MACsec application modes
MACsec supports client-oriented and device-oriented modes.
Client-oriented mode
As shown in Figure 176, MACsec secures data transmission between the client and the access device. In this mode, MACsec must operate with 802.1X authentication.
Client-oriented MACsec includes the following entities:
Client (supplicant)—A user terminal seeking access to the LAN. The terminal must have 802.1X software to authenticate to the access device. The terminal also performs CAK negotiation and packet encryption.
Access device (authenticator)—Authenticates the client to control access to the LAN and performs CAK negotiation and packet encryption.
Authentication server—Provides AAA services for the access device. The authentication server is typically a RADIUS server. After the client passes authentication, the authentication server generates and distributes the CAK to the client and the access device.
Figure 176: Client-oriented mode
NOTE: In client-oriented mode, an MKA-enabled port on the access device must perform port-based 802.1X access control. The authentication method must be EAP relay.
Device-oriented mode
As shown in Figure 177, MACsec secures data transmission between devices. In this mode, the devices do not perform identity authentication, and the same preshared key must be configured on the MACsec ports that connect the devices. The devices use the configured preshared key as the CAK.
Figure 177: Device-oriented mode
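The following is an added example of a device-oriented (preshared key) MKA configuration, not taken from this document or its vendor. Because the page gives no CLI syntax for its own device, it uses Linux wpa_supplicant (driver macsec_linux) as a stand-in; the CAK and CKN values are constructed placeholders, and the identical file must be used on both ends of the link.

```ini
# /etc/wpa_supplicant/macsec-psk.conf (hypothetical path)
# Device-oriented mode: no 802.1X identity authentication; the
# preshared key (mka_cak) is used directly as the CAK.
# Start on each device with:
#   wpa_supplicant -i eth0 -D macsec_linux -c /etc/wpa_supplicant/macsec-psk.conf
ctrl_interface=/var/run/wpa_supplicant
eapol_version=3
ap_scan=0

network={
    key_mgmt=NONE           # no EAP/802.1X exchange in this mode
    eapol_flags=0
    macsec_policy=1         # 1 = MACsec required; 0 would allow plaintext fallback
    macsec_integ_only=0     # 0 = encrypt frames, 1 = integrity only
    macsec_replay_protect=1 # drop replayed frames
    macsec_replay_window=0  # strict in-order delivery
    # Constructed placeholders: 16-byte CAK and CKN, hex encoded.
    # Both MACsec ports connecting the two devices must carry the same pair,
    # or MKA never forms a CA and no SAK is distributed.
    mka_cak=00112233445566778899aabbccddeeff
    mka_ckn=0000000000000000000000000000000a
}
```

A mismatched CAK or CKN on either side shows up as MKA peers that never reach "live" rather than as an explicit error, so confirming both files are byte-identical is the first check to make when the link stays down.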