MACsec provides secure communication on wired networks: it encrypts each frame on the wire so that traffic cannot be monitored. There are two deployment types: switch-to-host (user-facing/downlink) MACsec and switch-to-switch MACsec.
Switch-to-host MACsec requires a supplicant that supports 802.1X with MACsec; Cisco AnyConnect/Secure Client supports this functionality. When AnyConnect is configured with MACsec it authenticates the user/computer using 802.1X and then encrypts all traffic sent to the directly attached access layer switch using MACsec. Once the access layer switch receives a frame it decrypts it, which allows QoS policies to be applied or the traffic to be monitored with NetFlow. The switch can then forward the packet in clear text or, if switch-to-switch MACsec is enabled, re-encrypt the traffic on the next hop.
Switch-to-switch MACsec secures packets on a hop-by-hop basis, decrypting and re-encrypting on each network device (meaning all traffic inside the switches is in clear text). Each MACsec session is independent of the others as traffic is routed through the network.
MACsec uses the following protocols:
- EAP (Extensible Authentication Protocol) – this is used by the supplicant (AnyConnect) and the authenticator (the switch) to negotiate the EAP authentication method and MACsec association.
- EAP Method – protocol that defines the authentication method
- MKA (MACsec Key Agreement) – protocol that discovers the MACsec peers and negotiates the keys
- EAPoL (EAP over LAN) – encapsulation for EAP from the supplicant to the switch
- RADIUS – the protocol used between the switch and the authentication server (ISE)
This post describes how to configure a Cisco Catalyst 3650 switch and the AnyConnect client to use switch-to-host MACsec to secure communication between the client computer and the access layer switch. ISE is required to authenticate the user/computer.
ISE Configuration
After successful 802.1X authentication, MACsec is initiated and a MACsec policy is applied. There are three MACsec policies:
- Must not secure
- Should Secure
- Must Secure
By default the local MACsec policy on a Cisco switch is Should Secure: the switch attempts MKA and, if it succeeds, encrypts the traffic, but if MKA times out or fails the switch still permits unencrypted traffic. This may not be desirable, so ISE can be configured to send an AV pair (attribute-value pair) for Must Secure on successful authorization.
- Navigate to Policy > Policy Elements > Authorization Profiles
- Click Add to create a new Authorization Profile
- Name the Authorization Profile appropriately, e.g. MACSec
- Under the Common Tasks section tick MACSec Policy, select must-secure
- Click Save
- Navigate to Policy > Policy Sets > <Your dot1x policy set>
- Modify your existing Authorization Policy rules to add the Profile you previously created
- Click Save
AnyConnect Profile Configuration
For MACsec we will modify the existing working AnyConnect profile.
- Open the AnyConnect Network Access Manager Profile Editor
- Open the existing configuration XML file
- Select the Networks tab
- Select the existing working profile
- Click the Security Levels tab
- Under the Security section, from the Key Management drop-down list select MKA
- From the Encryption drop-down list select MACSec: AES-GCM-128
- Click Credentials and Done
- Save the updated configuration XML file and restart AnyConnect services
Switch Configuration
MACsec is enabled per interface with the macsec interface command.
- Log in to the switch and configure MACsec on each interface as below
interface gigabitethernet 0/5
 macsec
Example of a full working interface configuration with 802.1X and MACsec:
interface GigabitEthernet0/5
 switchport access vlan 11
 switchport mode access
 macsec
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer restart 300
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge
 spanning-tree bpduguard enable
end
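Because the macsec command is applied per interface, it is easy to leave an 802.1X access port without it and end up with a port that authenticates but never encrypts. The script below is an added example (not code from the post) that parses a running-config into interface blocks and reports every port configured as an 802.1X authenticator that has no macsec line. The running-config embedded in it is constructed for the example and is not from the post's switch.

```python
import re

# Constructed sample running-config (not from the post): one port configured
# like the post's example, one 802.1X port that is missing macsec, one trunk.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet0/5
 switchport access vlan 11
 switchport mode access
 macsec
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/6
 switchport access vlan 11
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/7
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} from IOS running-config text.

    Interface sub-commands are indented by one space; a line that is not
    indented (for example "!" or a global command) ends the current block.
    """
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
    return interfaces


def is_dot1x_authenticator(lines):
    """True when the port runs 802.1X with port-control enabled."""
    port_control = re.compile(r"^authentication port-control\s+\S+")
    return ("dot1x pae authenticator" in lines
            and any(port_control.match(line) for line in lines))


def audit_macsec(config):
    """Return the names of 802.1X authenticator ports with no 'macsec' sub-command."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if is_dot1x_authenticator(lines) and "macsec" not in lines:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for port in audit_macsec(SAMPLE_RUNNING_CONFIG):
        print(f"{port}: 802.1X enabled but macsec not configured")
```

Run it against the output of show running-config (saved to a file and read into parse_interfaces) to list the ports that still need the macsec command before ISE's must-secure policy is rolled out; a must-secure result on a port with no macsec configured would otherwise fail in a way that is only visible in the session detail.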
Testing and Verification
Connect a computer with the updated AnyConnect profile to the switchport enabled with dot1x and MACsec.
From the ISE Live Logs we can determine that the user (user1) was successfully authenticated and the MACSec Authorization Profile previously created was applied.
- Navigate to Operations > Troubleshoot > Diagnostic Tools > TCP Dump
- Run a packet capture during an authentication attempt, save the capture and open it in Wireshark
- Locate the Access-Accept RADIUS packet
Analysing the packet capture below, you can see that the Access-Accept packet resulting from the Authorization Profile called MACSec carries the AV pair must-secure. You will also notice that syslog was configured on the switch and it sent a message confirming that the session was secured.
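The same check can be done without Wireshark by decoding the RADIUS Access-Accept directly. The code below is an added example, not from the post or from Cisco: it builds a constructed Access-Accept (with a zeroed Response Authenticator, so it is a sample rather than a real capture), walks the RADIUS attributes, pulls the cisco-av-pair strings out of the Vendor-Specific attribute (vendor ID 9, vendor type 1), and reports the MACsec policy. It assumes ISE encodes the policy as the AV pair linksec-policy=<value>; the username and packet identifiers are constructed.

```python
import struct

# RADIUS codes and attribute types from RFC 2865; Cisco's VSA layout is the
# standard Vendor-Id + Vendor-Type + Vendor-Length + value encoding.
RADIUS_ACCESS_ACCEPT = 2
RADIUS_ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # vendor type of cisco-av-pair
LINKSEC_KEY = "linksec-policy"   # assumption: the AV pair name ISE uses for the MACsec policy


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Encode a cisco-av-pair string inside a Vendor-Specific attribute."""
    payload = text.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(payload)) + payload
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_packet(code, identifier, attributes):
    """Assemble a RADIUS packet; the 16-byte authenticator is zeroed (constructed sample)."""
    body = b"".join(attributes)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + bytes(16) + body


def parse_packet(packet):
    """Return (code, [(type, value), ...]) from raw RADIUS bytes, rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, offset = [], 20
    while offset < length:
        if offset + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[offset + 2:offset + attr_len]))
        offset += attr_len
    return code, attrs


def cisco_avpairs(attrs):
    """Extract every cisco-av-pair string from the Vendor-Specific attributes."""
    pairs = []
    for attr_type, value in attrs:
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        sub = value[4:]
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                break
            if vtype == CISCO_AVPAIR:
                pairs.append(sub[2:vlen].decode("utf-8", errors="replace"))
            sub = sub[vlen:]
    return pairs


def linksec_policy(packet):
    """Return the MACsec policy pushed in an Access-Accept, or None when no policy
    was sent (the switch then falls back to its local policy, should-secure by default)."""
    code, attrs = parse_packet(packet)
    if code != RADIUS_ACCESS_ACCEPT:
        return None
    for pair in cisco_avpairs(attrs):
        key, sep, val = pair.partition("=")
        if sep and key.strip() == LINKSEC_KEY:
            return val.strip()
    return None


# Constructed sample packets (not captured from the post's lab).
ACCEPT_MUST_SECURE = build_packet(RADIUS_ACCESS_ACCEPT, 0x2A, [
    attribute(ATTR_USER_NAME, b"user1"),
    cisco_avpair("linksec-policy=must-secure"),
])
ACCEPT_NO_POLICY = build_packet(RADIUS_ACCESS_ACCEPT, 0x2B, [attribute(ATTR_USER_NAME, b"user1")])
REJECT = build_packet(RADIUS_ACCESS_REJECT, 0x2C, [])

if __name__ == "__main__":
    for name, pkt in [("accept with policy", ACCEPT_MUST_SECURE),
                      ("accept without policy", ACCEPT_NO_POLICY),
                      ("reject", REJECT)]:
        print(f"{name}: linksec-policy={linksec_policy(pkt)}")
```

The distinction between must-secure and None matters for verification: an Access-Accept that carries no policy still authorizes the user, and the port silently keeps the local should-secure behaviour described earlier, so a missing AV pair is the symptom to look for when sessions come up unencrypted.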
From the CLI of the switch run the command show authentication session interface gigabitethernet 0/5 detail. From the output below we can confirm that user1 was successfully authenticated and that the ISE Authorization Profile changing the Security Policy to Must Secure was applied. More importantly, we can confirm that the Security Status is Link Secured.
You can run the command show macsec interface gigabitethernet 0/5 for statistics about the session, confirming that MACsec is enabled and that packets are being encrypted.