MACsec operating mechanism

Operating mechanism for client-oriented mode

Figure 178 illustrates how MACsec operates in client-oriented mode.

Figure 178: MACsec interactive process in client-oriented mode

The following shows the MACsec process:

  1. After the client passes 802.1X authentication, the RADIUS server distributes the generated CAK to the client and the access device.

  2. After receiving the CAK, the client and the access device exchange EAPOL-MKA packets.

    The client and the access device exchange the MACsec capability and required parameters for session establishment. The parameters include MKA key server priority and MACsec desire.

    During the negotiation process, the access device automatically becomes the key server. The key server generates an SAK from the CAK for packet encryption, and it distributes the SAK to the client.

  3. The client and the access device use the SAK to encrypt packets, and they send and receive the encrypted packets in secure channels.

  4. When the access device receives a logoff request from the client, it immediately removes the associated secure session from the port. Removing the session prevents an unauthorized client from reusing the secure session established by the previous authorized client to access the network.

The MKA protocol also defines a session keepalive timer. If one participant does not receive any MKA packets from the peer after the timer expires, the participant removes the established secure session. The keepalive time is 6 seconds.

Operating mechanism for device-oriented mode

As shown in Figure 179, the devices use the configured preshared keys to start the session negotiation.

Figure 179: MACsec interactive process in device-oriented mode

The following shows the MACsec process:

  1. The devices use the configured preshared keys as CAKs to exchange EAPOL-MKA packets.

    They exchange the MACsec capability and required parameters for session establishment. The parameters include MKA key server priority and MACsec desire.

    During the negotiation process, the port with higher MKA key server priority becomes the key server. The key server generates and distributes an SAK.

  2. The devices each use the SAK to encrypt packets and send and receive the encrypted packets in secure channels.

  3. When a device receives a logoff request from the peer, it immediately deletes the associated secure session.

If one participant does not receive any MKA packets from the peer after the session keepalive timer expires, the participant removes the established secure session. The keepalive time is 6 seconds.
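To make the two procedures above concrete, the following added Python model (not H3C/HPE code or a real MKA implementation) walks through the MKA session lifecycle in both modes: key server election, SAK generation and distribution, session removal on logoff, and the 6-second keepalive. The SAK derivation is a labelled stand-in for the IEEE 802.1X KDF, and all names, priority values and timestamps are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

KEEPALIVE_SECONDS = 6.0  # MKA session keepalive time stated in the text


@dataclass
class Participant:
    """One MKA participant: a client, an access device, or a device port."""
    name: str
    cak: bytes                            # connectivity association key (preshared or from RADIUS)
    key_server_priority: int              # 0-255; lower value = higher priority (IEEE 802.1X)
    sak: Optional[bytes] = None           # secure association key, present only while a session is up
    last_mka_rx: Optional[float] = None   # time the last EAPOL-MKA packet arrived from the peer
    session_active: bool = False


def elect_key_server(a: Participant, b: Participant, client_oriented: bool = False) -> Participant:
    """Client-oriented mode: the access device (a) is always the key server.
    Device-oriented mode: the port with the higher priority (lower value) wins;
    a tie is resolved in favour of a here (802.1X breaks ties by SCI)."""
    if client_oriented:
        return a
    if a.cak != b.cak:
        raise ValueError("CAK mismatch: MKA negotiation cannot succeed")
    return a if a.key_server_priority <= b.key_server_priority else b


def derive_sak(cak: bytes, key_number: int) -> bytes:
    """Constructed stand-in for the AES-CMAC based KDF of IEEE 802.1X: derive a
    16-byte SAK from the CAK and a key number using HMAC-SHA256 instead."""
    return hmac.new(cak, b"SAK" + key_number.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


def establish_session(server: Participant, peer: Participant, now: float, key_number: int = 1) -> bytes:
    """The key server generates the SAK from the CAK and distributes it to the peer;
    both sides then hold an active secure session and a fresh keepalive timestamp."""
    sak = derive_sak(server.cak, key_number)
    for p in (server, peer):
        p.sak, p.session_active, p.last_mka_rx = sak, True, now
    return sak


def receive_mka(p: Participant, now: float) -> None:
    """An MKA packet from the peer restarts the session keepalive timer."""
    p.last_mka_rx = now


def tear_down(p: Participant) -> None:
    """Logoff or keepalive expiry: drop the SAK so the session cannot be reused."""
    p.sak, p.session_active, p.last_mka_rx = None, False, None


def check_keepalive(p: Participant, now: float) -> bool:
    """Remove the session if no MKA packet arrived within the keepalive time; return whether it survives."""
    if p.session_active and p.last_mka_rx is not None and now - p.last_mka_rx > KEEPALIVE_SECONDS:
        tear_down(p)
    return p.session_active
```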