Macsec, Mka, And 802.1X Host Modes - Cisco Catalyst 4500 Series Configuration Manual

Understanding Media Access Control Security and MACsec Key Agreement

MACsec, MKA, and 802.1X Host Modes

You can use MACsec and the MKA Protocol with 802.1X single-host mode, multiple-host mode, or
Multi Domain Authentication (MDA) mode. Multiple authentication mode is not supported.
Single-Host Mode
Figure 43-1
Figure 43-1
Host
Multiple-Host Mode
In standard (not 802.1X-2010) 802. multiple-host mode, a port is open or closed based on a single
authentication. If one user, the primary secured client services client host, is authenticated, the same
level of network access is provided to any host connected to the same port. If a secondary host is a
MACsec supplicant, it cannot be authenticated and traffic would no flow. A secondary host that is a
non-MACsec host can send traffic to the network without authentication because it is in multiple-host
mode. See
Figure 43-2
Primary host
Secondary host
Secondary host
We do not recommend using multi-host mode because after the first successful client, authentication is
not required for other clients, which is not secure.
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
43-4
shows how a single EAP authenticated session is secured by MACsec using MKA.
MACsec in Single-Host Mode with a Secured Data Session
Unsecured
MACsec
Switch with
MACsec
configured
Figure 43-2.
MACsec in Standard Multiple-Host Mode - Unsecured
Chapter 43
AAA
Access-control system
Switch with
Access-control system
MACsec
configured
Configuring MACsec Encryption
AAA
OL-25340-01