Client-Oriented Macsec Configuration Example (Device As Client) - HPE FlexNetwork 7500 Series Security Configuration Manual


Client-oriented MACsec configuration example (device as client)
Network requirements
As shown in Figure 149, the switch connects to the device through trunk ports GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3.
The device acts as an access device. You cannot configure a preshared key on the device for MKA negotiation and packet encryption.
The RADIUS server acts as an 802.1X authentication server.
To secure data between the switch and the device by MACsec, perform the following tasks on the switch:
Enable MACsec desire, and configure MKA to negotiate SAKs for packet encryption.
Configure the 802.1X client feature, so that the switch acts as an 802.1X client and can use 802.1X-generated CAKs for MACsec.
Figure 149 Network diagram
Configuration procedure
1. Configure IP addresses for the Ethernet ports. Make sure the switch, the device, and the RADIUS server can reach one another. (Details not shown.)
2. Configure the access device. (Details not shown.)
Configuration on the access device varies by manufacturer. For information about device configuration, see the corresponding product manual. This part illustrates only the switch configuration; for information about 802.1X client commands, see Security Command Reference.
3. Configure the RADIUS server to provide authentication, authorization, and accounting services. Add user accounts. (Details not shown.)
4. Configure the switch:
# Create VLAN 2.
<Switch> system-view
[Switch] vlan 2
[Switch-vlan2] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLAN 2.
[Switch] interface gigabitethernet 1/0/2
Figure 149 labels: Switch (802.1X client); GE1/0/2, permit VLAN 1,2, connects to the device; GE1/0/3, permit VLAN 1,3; RADIUS server.
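The switch-side configuration that the tasks above describe, written out as an added example; it is not the manual's own continuation of step 4 and may differ from it. It assumes Comware 7 command syntax (dot1x client, macsec desire, mka enable, macsec replay-protection, display mka session), a RADIUS account user1 with an EAP method that yields an MSK (EAP-MD5 produces no keying material, so no CAK could be derived from it), and the VLAN assignments from Figure 149.

```text
# Create the VLANs carried by the two trunk ports.
<Switch> system-view
[Switch] vlan 2
[Switch-vlan2] quit
[Switch] vlan 3
[Switch-vlan3] quit
# Configure GigabitEthernet 1/0/2 as a trunk port and permit VLAN 2 on it
# (VLAN 1 stays permitted as the default VLAN).
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk permit vlan 2
# Act as an 802.1X client on this port. Username, password and EAP method are
# assumed values; the EAP method must derive an MSK for the CAK to be generated.
[Switch-GigabitEthernet1/0/2] dot1x client enable
[Switch-GigabitEthernet1/0/2] dot1x client username user1
[Switch-GigabitEthernet1/0/2] dot1x client password simple PLACEHOLDER-PASSWORD
[Switch-GigabitEthernet1/0/2] dot1x client eap-method peap-mschapv2
# Enable MACsec desire and MKA, so the 802.1X-generated CAK is used to negotiate SAKs.
[Switch-GigabitEthernet1/0/2] macsec desire
[Switch-GigabitEthernet1/0/2] mka enable
# Assumed hardening: encrypt the whole frame (no confidentiality offset) and
# drop replayed frames.
[Switch-GigabitEthernet1/0/2] macsec confidentiality-offset 0
[Switch-GigabitEthernet1/0/2] macsec replay-protection enable
[Switch-GigabitEthernet1/0/2] quit
# Repeat the port configuration for GigabitEthernet 1/0/3 with VLAN 3.
# Verify that an MKA session was negotiated and that the port is secured.
[Switch] display mka session
[Switch] display macsec
```

If display mka session shows no session on the port, check first that 802.1X authentication succeeded and that the chosen EAP method actually exports an MSK; without it MKA has no CAK and MACsec desire leaves the port unprotected.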
