Example: Configuring client-oriented MACsec

Network configuration

As shown in Figure 180, the host accesses the network through Ten-GigabitEthernet 1/1/1. The device performs RADIUS-based 802.1X authentication for the host to control user access to the Internet.

To ensure secure communication between the host and device, perform the following tasks on the device:

Figure 180: Network diagram

Procedure

  1. Configure IP addresses for the Ethernet ports. (Details not shown.)

  2. Configure the RADIUS server to provide authentication, authorization, and accounting services. Add a user account for the host. (Details not shown.)

  3. Configure AAA:

    # Enter system view.

    <Device> system-view
    

    # Configure RADIUS scheme radius1.

    [Device] radius scheme radius1
    [Device-radius-radius1] primary authentication 10.1.1.1
    [Device-radius-radius1] primary accounting 10.1.1.1
    [Device-radius-radius1] key authentication simple name
    [Device-radius-radius1] key accounting simple money
    [Device-radius-radius1] user-name-format without-domain
    [Device-radius-radius1] quit
    

    # Configure authentication domain bbb for 802.1X users.

    [Device] domain bbb
    [Device-isp-bbb] authentication lan-access radius-scheme radius1
    [Device-isp-bbb] authorization lan-access radius-scheme radius1
    [Device-isp-bbb] accounting lan-access radius-scheme radius1
    [Device-isp-bbb] quit
    
  4. Configure 802.1X:

    # Enable 802.1X on Ten-GigabitEthernet 1/1/1.

    [Device] interface ten-gigabitethernet 1/1/1
    [Device-Ten-GigabitEthernet1/1/1] dot1x
    

    # Implement port-based access control on Ten-GigabitEthernet 1/1/1.

    [Device-Ten-GigabitEthernet1/1/1] dot1x port-method portbased
    

    # Specify bbb as the mandatory authentication domain for 802.1X users on Ten-GigabitEthernet 1/1/1.

    [Device-Ten-GigabitEthernet1/1/1] dot1x mandatory-domain bbb
    [Device-Ten-GigabitEthernet1/1/1] quit
    

    # Enable 802.1X globally, and sets the device to relay EAP packets.

    [Device] dot1x
    [Device] dot1x authentication-method eap
    
  5. Configure MACsec:

    # Create an MKA policy named pls.

    [Device] mka policy pls
    

    # Set the MACsec confidentiality offset to 30 bytes.

    [Device-mka-policy-pls] confidentiality-offset 30
    

    # Enable MACsec replay protection.

    [Device-mka-policy-pls] replay-protection enable
    

    # Set the MACsec replay protection window size to 100.

    [Device-mka-policy-pls] replay-protection window-size 100
    

    # Set the MACsec validation mode to strict.

    [Device-mka-policy-pls] validation mode strict
    [Device-mka-policy-pls] quit
    

    # Apply the MKA policy to Ten-GigabitEthernet 1/1/1.

    [Device] interface ten-gigabitethernet 1/1/1
    [Device-Ten-GigabitEthernet1/1/1] mka apply policy pls
    

    # Configure MACsec desire and enable MKA on Ten-GigabitEthernet 1/1/1.

    [Device-Ten-GigabitEthernet1/1/1] macsec desire
    [Device-Ten-GigabitEthernet1/1/1] mka enable
    [Device-Ten-GigabitEthernet1/1/1] quit
    

Verifying the configuration

# Display MACsec information on Ten-GigabitEthernet 1/1/1.

[Device] display macsec interface ten-gigabitethernet 1/1/1 verbose
Interface Ten-GigabitEthernet1/1/1
  Protect frames         : Yes
  Active MKA policy      : pls
  Replay protection      : Enabled
  Replay window size     : 100 frames
  Confidentiality offset : 30 bytes
  Validation mode        : Strict
  Included SCI           : No
  SCI conflict           : No
  Cipher suite           : GCM-AES-128
  Transmit secure channel:
    SCI           : 00E00100000A0006
      Elapsed time: 00h:02m:07s
      Current SA  : AN 0        PN 1
  Receive secure channels:
    SCI           : 00E0020000000106
      Elapsed time: 00h:02m:03s
      Current SA  : AN 0        LPN 1
      Previous SA : AN N/A      LPN N/A

# Display MKA session information on Ten-GigabitEthernet 1/1/1 after a user logs in.

[Device] display mka session interface ten-gigabitethernet 1/1/1 verbose
Interface Ten-GigabitEthernet1/1/1
Tx-SCI    : 00E00100000A0006
Priority  : 0
Capability: 3
  CKN for participant: 1234
    Key server            : Yes
    MI (MN)               : A1E0D2897596817209CD2307 (2509)
    Live peers            : 1
    Potential peers       : 0
    Principal actor       : Yes
    MKA session status    : Secured
    Confidentiality offset: 30 bytes
    Current SAK status    : Rx & Tx
    Current SAK AN        : 0
    Current SAK KI (KN)   : A1E0D2897596817209CD230700000002 (2)
    Previous SAK status   : N/A
    Previous SAK AN       : N/A
    Previous SAK KI (KN)  : N/A
    Live peer list:
    MI                        MN         Priority  Capability  Rx-SCI
    B2CAF896C9BFE2ABFB135E63  2512       0         3           00E0020000000106