Use this command to configure the Secure Connection Association Key (CAK) and Secure Connection Association Key Name (CKN) pair which makes up the Pre‐Shared Key (PSK) on a port.
port port-string | Specifies the port the Pre‐Shared Key (CAK/CKN pair) is assigned to. |
ckn | Specifies that the following value is the Secure Connection Association Key Name for this PSK. |
raw | Raw 32 byte key name in hexadecimal format (for example: 0a3c4f...). |
name | ASCII Key name (maximum of 32 characters). |
cak | Specifies that the following value is the Secure Connection Association Key. |
passphrase | ASCII text hashed to generate a CAK (maximum of 16 characters). |
raw | Raw 16-byte CAK in hexadecimal form (for example: 0a3c4f...). |
encrypted | Encrypted form of raw CAK (generated from show config). |
key | The key value (16 bytes raw or 16 characters maximum passphrase). |
None.
All command modes.
The Pre-Shared Key (PSK) is the combination of the public Secure Connectivity Association Key Name (CKN) and private Secure Connectivity Association Key (CAK).
The public CKN can be specified as either a raw value between 1 and 32 octets, with each octet represented by 2 hexadecimal digits, or as an ASCII string. The raw value option allows for interoperability with other IEEE802.1X-2010 compliant devices which support PSKs. The ASCII name option is an Extreme Networks feature which simplifies CKN entry, allowing the configuration of a human readable name rather than an obtuse octet string. The CKN is public knowledge, so a configured value is stored in non-volatile memory and displayed in the show config dot1x output exactly as it was entered via CLI.
The private CAK can be specified as an ASCII pass phrase, as a 16 octet raw value, or as an encrypted value. When entered as an ASCII pass phrase value, the switch performs an SHA1 hash. The originally entered CAK pass phrase is discarded. The CAK is a secret, so a configured value is stored in nonvolatile memory and shown as an encrypted value, similar to the way the switch encrypts passwords. Encrypted values are bracketed by colons in the format :encrypted-cak:. Use the command set macsec pre-shared-key port in any command mode to configure a MACsec Pre-Shared Key for a port by specifying the CKN and CAK.
This example shows how to set the CKN to the name "blue" and set the CAK to the ASSCII passphrase “My cool passphrase” for port "ge.1.10":
System(rw)->set macsec pre-shared-key port ge.1.10 ckn blue cak “My cool passphrase”
This example shows how to set the CKN to the raw value of "5ea6012e6001b82434eb85f7bde3e135" and the CAK to the raw value of "4f12208bc364d8c522af6f59b4b4a2aa" for ports "ge.1.1" through "ge.1.10":
System(rw)->set macsec pre-shared-key port ge.1.1-10 ckn 5ea6012e6001b82434eb85f7bde3e135 cak 4f12208bc364d8c522af6f59b4b4a2aa
This example shows how to set the CKN to the name "blue" and the CAK to the encrypted value as displayed in the show config of ":d371cf33640ab20737f7eef41364c50afbd10cd6d04e8262:" for port "ge.1.1":
System(rw)->set macsec pre-shared-key port ge.1.1 ckn blue cak encrypted :d371cf33640ab20737f7eef41364c50afbd10cd6d04e8262: