The MACsec Key Agreement Protocol (MKA) is used to discover remote peers attached to the same LAN, to confirm mutual possession of a CAK (as configured via PSK), and to securely distribute the secret keys (SAKs) used by MACsec for symmetric key cryptography.
When MKA is enabled port access is immediately enforced per MACsec Access Control configuration (that is, set macsec nid unauthAllowed), with the default behavior being port down and all traffic is dropped. Once MKA successfully authenticates the remote peer (using PSK credentials), elects a Key Server, and distributes a SAK, port state transitions to up and all traffic is encrypted.
When MKA is disabled the port access control is removed and unencrypted traffic resumes.