Setting MACsec Access Control
IEEE 802.1X-2010 defines Network Identities (NIDs) to manage a port's use of authentication credentials (EAP or PSK) and when and how port connectivity is provided. When MKA is enabled on a port, a NID is automatically instantiated with the following default parameters:
- useEAP—never (EAP is not supported)
- unauthAllowed—never
- unsecureAllowed—mkaServer
Use the set macsec nid unauthallowed command in any command mode to set access control for unauthenticated connectivity on a port. Unauthenticated refers to the port state before MKA is successful (that is, when a port's peer does not have MKA enabled or has a non-matching PSK configured).
Possible settings are:
- Never—(default) port is down and all traffic (except for MKPDUs) is dropped
- Immediate—port is up and all traffic is passed in the clear (no encryption)
- AuthFail—port is down until an attempt occurs to authenticate using EAP, after which the port is up and traffic passes in the clear (EAP is not supported, so this value is equivalent to Never)
Use the set macsec nid unsecureallowed command in any command mode to set access control if the MKA Key Server does not enable MACsec (that is, MKA without MACsec). This situation may occur if the peer supports MKA but not MACsec. MKA on Extreme Networks MACsec-capable ports always requests MACsec, but third-party equipment that supports MKA may choose not to use MACsec.
Possible settings are:
- Never—port remains down and all traffic (except for MKPDUs) is dropped
- Immediate—port is up and all traffic is passed in the clear (no encryption) after successful EAP (EAP is not supported, so this value is equivalent to Never)
- MKAfail—port is up and all traffic is passed in the clear (no encryption) after EAP fails (EAP is not supported, so this value is equivalent to Never)
- MKAserver—(default) port is up and all traffic is passed in the clear (no encryption) if the MKA Key Server selects MKA without MACsec protection
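The two settings above decide, between them, whether a port ends up down, up with MACsec, or up passing traffic in the clear. The following added example (not Extreme Networks code, and not the switch's own logic) models those rules as described on this page so that a configuration can be checked for clear-text fallback before it is deployed: `port_connectivity` folds the unauthenticated stage and the MKA-without-MACsec stage into one outcome, and `audit_ports` flags any port whose combination of `unauthallowed` and `unsecureallowed` can ever pass unencrypted traffic. The port names and the per-port settings dictionary are constructed sample data; the outcome labels (`down`, `up-clear`, `up-secure`) are this example's own names, not CLI output.

```python
"""Model of MACsec NID access-control outcomes (added example, not vendor code).

The rules follow the description of `set macsec nid unauthallowed` and
`set macsec nid unsecureallowed`. EAP is not supported on these ports, so the
EAP-dependent values (AuthFail; Immediate and MKAfail for unsecureallowed)
collapse to the behaviour of Never, exactly as the page states.
"""

# Outcome labels (this example's own names, not switch output)
DOWN = "down"          # port down, only MKPDUs pass
CLEAR = "up-clear"     # port up, traffic passed in the clear (no encryption)
SECURE = "up-secure"   # port up, traffic MACsec-protected

UNAUTH_VALUES = {"never", "immediate", "authfail"}
UNSECURE_VALUES = {"never", "immediate", "mkafail", "mkaserver"}


def port_connectivity(mka_succeeded, keyserver_uses_macsec,
                      unauthallowed="never", unsecureallowed="mkaserver"):
    """Return the port outcome for one combination of peer state and settings.

    Defaults match the NID instantiated automatically when MKA is enabled.
    """
    ua = unauthallowed.lower()
    us = unsecureallowed.lower()
    if ua not in UNAUTH_VALUES:
        raise ValueError(f"unknown unauthallowed value: {unauthallowed}")
    if us not in UNSECURE_VALUES:
        raise ValueError(f"unknown unsecureallowed value: {unsecureallowed}")

    if not mka_succeeded:
        # Unauthenticated: peer has no MKA, or a non-matching PSK.
        # 'authfail' waits for an EAP attempt that never happens -> same as 'never'.
        return CLEAR if ua == "immediate" else DOWN

    if keyserver_uses_macsec:
        # MKA succeeded and the Key Server enabled MACsec.
        return SECURE

    # MKA succeeded but the Key Server chose MKA without MACsec.
    # 'immediate' and 'mkafail' depend on EAP -> equivalent to 'never'.
    return CLEAR if us == "mkaserver" else DOWN


def cleartext_exposure(unauthallowed="never", unsecureallowed="mkaserver"):
    """List the situations in which this configuration passes traffic unencrypted."""
    exposure = []
    if port_connectivity(False, False, unauthallowed, unsecureallowed) == CLEAR:
        exposure.append("unauthenticated")        # peer without MKA / wrong PSK
    if port_connectivity(True, False, unauthallowed, unsecureallowed) == CLEAR:
        exposure.append("mka-without-macsec")     # Key Server declined MACsec
    return exposure


def audit_ports(port_settings):
    """Map each port to its clear-text exposures; only exposed ports are returned.

    port_settings: {port_name: {"unauthallowed": ..., "unsecureallowed": ...}}
    """
    findings = {}
    for port, cfg in port_settings.items():
        exposure = cleartext_exposure(cfg.get("unauthallowed", "never"),
                                      cfg.get("unsecureallowed", "mkaserver"))
        if exposure:
            findings[port] = exposure
    return findings


# Constructed sample inventory (hypothetical port names and settings)
SAMPLE_PORTS = {
    "ge.1.1": {"unauthallowed": "never", "unsecureallowed": "never"},      # strict
    "ge.1.2": {},                                                          # NID defaults
    "ge.1.3": {"unauthallowed": "immediate", "unsecureallowed": "mkaserver"},
    "ge.1.4": {"unauthallowed": "authfail", "unsecureallowed": "mkafail"},  # EAP-only values
}

if __name__ == "__main__":
    for port, exposure in audit_ports(SAMPLE_PORTS).items():
        print(f"{port}: clear-text traffic possible when {', '.join(exposure)}")
```

With the NID defaults a port stays down against a peer that lacks MKA or has the wrong PSK, but it will pass clear-text traffic if a third-party Key Server selects MKA without MACsec; setting `unsecureallowed` to `never` is the only value that closes that path, because the other two non-default values are EAP-dependent and behave as `never` anyway.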