Setting MACsec Pre-Shared Keys (PSK) on Ports

The Pre-Shared Key (PSK) is the combination of the public Secure Connectivity Association Key Name (CKN) and private Secure Connectivity Association Key (CAK).

The public CKN can be specified either as a raw value between 1 and 32 octets, with each octet represented by 2 hexadecimal digits, or as an ASCII string. The raw value option allows interoperability with other IEEE 802.1X-2010 compliant devices that support PSKs. The ASCII name option is an Extreme Networks feature that simplifies CKN entry by allowing a human-readable name to be configured instead of an opaque octet string. The CKN is public knowledge, so a configured value is stored in non-volatile memory and displayed in the show config macsec output exactly as it was entered through the CLI.

The private CAK is 16 octets and can be specified as a raw value, as an encrypted value, or as a pass phrase. The pass phrase option is specific to Extreme Networks and offers an easy way to generate a 16-octet CAK by hashing a secure pass phrase with SHA-1. The pass phrase as originally entered is discarded, and because the switch uses a one-way hash, it is not recoverable.

The CAK is a secret, so a configured value is stored in non-volatile memory and shown as an encrypted value, similar to the way the switch encrypts passwords. Encrypted values are bracketed by colons in the format :encrypted-cak:. Use the command set macsec pre-shared-key port in any command mode to configure a MACsec Pre-Shared Key for a port by specifying the CKN and CAK.
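
The format rules above can be checked before PSK values are pushed to a switch. The following Python is an added example, not Extreme Networks code: it validates a raw CKN and a raw CAK against the octet lengths stated here and flags CAK fields that are not in the colon-bracketed encrypted form. The record layout, port labels, sample values and the shape-based classification in cak_form are assumptions made for the example.

```python
import re

HEX_PAIRS = re.compile(r"(?:[0-9A-Fa-f]{2})+")  # whole octets, 2 hex digits each

def raw_octets(value):
    """Decode a raw value written as 2 hex digits per octet."""
    if not HEX_PAIRS.fullmatch(value):
        raise ValueError("not a string of 2-digit hexadecimal octets")
    return bytes.fromhex(value)

def check_raw_ckn(value):
    """Return the CKN octets if the raw value is 1 to 32 octets long."""
    octets = raw_octets(value)
    if not 1 <= len(octets) <= 32:
        raise ValueError(f"CKN is {len(octets)} octets, expected 1 to 32")
    return octets

def cak_form(value):
    """Classify a CAK field by shape (this example's heuristic, not the switch's parser)."""
    if len(value) > 2 and value.startswith(":") and value.endswith(":"):
        return "encrypted"  # colon-bracketed form shown in saved config
    if HEX_PAIRS.fullmatch(value):
        if len(value) != 32:  # 16 octets, 2 hex digits each
            raise ValueError(f"raw CAK is {len(value) // 2} octets, expected 16")
        return "raw"  # cleartext secret
    return "other"  # for example a pass phrase

def audit(records):
    """Return (port, problem) for every record that fails a check."""
    problems = []
    for port, ckn, cak in records:
        try:
            check_raw_ckn(ckn)
            if cak_form(cak) != "encrypted":
                problems.append((port, "CAK is not in encrypted form"))
        except ValueError as err:
            problems.append((port, str(err)))
    return problems

# Constructed sample inventory: (port label, raw CKN, CAK field). All values are made up.
SAMPLE = [
    ("port-A", "0a1b2c", ":placeholder:"),
    ("port-B", "0a1b2c", "00112233445566778899aabbccddeeff"),
    ("port-C", "aa" * 33, ":placeholder:"),
    ("port-D", "0a1b2", ":placeholder:"),
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A 32-digit hexadecimal pass phrase is indistinguishable from a raw CAK by shape alone, so cak_form reports it as raw.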