This procedure describes how to configure IEEE 802.1AE MACsec on a switch port, keyed by the IEEE 802.1X MACsec Key Agreement (MKA) protocol with a pre-shared key. Parameters that are not set explicitly keep their default values.
Step | Task | Command(s) |
---|---|---|
1 | Configure the Connectivity Association Key (CAK) and Connectivity Association Key Name (CKN) pair, which together form the Pre-Shared Key (PSK), on each port that will run the MACsec Key Agreement (MKA) protocol (see Setting MACsec Pre-Shared Keys (PSK) on Ports). The identical CAK/CKN pair must be configured on the peer at the other end of the link, or MKA will not establish a secure association. | set macsec pre-shared-key port port-string ckn {raw hex-name | name} cak {passphrase key | raw key | encrypted key} |
2 | Optionally, modify the access control settings for unauthenticated and unsecured packets (see Setting MACsec Access Control). unauthAllowed defaults to "never"; unsecureAllowed defaults to "mkaServer". Setting either to "immediate" lets cleartext traffic through without waiting for MKA to succeed, so keep the defaults on any link that is meant to be protected. | set macsec nid {unauthallowed {never | immediate | authFail} | unsecureallowed {never | immediate | mkaFail | mkaServer}} [port-string] |
3 | Optionally, enable MACsec replay protection and set the size of the replay protection packet window (see Enabling MACsec Replay Protection). Replay protection is enabled by default. The window defaults to 0, which discards any frame whose packet number is not greater than the last one accepted; raise it only if the path can legitimately reorder frames, since a larger window widens the interval in which a captured frame can be replayed. | set macsec secy {replay-protect {enable | disable} | window num-packets} [port-string] |
4 | Optionally, configure the MKA lifetime for the desired port (see Setting MKA Lifetime). | set macsec kay mka-life-time mka-life-time port-string |
5 | Enable the MACsec Key Agreement protocol (MKA) on the desired ports (see Enabling the MACsec Key Agreement Protocol (MKA)). | set macsec port mka {enable | disable} [port-string] |
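The five steps above as one complete CLI session, added here as an illustration rather than taken from the original page. The port name `ge.1.1`, the CKN hex string and the CAK passphrase are constructed values; the MKA lifetime (step 4) is left at its platform default because this page does not give its units. Lines beginning with `#` are annotations for the reader, not CLI input.

```text
# Step 1: the PSK is the CKN/CAK pair. Configure the identical pair on the
# peer device; the CKN is sent in the clear in MKA PDUs and identifies which
# CAK the peers are using, the CAK itself never leaves the switch.
set macsec pre-shared-key port ge.1.1 ckn raw 0123456789abcdef cak passphrase s3cure-link-key-01

# Step 2: access control. These are the defaults, restated so the intended
# policy is visible in the running configuration.
set macsec nid unauthallowed never ge.1.1
set macsec nid unsecureallowed mkaServer ge.1.1
# Weak setting, shown for contrast only (do NOT use on a protected link):
# it forwards unsecured frames without waiting for MKA to succeed.
#   set macsec nid unsecureallowed immediate ge.1.1

# Step 3: replay protection on (default) with a strict window of 0.
set macsec secy replay-protect enable ge.1.1
set macsec secy window 0 ge.1.1

# Step 4: MKA lifetime left at its default (no command issued).

# Step 5: enable MKA last, after the PSK is in place, so the port never
# starts key agreement without a CAK to authenticate the peer with.
set macsec port mka enable ge.1.1
```

After enabling MKA, confirm on both peers that an MKA session is live and that the port is transmitting with a secure association before trusting the link; the exact `show macsec` output to check is platform-specific and is not described on this page.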