MACsec configuration examples
Client-oriented MACsec configuration example (host as client)
Network requirements
As shown in Figure 160, the host accesses the network through GigabitEthernet 1/0/1. The device performs RADIUS-based 802.1X authentication for the host to control user access to the Internet.
To ensure secure communication between the host and device, perform the following tasks on the
device:
• Enable MACsec desire, and configure MKA to negotiate SAKs for packet encryption.
• Set the MACsec confidentiality offset to 30 bytes.
• Enable MACsec replay protection, and set the replay protection window size to 100.
• Set the MACsec validation mode to strict.
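To make the effect of the last three settings concrete, here is an added example (not from the configuration guide or the device software) that models the receive-side checks IEEE 802.1AE applies for a given validation mode, replay window and confidentiality offset. The class and function names are assumptions for illustration; the model is simplified (one secure association, packet numbers only, no real cipher).

```python
# Added example: simplified model of MACsec receive checks (not vendor code).
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MacsecReceiver:
    validation_mode: str = "strict"   # "strict", "check" or "disable"
    replay_protection: bool = True
    replay_window: int = 100          # window size configured on the device
    next_pn: int = 1                  # highest accepted packet number + 1
    counters: dict = field(default_factory=lambda: {
        "ok": 0, "late": 0, "invalid": 0, "notag": 0})

    def receive(self, pn: Optional[int], icv_valid: bool = True) -> bool:
        """Return True if a frame with packet number pn would be delivered.

        pn=None models a frame that arrived without a SecTAG.
        """
        if pn is None:
            # Untagged frames are discarded only in strict mode; check and
            # disable modes deliver them (counted as untagged).
            self.counters["notag"] += 1
            return self.validation_mode != "strict"
        if self.replay_protection:
            # The window only rejects frames older than next_pn - window.
            # A duplicate PN inside the window is still accepted, so only a
            # window of 0 enforces strict ordering and blocks replays fully.
            lowest_pn = max(1, self.next_pn - self.replay_window)
            if pn < lowest_pn:
                self.counters["late"] += 1
                return False
        if self.validation_mode != "disable" and not icv_valid:
            self.counters["invalid"] += 1
            # "check" validates but still delivers; "strict" discards.
            return self.validation_mode == "check"
        self.counters["ok"] += 1
        self.next_pn = max(self.next_pn, pn + 1)
        return True


def in_clear_bytes(user_data_len: int, confidentiality_offset: int) -> int:
    """Leading user-data bytes sent unencrypted (still integrity-protected)
    for a confidentiality offset of 0, 30 or 50; short frames stay in the
    clear entirely."""
    return min(user_data_len, confidentiality_offset)
```

With the page's settings (strict, window 100, offset 30), a frame reordered by up to 100 packet numbers is delivered, an older one or one with a bad ICV is dropped, and the first 30 bytes of each frame's user data remain readable to intermediate monitoring while the rest is encrypted.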
Figure 160 Network diagram
(Figure placeholder: Host 192.168.1.2/24 connects to GE1/0/1 192.168.1.1/24 on Device; GE1/0/2 10.1.1.10/24 on Device connects to the RADIUS server 10.1.1.1/24 and to the Internet.)
Configuration procedure
1. Configure the RADIUS server to provide authentication, authorization, and accounting services. Add a user account for the host. (Details not shown.)
2. Configure IP addresses for the Ethernet ports. (Details not shown.)
3. Configure AAA:
# Enter system view.
<Device> system-view
# Configure RADIUS scheme radius1.
[Device] radius scheme radius1
[Device-radius-radius1] primary authentication 10.1.1.1
[Device-radius-radius1] primary accounting 10.1.1.1
[Device-radius-radius1] key authentication simple name
[Device-radius-radius1] key accounting simple money
[Device-radius-radius1] user-name-format without-domain
[Device-radius-radius1] quit
# Configure authentication domain bbb for 802.1X users.
[Device] domain bbb
[Device-isp-bbb] authentication lan-access radius-scheme radius1