This document describes how to configure MACsec encryption on an endpoint that uses Secure Client 5 as the supplicant.
Cisco recommends that you have knowledge of these topics:
Identity Services Engine
802.1X and RADIUS
MACsec MKA encryption
Secure Client version 5 (formerly known as AnyConnect)
The information in this document is based on these software and hardware versions:
Identity Services Engine (ISE) version 3.3
Catalyst 9300 version 17.06.05
Cisco Secure Client 5.0.4032
MACsec (Media Access Control Security) is a network security standard that provides encryption and integrity protection for Ethernet frames at layer 2 of the OSI model (Data Link). It is defined by the IEEE as standard 802.1AE.
MACsec supplies this encryption on a point-to-point connection, which can be switch-to-switch or switch-to-host; hence the coverage of this standard is limited to wired connections.
The standard encrypts the entire frame except for the Source and Destination MAC addresses of the frames transmitted over a layer 2 connection.
The MACsec Key Agreement (MKA) protocol is the mechanism by which MACsec peers negotiate the security keys needed to secure the link.
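To make the frame layout concrete, here is an added example (not code from the original page or from Cisco) that parses the clear-text header of an 802.1AE frame: the destination and source MACs and the SecTAG (EtherType 0x88E5, TCI/AN, SL, PN and the optional SCI) stay in the clear, while the user data is encrypted and followed by the ICV. The sample frame is constructed; it reuses the switch and host MAC addresses that appear in the debug output later in this document, and its payload and ICV are placeholders.

```python
"""Parse the clear-text header of an IEEE 802.1AE (MACsec) frame.

Added example, not code from the original page or from Cisco. It shows which
fields stay in the clear (destination MAC, source MAC, SecTAG) and which are
protected (secure data, ICV), and renders the SCI as the IOS XE MKA debugs
print it (MAC + 16-bit port identifier, e.g. AC7A.5646.4D01/0002).
"""
import struct

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16  # GCM-AES-128 and GCM-AES-256 both produce a 16-byte ICV


def sci_ios_style(sci: bytes) -> str:
    """Render an 8-byte SCI as dotted MAC / port ID, like 'show mka session'."""
    mac = sci[:6].hex().upper()
    port_id = struct.unpack("!H", sci[6:8])[0]
    return f"{mac[0:4]}.{mac[4:8]}.{mac[8:12]}/{port_id:04X}"


def parse_macsec_frame(frame: bytes) -> dict:
    """Split a MACsec frame into clear header fields, secure data and ICV."""
    if len(frame) < 14 + 6 + ICV_LEN:
        raise ValueError("frame too short to carry a SecTAG and an ICV")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError(f"not a MACsec frame (EtherType 0x{ethertype:04X})")
    tci_an, short_len = frame[14], frame[15]
    pn = struct.unpack("!I", frame[16:20])[0]
    # TCI/AN octet: V(7) ES(6) SC(5) SCB(4) E(3) C(2) AN(1..0)
    sc_present = bool(tci_an & 0x20)
    e_bit, c_bit = bool(tci_an & 0x08), bool(tci_an & 0x04)
    offset = 28 if sc_present else 20
    sci = frame[20:28] if sc_present else None
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "version": tci_an >> 7,
        "an": tci_an & 0x03,
        "pn": pn,
        "short_length": short_len,  # 0 when the user data is 48 bytes or more
        "sci": sci_ios_style(sci) if sci else None,
        # With the GCM-AES cipher suites E=C=1 means the user data is
        # encrypted, E=C=0 means integrity only; the SecTAG is never encrypted.
        "confidentiality": e_bit and c_bit,
        "integrity_only": not e_bit and not c_bit,
        "secure_data_len": len(frame) - offset - ICV_LEN,
        "icv": frame[-ICV_LEN:].hex(),
    }


def build_sample_frame() -> bytes:
    """Constructed sample: switch AC7A.5646.4D01 port 2 -> host, AN 0, PN 1.

    The MAC addresses are the ones in the debug output of this document; the
    secure data and ICV are placeholders, not real GCM output.
    """
    dst = bytes.fromhex("bc4a5602ac25")      # host (Secure Client) MAC
    src = bytes.fromhex("ac7a56464d01")      # switch MAC
    tci_an = 0x2C                            # SC=1, E=1, C=1, AN=0
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, 0, 1)
    sci = src + struct.pack("!H", 2)         # SCI = MAC || port identifier 0002
    return dst + src + sectag + sci + bytes(48) + bytes(range(16))


if __name__ == "__main__":
    for field, value in parse_macsec_frame(build_sample_frame()).items():
        print(f"{field:>16}: {value}")
```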
Note: This document assumes that you already have a working set of rules configured for RADIUS authentication of the PCs and the Cisco IP phone. To set up a configuration from scratch, refer to the ISE Secure Wired Access Prescriptive Deployment Guide to review the configuration on Identity Services Engine and the switch for Identity-Based Network Access.
The first task is to configure the authorization profiles that are applied to both PCs shown in the preceding diagram (as well as to the Cisco IP Phone).
In this hypothetical scenario, the PCs use 802.1X as the authentication method and the Cisco IP Phone uses MAC Authentication Bypass (MAB).
ISE communicates to the switch, over the RADIUS protocol, the attributes that the switch needs to enforce on the interface to which the endpoint is connected, within a RADIUS session.
For MACsec encryption on hosts, the required attribute is cisco-av-pair = linksec-policy, which has these 3 possible values:
Should-not-Secure: The switch does not perform MKA encryption on the interface where the RADIUS session is established.
Must-Secure: The switch enforces encryption of the traffic linked to the RADIUS session. If the MKA session fails or times out, the connection is treated as an authorization failure and the MKA session establishment is retried.
Should-Secure: The switch attempts MKA encryption. If the MKA session linked to the RADIUS session succeeds, the traffic is encrypted; if MKA fails or times out, the switch allows the unencrypted traffic linked to that RADIUS session.
Step 1. As explained above, on both PCs you can enforce a should-secure MKA policy, which keeps flexibility in case a machine with no MKA capabilities connects to interface Ten 1/0/1.
Optionally, you can configure a policy for PC2 that enforces must-secure.
In this example, configure the policy for the PCs in Policy > Policy Elements > Results > Authorization Profiles, then +Add a profile or Edit an existing one.
Step 2. Complete or customize the fields required for the profile.
Ensure that in Common Tasks you have selected MACSec Policy and the corresponding policy to apply.
Scroll down and Save the configuration.
Step 3. Assign the corresponding authorization profile to the authorization rules that are hit by the devices.
This action needs to be done in Policy > Policy Sets > (Select Policy Set assigned) > Authorization Policy.
Associate the authorization rule with the authorization profile that carries the MACsec settings. Scroll down and Save your configuration.
Step 1. Configure a new MKA policy as this example suggests:
!
mka policy MKA_PC
key-server priority 0
no delay-protection
macsec-cipher-suite gcm-aes-128
confidentiality-offset 0
sak-rekey on-live-peer-loss
sak-rekey interval 0
no send-secure-announcements
no include-icv-indicator
no use-updated-eth-header
no ssci-based-on-sci
!
Step 2. Enable MACsec encryption in the interface where the PCs are connected.
!
interface TenGigabitEthernet1/0/1
macsec
mka policy MKA_PC
!
Note: For further information on the commands and options of the MKA configuration, review the Security Configuration Guide corresponding to the switch version you use. For this example, that is the Security Configuration Guide, Cisco IOS XE Bengaluru 17.6.x (Catalyst 9300 Switches).
Step 1. Download the Profile Editor that matches the version of Secure Client you use from the Cisco download website.
Once you have installed this program on your computer, open the Cisco Secure Client Profile Editor – Network Access Manager.
Step 2. Select the option File > Open.
Step 3. Select the folder named system, as shown in this image, and open the file named configuration.xml inside it.
Step 4. Once the file has been loaded by the Profile Editor, select the option Authentication Policy and ensure that the option for 802.1X with MACsec is enabled.
Step 5. Proceed to the Networks section. Here you can Add a new profile for a wired connection or Edit the default wired profile that is installed with Secure Client 5.0.
In this scenario, we edit the existing wired profile.
Step 6. Configure the profile. In the Security Level section, set Key Management to MKA with AES GCM 128 encryption.
Adjust the other parameters for 802.1X authentication and policies as well.
Step 7. Configure the remaining sections concerning Connection Type, User Auth and Credentials.
Those sections vary depending on the authentication settings that you select in the Security Level section.
When you finish the configuration, select Done.
For this scenario we are using Protected Extensible Authentication Protocol (PEAP) with user credentials.
Step 8. Navigate to the File menu and select Save as.
Name the file configuration.xml and save it in a folder other than ProgramData\Cisco\Cisco Secure Client\Network Access Manager\system.
In this example the file was saved in the Documents folder. Save the profile.
Step 9. Go to the location where you saved the profile, copy the file, and replace the file contained in the folder ProgramData\Cisco\Cisco Secure Client\Network Access Manager\system.
Select the Replace the file in the destination option.
Step 10. To load the modified profile in Secure Client 5.0, right-click the Secure Client icon located in the lower-right taskbar of your Windows machine.
Perform a Network Repair.
Note: All networks configured through the Profile Editor have Administrator Network privileges, hence users are not able to customize or change the content that you configured with this tool.
Step 1. As an alternative to the MKA setup using the Profile Editor, you can add networks without this tool.
From the Secure Client suite, select the gear icon.
Step 2. In the new window, select the option Network.
In the Configuration section, select Add to enter an MKA-capable network with User Network privileges.
Step 3. In the new configuration window, set up the characteristics of your connection and name the network.
When finished select the OK button.
In ISE, once this flow is configured, you see the device being authenticated and authorized in the Live Logs.
Open the Details of the authentication and go to the Result section.
The attributes set in the authorization profile are sent to the Network Access Device (NAD), and one Essentials license is consumed.
These commands can be used to validate the proper functionality of this solution.
switch1#show mka policy
switch1#show mka session
switch1#show authentication session interface <interface_ID> detail
The authentication succeeds with the profile that you created with MACsec encryption. If you click the gear icon, more information is displayed.
In the Secure Client menu shown here, under Network Access Manager > Statistics, you can see the Encryption and the corresponding MACsec configuration.
The counts of frames received and sent increase as encryption is performed at layer 2.
Note: This section covers troubleshooting of the MKA problems that can emerge. If you face an authentication or authorization failure, refer to ISE Secure Wired Access Prescriptive Deployment Guide - Troubleshooting to investigate further, as this guide assumes that authentications work fine without MACsec encryption.
This example displays how the packets are seen while the information between the host and the switch is encrypted:
In the DART bundle, useful information about the 802.1X authentication and the MKA session is found in the log named NetworkAccessManager.txt.
This information is displayed for a successful authentication with MKA encryption.
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: PORT (1) net: RECV (status: UP, AUTO) (portMsg.c 709)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: 8021X (2) RECEIVED SUCCESS (dot1x_util.c 326)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: STATE (2) current state = AUTHENTICATING (dot1x_sm.c 323)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: STATE (2) S_enterStateAux called with state = AUTHENTICATING (dot1x_sm.c 142)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: STATE (2) staying in 802.1x state: AUTHENTICATING (dot1x_sm.c 146)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: 8021X (2) smTimer: sec=30 (dot1x_util.c 454)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: STATE (2) eap_type<0>, lengths<4,1496> (dot1x_proto.c 90)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: 8021X (2) smTimer: paused (dot1x_util.c 484)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: EAP (0) Received EAP-Success. (eap_auth_client.c 835)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: EAP (0) tlsAuthOnAuthEnd: clear TLS session (eap_auth_tls_c.c 265)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: EAP (0) tlsAuthOnAuthEnd: successful authentication, save pointer for TLS session used (eap_auth_tls_c.c 273)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: EAP (3) new credential list saved (eapRequest.c 1485)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: EAP (3) EAP status: AC_EAP_STATUS_EAP_SUCCESS (eapMessage.c 79)
%csc_nam-7-DEBUG_MSG: %[tid=9028]: EAP-CB: EAP status notification: session-id=1, handle=04B2DD44, status=AC_EAP_STATUS_EAP_SUCCESS
%csc_nam-7-DEBUG_MSG: %[tid=9028]: EAP-CB: sending EapStatusEvent...
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: PORT (2) EAP response received. <len:400> <res:2> (dot1x_proto.c 136)
%csc_nam-7-DEBUG_MSG: %[tid=2716]: EAP: ...received EapStatusEvent: session-id=1, EAP handle=04B2DD44, status=AC_EAP_STATUS_EAP_SUCCESS
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: 8021X (2) smTimer: activated (dot1x_util.c 503)
%csc_nam-6-INFO_MSG: %[tid=2716]: EAP: Eap status AC_EAP_STATUS_EAP_SUCCESS.
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: STATE (2) current state = AUTHENTICATING (dot1x_sm.c 323)
%csc_nam-7-DEBUG_MSG: %[tid=2716]: EAP: processing EapStatusEvent in the subscriber
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: STATE (2) dot1x->eapSuccess is True (dot1x_sm.c 352)
%csc_nam-7-DEBUG_MSG: %[tid=2716]: Auth[wired:user-auth]: Enabling fast reauthentication
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: STATE (2) SUCCESS (dot1x_sm.c 358)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: STATE (2) S_enterStateAux called with state = AUTHENTICATED (dot1x_sm.c 142)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: STATE (2) S_enterStateAux calling sm8Event8021x due to auth success (dot1x_sm.c 207)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: 8021X (2) smTimer: disabled (dot1x_util.c 460)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: MKA (0) NASP: dot1xAuthSuccessEvt naspStopEapolAnnouncement (dot1x_main.c 679)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: NASP (0) >> NASP: naspStopEapolAnnouncement (nasp.c 900)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: NASP (0) << NASP: naspStopEapolAnnouncement. err = 0 (nasp.c 910)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: 8021X (2) dot1x->config.useMka = 1 (dot1x_main.c 829)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: INF (2) >> MKA: StartSession (mka.c 511)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: MKA (2) MKA: bUseMka = 1, bUseMacSec = 1706033334, MacsecSupportedCiphersMask = 0x498073ad, ePortSecurePolicy = 0 mkaKeyServerWaitTime = 0 (mka.c 514)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: MKA (2) >> MKA: InitializeContext (mka.c 1247)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: INF (2) MKA: Changing state to Unconnected (mka.c 1867)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: INF (2) MKA: Changing Sak State to Idle (mka.c 1271)
%csc_nam-7-DEBUG_MSG: %[tid=2716]: Auth[wired:user-auth]: Fast reauthentication enabled on authentication success
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: MKA (2) << MKA: InitializeContext (mka.c 1293)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: MKA (2) MKA: Changing state to Need Server (mka.c 1871)
%csc_nam-7-DEBUG_MSG: %[tid=2716]: Auth[wired:user-auth]: Sending NOTIFICATION__SUCCESS to subscribers
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: INF (2) >> MKA: CreateKeySet (mka.c 924)
%csc_nam-7-DEBUG_MSG: %[tid=2716]: Network auth request NOTIFICATION__SUCCESS
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: NASP (0) >> NASP: naspGetNetCipherSuite (nasp.c 569)
%csc_nam-6-INFO_MSG: %[tid=9028][comp=SAE]: MKA (2) MKA: Key length is 16 bytes (mka.c 954)
%csc_nam-7-DEBUG_MSG: %[tid=2716]: Auth[wired:user-auth]: Finishing authentication
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: MKA (2) MKA: MyMac (mka.c 971)
%csc_nam-7-DEBUG_MSG: %[tid=2716]: Auth[wired:user-auth]: Authentication finished
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: API (1) event: STATUS - AC_PORT_STATUS_EAP_SUCCESS (portWorkList.c 70)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: API (1) event: complete (portWorkList.c 130)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: API (1) event: STATUS - AC_PORT_STATUS_MKA_UNCONNECTED (portWorkList.c 70)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: API (1) event: complete (portWorkList.c 130)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: API (1) event: STATUS - AC_PORT_STATUS_MKA_NEED_SERVER (portWorkList.c 70)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: API (1) event: complete (portWorkList.c 130)
%csc_nam-7-DEBUG_MSG: %[tid=8140][comp=SAE]: NET (0) SscfCallback(1): SSCF_NOTIFICATION_CODE_SEND_PACKET_COMPLETE sendId(74476) (cimdIo.cpp 4766)
%csc_nam-7-DEBUG_MSG: %[tid=8140][comp=SAE]: NET (0) CIMD Event: evtSeq#=0 msg=4 ifIndex=1 len=36 (cimdEvt.c 622)
%csc_nam-7-DEBUG_MSG: %[tid=8140][comp=SAE]: NET (1) cdiEvt:(3,0) dataLen=4 (cimdEvt.c 358)
%csc_nam-7-DEBUG_MSG: %[tid=8140][comp=SAE]: NET (1) cdiEvt:(3,1) dataLen=102 (cimdEvt.c 358)
%csc_nam-7-DEBUG_MSG: %[tid=8140][comp=SAE]: NET (1) netEvent(1): Recv queued (netEvents.c 91)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: PORT (1) net: RECV (status: UP, AUTO) (portMsg.c 709)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: MKA (2) >> MKA: EapolInput (mka.c 125)
%csc_nam-7-DEBUG_MSG: %[tid=9028][comp=SAE]: MKA (2) MKA: MKPDU In (mka.c 131)
These commands can be used on the Network Access Device (NAD) to review the MKA encryption between the platform and the supplicant.
For further information on the commands, review the configuration guide corresponding to the platform used as NAD.
#show authentication session interface <interface_ID> detail
#show mka summary
#show mka policy
#show mka session interface <interface_ID> detail
#show macsec summary
#show macsec interface <interface_ID>
#debug mka events
#debug mka errors
#debug macsec event
#debug macsec error
These are the debugs of one successful MKA connection to a host. You can use them as a reference for how a session comes up:
%LINK-3-UPDOWN: Interface TenGigabitEthernet1/0/1, changed state to down
Macsec interface TenGigabitEthernet1/0/1 is UP
MKA-EVENT: Create session event: derived CKN 9F0DC198A9728FB3DA198711B58570E4, len 16
MKA-EVENT EC000025: SESSION START request received...
NGWC-MACSec: pd get port capability is invoked
MKA-EVENT: New MKA Session on Interface TenGigabitEthernet1/0/1 with Physical Port Number 9 is using the "MKA_PC" MKA Policy, and has MACsec Capability "MACsec Integrity, Confidentiality, & Offset" with Local MAC ac7a.5646.4d01, Peer MAC bc4a.5602.ac25.
MKA-EVENT: New VP with SCI AC7A.5646.4D01/0002 on interface TenGigabitEthernet1/0/1
MKA-EVENT: Created New CA 0x80007F30A6B46F20 Participant on interface TenGigabitEthernet1/0/1 with SCI AC7A.5646.4D01/0002 for Peer MAC bc4a.5602.ac25.
%MKA-5-SESSION_START: (Te1/0/1 : 2) MKA Session started for RxSCI bc4a.5602.ac25/0000, AuditSessionID C5AA580A00000046CE64E059, AuthMgr-Handle EC000025
MKA-EVENT: Started a new MKA Session on interface TenGigabitEthernet1/0/1 for Peer MAC bc4a.5602.ac25 with SCI AC7A.5646.4D01/0002 successfully.
MKA-EVENT bc4a.5602.ac25/0000 EC000025: FSM (Init MKA Session) - Successfully derived CAK.
MKA-EVENT bc4a.5602.ac25/0000 EC000025: Successfully initialized a new MKA Session (i.e. CA entry) on interface TenGigabitEthernet1/0/1 with SCI AC7A.5646.4D01/0002 and CKN 9F0DC198...
MKA-EVENT bc4a.5602.ac25/0000 EC000025: FSM (Derive KEK/ICK) - Successfully derived KEK...
MKA-EVENT bc4a.5602.ac25/0000 EC000025: FSM (Derive KEK/ICK) - Successfully derived ICK...
MKA-EVENT bc4a.5602.ac25/0000 EC000025: New Live Peer detected, No potential peer so generate the first SAK.
MKA-EVENT bc4a.5602.ac25/0000 EC000025: >> FSM - Generate SAK for CA with CKN 9F0DC198 (Latest AN=0, Old AN=0)...
MKA-EVENT bc4a.5602.ac25/0000 EC000025: Generation of new Latest SAK succeeded (Latest AN=0, KN=1)...
MKA-EVENT bc4a.5602.ac25/0000 EC000025: >> FSM - Install RxSA for CA with CKN 9F0DC198 on VP with SCI AC7A.5646.4D01/0002 (Latest AN=0)...
MKA-EVENT bc4a.5602.ac25/0000 EC000025: Clean up the Rx for dormant peers
MACSec-IPC: send_xable send msg success for switch=1
MACSec-IPC: blocking enable disable ipc req
MACSec-IPC: watched boolean waken up
MACSec-IPC: geting switch number
MACSec-IPC: switch number is 1
MACSec-IPC: create_tx_sc send msg success
Send create_tx_sc to IOMD successfully
alloc_cache called TxSCI: AC7A56464D010002 RxSCI: BC4A5602AC250000
Enabling replication for slot 1 vlan 330 and the ref count is 1
MACSec-IPC: vlan_replication send msg success
Added replication for data vlan 330
MACSec-IPC: geting switch number
MACSec-IPC: switch number is 1
MACSec-IPC: create_rx_sc send msg success
Sent RXSC request to FED/IOMD
MACSec-IPC: geting switch number
MACSec-IPC: switch number is 1
MACSec-IPC: install_rx_sa send msg success
Sent ins_rx_sa to FED and IOMD
MKA-EVENT bc4a.5602.ac25/0000 EC000025: Requested to install/enable new RxSA successfully (AN=0, KN=1 SCI=BC4A.5602.AC25/0000)
%LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan330, changed state to up
MKA-EVENT bc4a.5602.ac25/0000 EC000025: Sending SAK for AN 0 resp peers 0 cap peers 1
MKA-EVENT bc4a.5602.ac25/0000 EC000025: SAK Wait Timer started for 6 seconds.
MKA-EVENT bc4a.5602.ac25/0000 EC000025: (KS) Received new SAK-Use response to Distributed SAK for AN 0, KN 1, Latest Key MI 9B0F8380A5697DD4C3D50E42.CKN 9F0DC198
MKA-EVENT bc4a.5602.ac25/0000 EC000025: (KS) All 1 peers with the required MACsec Capability have indicated they are receiving using the new Latest SAK - install/enable TxSA for AN 0, KN 1, Latest Key MI 9B0F8380A5697DD4C3D50E42.
MKA-EVENT: Reqd to Install TX SA for CA 0x80007F30A6B46F20 AN 0 CKN 9F0DC198 - on int(TenGigabitEthernet1/0/1)...
MKA-EVENT bc4a.5602.ac25/0000 EC000025: >> FSM - Install TxSA for CA with CKN 9F0DC198 on VP with SCI AC7A.5646.4D01/0002 (Latest AN=0)...
MACSec-IPC: geting switch number
MACSec-IPC: switch number is 1
MACSec-IPC: install_tx_sa send msg success
MKA-EVENT bc4a.5602.ac25/0000 EC000025: Before sending SESSION_SECURED status - SECURED=false, PREVIOUSLY_SECURED=false, SAK_REKEY=false, CAK_REKEY=false, OLD_CA=false, NEW_CA=false, CKN=9F0DC198...
MKA-EVENT bc4a.5602.ac25/0000 EC000025: Successfully sent SECURED status for CA with CKN 9F0DC198.
MKA-EVENT: Successfully updated the CKN handle for interface: TenGigabitEthernet1/0/1 with 9F0DC198 (if_num: 9).
%MKA-5-SESSION_SECURED: (Te1/0/1 : 2) MKA Session was secured for RxSCI bc4a.5602.ac25/0000, AuditSessionID C5AA580A00000046CE64E059, CKN 9F0DC198A9728FB3DA198711B58570E4
MKA-EVENT: MSK found to be same while updating the MSK and EAP Session ID in the subblock
MKA-EVENT bc4a.5602.ac25/0000 EC000025: After sending SESSION_SECURED status - SECURED=true, PREVIOUSLY_SECURED=true, SAK_REKEY=false, CAK_REKEY=false, OLD_CA=false, NEW_CA=false, CKN=9F0DC198...
Troubleshooting of this feature is limited to the delivery of the cisco-av-pair attribute linksec-policy=should-secure.
Ensure that the authorization result sends that attribute in the RADIUS session linked to the switchports where the devices are connected.
For further authentication analysis on ISE, refer to Troubleshoot and Enable Debugs on ISE.
This log can be seen in the MKA debugs on the NAD.
MKA-4-MKA_MACSEC_CIPHER_MISMATCH: (Te1/0/1 : 30) Lower strength MKA-cipher than macsec-cipher for RxSCI bc4a.5602.ac25/0000, AuditSessionID C5AA580A00000017C3550E24, CKN CKNID
The first thing to verify in this scenario is that the cipher suites configured in the MKA policy on the switch and in the Secure Client profile match.
For AES-GCM-256 encryption, the requirements listed in the Cisco Secure Client (including AnyConnect) Administrator Guide, Release 5 need to be met.
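As an added example (not code from the original page or from Cisco), this script turns the MKA syslog messages shown above into a per-session verdict: it tracks %MKA-5-SESSION_START and %MKA-5-SESSION_SECURED per interface and authentication-manager session, and flags MKA-4-MKA_MACSEC_CIPHER_MISMATCH or any session that started without being secured. The sample lines are constructed from the messages on this page; with a should-secure policy an unsecured session still passes traffic, in the clear, so that is the condition worth surfacing.

```python
"""Track MKA session state per switchport from IOS XE MKA syslog messages.

Added example, not code from the original page or from Cisco. The sample
lines are constructed from the %MKA-5-SESSION_START, %MKA-5-SESSION_SECURED
and MKA-4-MKA_MACSEC_CIPHER_MISMATCH messages shown on this page.
"""
import re

# MKA-<severity>-<mnemonic>: (<interface> : <session>) ... RxSCI <mac>/<port-id>
MKA_MSG = re.compile(
    r"%?MKA-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): "
    r"\((?P<intf>\S+) : (?P<sess>\d+)\) .*?RxSCI (?P<rxsci>[0-9A-Fa-f.]+/[0-9A-Fa-f]+)"
)
CKN = re.compile(r"CKN (?P<ckn>\S+)\s*$")

# Constructed sample log: one secured session and one cipher-mismatch session
SAMPLE_LOG = """\
%MKA-5-SESSION_START: (Te1/0/1 : 2) MKA Session started for RxSCI bc4a.5602.ac25/0000, AuditSessionID C5AA580A00000046CE64E059, AuthMgr-Handle EC000025
%MKA-5-SESSION_SECURED: (Te1/0/1 : 2) MKA Session was secured for RxSCI bc4a.5602.ac25/0000, AuditSessionID C5AA580A00000046CE64E059, CKN 9F0DC198A9728FB3DA198711B58570E4
MKA-4-MKA_MACSEC_CIPHER_MISMATCH: (Te1/0/1 : 30) Lower strength MKA-cipher than macsec-cipher for RxSCI bc4a.5602.ac25/0000, AuditSessionID C5AA580A00000017C3550E24, CKN CKNID
""".splitlines()


def track_mka_sessions(lines):
    """Return {(interface, session_id): state} built from the MKA messages."""
    sessions = {}
    for line in lines:
        m = MKA_MSG.search(line)
        if not m:
            continue  # not a session message (e.g. MKA-EVENT debug detail)
        key = (m["intf"], int(m["sess"]))
        st = sessions.setdefault(key, {
            "rxsci": m["rxsci"], "started": False, "secured": False,
            "ckn": None, "alerts": [],
        })
        mn = m["mnemonic"]
        if mn == "SESSION_START":
            st["started"] = True
        elif mn == "SESSION_SECURED":
            st["secured"] = True
            c = CKN.search(line)
            st["ckn"] = c["ckn"] if c else None
        elif mn == "MKA_MACSEC_CIPHER_MISMATCH":
            # The switch 'macsec-cipher-suite' and the supplicant cipher disagree
            st["alerts"].append("cipher mismatch between mka policy and supplicant profile")
        elif int(m["sev"]) <= 4:
            st["alerts"].append(mn)  # any other warning-or-worse MKA message
    return sessions


def sessions_needing_attention(sessions):
    """Sessions that logged an alert or started without reaching SECURED.

    Under a should-secure linksec-policy such a session still passes traffic,
    but unencrypted, so it is the one to look at.
    """
    return sorted(
        key for key, st in sessions.items()
        if st["alerts"] or (st["started"] and not st["secured"])
    )


if __name__ == "__main__":
    state = track_mka_sessions(SAMPLE_LOG)
    for key, st in state.items():
        print(key, st)
    print("needs attention:", sessions_needing_attention(state))
```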
This problem, related to a Profile Write Error, is solved by saving the configuration.xml as described earlier in the section Setup of MKA using Network Access Manager Profile Editor.
The error indicates that the configuration.xml file currently in use cannot be modified, hence you need to save the file in another location and then proceed with the replacement of the profile.
Revision | Publish Date | Comments
---|---|---
1.0 | 10-Aug-2023 | Initial Release