Configuring MKA MACsec Using EAP-TLS - Cisco Catalyst 4500 Series Software Configuration Manual

Cisco IOS XE Release 3.9.xE and Cisco IOS Release 15.2(5)Ex

Chapter 48
Configuring MACsec Encryption
| Step | Command | Purpose |
|---|---|---|
| Step 8 | exit | Exits ca-trustpoint configuration mode and returns to global configuration mode. |
| Step 9 | crypto pki authenticate name | Retrieves the CA certificate and authenticates it. |
| Step 10 | crypto pki enroll name | Generates certificate request and displays the request for copying and pasting into the certificate server. Enter enrollment information when you are prompted. For example, specify whether to include the device FQDN and IP address in the certificate request. You are also given the choice about displaying the certificate request to the console terminal. The base-64 encoded certificate with or without PEM headers as requested is displayed. |
| Step 11 | crypto pki import name certificate | Imports a certificate via TFTP at the console terminal, which retrieves the granted certificate. The device attempts to retrieve the granted certificate via TFTP using the same filename used to send the request, except the extension is changed from ".req" to ".crt". For usage key certificates, the extensions "-sign.crt" and "-encr.crt" are used. The device parses the received files, verifies the certificates, and inserts the certificates into the internal certificate database on the router. Note: Some CAs ignore the usage key information in the certificate request and issue general purpose usage certificates. If your CA ignores the usage key information in the certificate request, only import the general purpose certificate. The device will not use one of the two key pairs generated. |
| Step 12 | exit | Exits Global Configuration mode. |
| Step 13 | show crypto pki certificate trustpoint name | Displays information about the certificate for the trust point. |
| Step 14 | copy running-config startup-config | (Optional) Saves your entries in the configuration file. |

Ensure that you enroll both the participating devices and the RADIUS server to the PKI infrastructure.
For more information on PKI configuration, see the Public Key Infrastructure Configuration Guide.

Configuring MKA MACsec Using EAP-TLS

To configure MACsec with MKA on point-to-point links, perform these tasks:
- Configure an Authentication Policy
- Configure EAP-TLS Profiles and IEEE 802.1x Credentials
- Configure 802.1x and MKA MACsec using EAP-TLS on Interfaces

Configuring EAP-TLS and 802.1x Credentials

To configure EAP-TLS and 802.1x credentials, perform the following task:

Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Understanding MKA MACsec with EAP-TLS
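
For Step 11 of the manual enrollment procedure on this page, the following is an added example (not Cisco code and not part of the original guide) of a pre-check run on the TFTP server before `crypto pki import name certificate`: it applies the ".req" to ".crt" filename rule and the Note's general-purpose case. It assumes the "-sign.crt" and "-encr.crt" suffixes replace ".req" on the same base filename; the function names and the sample filename `sw1.req` are hypothetical.

```python
"""Pre-check a TFTP staging directory before the certificate import step.

Added example. Assumption: for usage key certificates the "-sign.crt" and
"-encr.crt" suffixes replace ".req" on the same base filename.
"""
from pathlib import Path


def expected_cert_names(req_filename, usage_keys=False):
    """Map the request filename to the certificate file(s) the device fetches."""
    if not req_filename.endswith(".req"):
        raise ValueError("request filename must end in .req")
    base = req_filename[: -len(".req")]
    if usage_keys:
        return [base + "-sign.crt", base + "-encr.crt"]
    return [base + ".crt"]


def plan_import(tftp_root, req_filename, usage_keys=False):
    """Return (status, files) for what is staged under tftp_root.

    status is "ready" (every expected file is present), "general-purpose-only"
    (usage keys were requested but the CA issued a single general purpose
    certificate, the case described in the Note), or "missing" (files lists
    what still has to be placed on the server).
    """
    root = Path(tftp_root)
    wanted = expected_cert_names(req_filename, usage_keys)
    present = [name for name in wanted if (root / name).is_file()]
    if len(present) == len(wanted):
        return "ready", present
    general = expected_cert_names(req_filename, usage_keys=False)[0]
    if usage_keys and not present and (root / general).is_file():
        # Import only the general purpose certificate; one of the two
        # generated key pairs will not be used by the device.
        return "general-purpose-only", [general]
    return "missing", [name for name in wanted if name not in present]


if __name__ == "__main__":
    import tempfile

    # Constructed sample: an empty staging directory and a hypothetical request name.
    with tempfile.TemporaryDirectory() as staging:
        print(plan_import(staging, "sw1.req", usage_keys=True))
        (Path(staging) / "sw1.crt").write_text("constructed placeholder\n")
        print(plan_import(staging, "sw1.req", usage_keys=True))
```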