Cisco Catalyst 3560-X Software Configuration Manual page 368

Understanding Media Access Control Security and MACsec Key Agreement
MACsec, MKA and 802.1x Host Modes
You can use MACsec and the MKA Protocol with 802.1x single-host mode, multiple-host mode, or Multi
Domain Authentication (MDA) mode. Multiple authentication mode is not supported.
Single-Host Mode
Figure 1-1
Figure 1-1
Host
Multiple-Host Mode
In standard (not 802.1x REV) 802. multiple-host mode, a port is open or closed based on a single
authentication. If one user, the primary secured client services client host, is authenticated, the same
level of network access is provided to any host connected to the same port. If a secondary host is a
MACsec supplicant, it cannot be authenticated and traffic would no flow. A secondary host that is a
non-MACsec host can send traffic to the network without authentication because it is in multiple-host
mode. See
Figure 1-2
Primary host
Secondary host
Secondary host
We do not recommend using multi-host mode because after the first successful client, authentication is
not required for other clients, which is not secure.
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
1-4
shows how a single EAP authenticated session is secured by MACsec by using MKA.
MACsec in Single-Host Mode with a Secured Data Session
Unsecured
MACsec
Switch with
MACsec
configured
Figure 1-2.
MACsec in Standard Multiple-Host Mode - Unsecured
Chapter 1
AAA
Access-control system
Switch with
Access-control system
MACsec
configured
Configuring MACsec Encryption
AAA
OL-25303-03