FA Message Authentication and Integrity Protection

To secure FA communication in terms of data integrity and authenticity, a keyed-hash message authentication code transmitted with the FA TLV data protects all FA signaling exchanges. The standard HMAC-SHA256 algorithm is used to calculate the message authentication code (digest): a cryptographic hash function (SHA-256) combined with a shared secret key. The key is symmetric (known to both the source and destination parties). By default, FA message authentication is enabled and a default key is defined, so communication is secured out-of-the-box.

You can configure message authentication status and authentication keys on a per-port basis.

When FA message authentication is enabled, the FA key (default or configured) is used to generate a Hash-based Message Authentication Code (HMAC) digest that is included in all FA TLVs (the FA Element TLV and the FA I-SID/VLAN Assignment TLV). Upon receipt, the HMAC digest is recomputed for the TLV data and compared against the digest included in the TLV. If the digests are the same, the data is valid. If not, the data is considered invalid and is ignored.

The FA secure communication setting (enabled/disabled) and the symmetric key data are maintained across resets and restored during FA initialization.

Multiple authentication key support allows authentication with two keys: a user-defined key and a default key. Key usage can be restricted. Either only the user-defined key is accepted (strict key-mode), or the user-defined key is tried first and, if it does not validate the message, the default key is tried next (standard key-mode). By default, only the user-defined key (strict key-mode) is used for authentication.
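The digest generation, verification and key-mode fallback described above, as an added example that is not the switch's own code. It assumes the digest is appended to the TLV payload and uses constructed placeholder keys and payload bytes; the real FA TLV encoding and key format are not shown on this page.

```python
import hmac
import hashlib
from typing import Optional

# Constructed sample keys (placeholders, not real FA keys); an FA switch
# would load these from the per-port configuration described above.
USER_DEFINED_KEY = b"example-user-key-not-real"
DEFAULT_KEY = b"example-default-key-not-real"

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


def compute_fa_digest(tlv_data: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 over the FA TLV payload with the shared symmetric key."""
    return hmac.new(key, tlv_data, hashlib.sha256).digest()


def build_fa_tlv(tlv_data: bytes, key: bytes) -> bytes:
    """Assumed wire layout: payload followed by the 32-byte digest
    (the page does not specify where the digest is placed in the TLV)."""
    return tlv_data + compute_fa_digest(tlv_data, key)


def verify_fa_tlv(frame: bytes, user_key: bytes, default_key: bytes,
                  key_mode: str = "strict") -> Optional[str]:
    """Return which key validated the frame ('user' or 'default'),
    or None if no digest matches and the TLV must be ignored.

    strict   : only the user-defined key is accepted (the default mode).
    standard : user-defined key first, then the default key as fallback.
    """
    if len(frame) <= DIGEST_LEN:
        return None                       # too short to hold payload + digest
    tlv_data, received = frame[:-DIGEST_LEN], frame[-DIGEST_LEN:]
    candidates = [("user", user_key)]
    if key_mode == "standard":
        candidates.append(("default", default_key))
    elif key_mode != "strict":
        raise ValueError("key_mode must be 'strict' or 'standard'")
    for name, key in candidates:
        # compare_digest avoids leaking the mismatch position through timing
        if hmac.compare_digest(compute_fa_digest(tlv_data, key), received):
            return name
    return None


if __name__ == "__main__":
    # Constructed FA Element TLV payload (not the real TLV encoding)
    payload = b"FA-ELEMENT:type=client,vlan=100,isid=10100"
    frame = build_fa_tlv(payload, DEFAULT_KEY)
    print(verify_fa_tlv(frame, USER_DEFINED_KEY, DEFAULT_KEY, "strict"))    # None
    print(verify_fa_tlv(frame, USER_DEFINED_KEY, DEFAULT_KEY, "standard"))  # default
```

In standard key-mode a message signed with the default key is still accepted, which is why strict key-mode is the default.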

Message authentication status, authentication key and key-mode settings are maintained on a per-port basis.

When the interface on which the FA Client is discovered is EAP/NEAP enabled, information about authentication failures is passed to the EAP/NEAP agent, which forwards it to an FA policy server for potential processing.

For FA Clients connected behind the ISW FA Client, the ingress interface, element type, authentication status, and related key information can be provided for additional upstream client processing.