Macsec, Mka And 802.1X Host Modes - Cisco Catalyst 3750-X Software Configuration Manual

Hide thumbs Also See for Catalyst 3750-X:

Table of Contents

Configuring IEEE 802.1x Port-Based Authentication

MACsec, MKA and 802.1x Host Modes

You can use MACsec and the MKA Protocol with 802.1x single-host mode, multiple-host mode, or Multi

Domain Authentication (MDA) mode. Multiple authentication mode is not supported.

Although the software supports MDA mode, there are no IP phones that support MACsec and MKA.

Single-Host Mode

The same switch port hosts an unsecured phone session using CDP bypass. Since CDP bypass mode

bypasses authentication to provide access based only on device type, the switch does not attempt to enter

into an MKA exchange with the phone. If a voice VLAN is configured, CDP packets bypass MAC sec.

For secure voice access, you should use MDA mode.

Multiple-Host Mode

In standard (not 802.1x REV) 802. multiple-host mode, a port is open or closed based on a single

authentication. If one user, the primary secured client services client host, is authenticated, the same

level of network access is provided to any host connected to the same port. If a secondary host is a

MACsec supplicant, it cannot be authenticated and traffic would no flow. A secondary host that is a

non-MACsec host can send traffic to the network without authentication because it is in multiple-host

Primary host

Secondary host

shows how a single EAP authenticated session is secured by MACsec by using MKA.

MACsec in Single-Host Mode with a Secured Data Session

MACsec in Standard Multiple-Host Mode - Unsecured

Understanding IEEE 802.1x Port-Based Authentication

Access-control system

Access-control system

Catalyst 3750-X and 3560-X Switch Software Configuration Guide

Show Quick Links

Table of Contents

Catalyst 3560-x