
Step 3
service-template template-name
Example:
Device(config)# service-template dot1x-macsec-policy
Creates a service template and enters service template configuration mode.
Step 4
linksec policy {must-secure | should-secure}
Example:
Device(config-service-template)# linksec policy must-secure
Configures the link layer security policy for sessions that use this template. MKA processing starts when the policy is applied to a session.
Step 5
exit
Example:
Device(config-service-template)# exit
Exits service template configuration mode and enters global configuration mode.
Step 6
policy-map type control subscriber control-policy-name
Example:
Device(config)# policy-map type control subscriber cisco-subscriber
Defines a control policy for subscriber sessions and enters control policy-map event configuration mode.
Step 7
event authentication-success match-all
Example:
Device(config-event-control-policymap)# event authentication-success match-all
Specifies the type of event that triggers actions in a control policy if all authentication events are a match and enters control policy-map class configuration mode.
Step 8
class-number class always do-until-failure
Example:
Device(config-class-control-policymap)# 10 class always do-until-failure
Specifies that the control class should execute the actions in a control policy, in the specified order, until one of the actions fails, and enters control policy-map action configuration mode.
Step 9
action-number activate {policy type control subscriber control-policy-name | service-template template-name [aaa-list list-name] [precedence number] [replace-all]}
Example:
Device(config-action-control-policymap)# 10 activate service-template dot1x-macsec-policy
Activates a control policy or service template on a subscriber session. Here it activates the service template that carries the link layer security policy.
Step 10
end
Example:
Device(config-action-control-policymap)# end
Exits control policy-map action configuration mode and enters privileged EXEC mode.
Identifying Linksec Failures
Perform this task to define a control class that matches link layer security failures and to reference it from a control policy.
Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.
Step 2
class-map type control subscriber match-all control-class-name
Example:
Device(config)# class-map type control subscriber match-all linksec-failed
Creates a control class, which defines the conditions under which the actions of a control policy are executed, and enters control class-map filter configuration mode.
Step 3
match authorization-failure linksec-failed
Example:
Device(config-filter-control-classmap)# match authorization-failure linksec-failed
Configures a match condition in a control class based on the type of authorization failure received; linksec-failed matches an authorization failed event caused by a link layer security failure.
Step 4
exit
Example:
Device(config-filter-control-classmap)# exit
Exits control class-map filter configuration mode and enters global configuration mode.
Step 5
policy-map type control subscriber control-policy-name
Example:
Device(config)# policy-map type control subscriber cisco-subscriber
Defines a control policy for subscriber sessions and enters control policy-map event configuration mode.
Step 6
event authentication-failure match-all
Example:
Device(config-event-control-policymap)# event authentication-failure match-all
Specifies the type of event that triggers actions in a control policy if session authentication fails and enters control policy-map class configuration mode.
Step 7
class-number class control-class-name do-until-failure
Example:
Device(config-class-control-policymap)# 10 class linksec-failed do-until-failure
Specifies that the control class must execute the actions in a control policy, in the specified order, until one of the actions fails, and enters control policy-map action configuration mode.
Step 8
end
Example:
Device(config-action-control-policymap)# end
Exits control policy-map action configuration mode and enters privileged EXEC mode.
Configuration Examples for eEdge Integration with MACsec
Example: Integrating eEdge with MACsec
Device> enable
Device# configure terminal
Device(config)# service-template dot1x-macsec-policy
Device(config-service-template)# linksec policy must-secure
Device(config-service-template)# exit
Device(config)# policy-map type control subscriber cisco-subscriber
Device(config-event-control-policymap)# event authentication-success match-all
Device(config-class-control-policymap)# 10 class always do-until-failure
Device(config-action-control-policymap)# 10 activate service-template dot1x-macsec-policy
Device(config-action-control-policymap)# end
Example: Identifying Linksec Failures
Device# configure terminal
Device(config)# class-map type control subscriber match-all linksec-failed
Device(config-filter-control-classmap)# match authorization-failure linksec-failed
Device(config-filter-control-classmap)# exit
Device(config)# policy-map type control subscriber cisco-subscriber
Device(config-event-control-policymap)# event authentication-failure match-all
Device(config-class-control-policymap)# 10 class linksec-failed do-until-failure
Device(config-action-control-policymap)# end
Additional References for eEdge Integration with MACsec
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Feature Information for eEdge Integration with MACsec
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1 Feature Information for eEdge Integration with MACsec
Feature Name: eEdge Integration with MACsec
Releases: Cisco IOS Release 15.2(1)E
Feature Information: The eEdge Integration with MACsec feature allows you to integrate the MACsec standard with enterprise edge (eEdge) devices to enhance Session Aware Networking capabilities. The following commands were introduced or modified: linksec policy, match authorization-failure.