
MACSec without NDAC

bunjiega
Level 1

Is it possible to do downlink macsec without the full NDAC/SGA setup?

 
I am trying to set up encryption from the PCs to the switchport and it is attempting, but never completes. I keep getting these two logs:
(I have researched these logs but couldn't really find anything that worked)
(It gets a little confusing when MACSec/NDAC and SGA are all explained at the same time in some of the documents and in the official Cisco Press book!)


%MKA-4-KEEPALIVE_TIMEOUT: Peer has stopped sending MKPDUs for RxSCI.... 
%MKA-4-SESSION_UNSECURED: MKA Session was stopped by MKA and not secured for RxSCI..... 

This is my related interface config:
interface GigabitEthernetX/Y/Z
 switchport access vlan XYZ
 switchport mode access
 switchport voice vlan XYZ
 ip access-group PREAUTH in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 712
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 macsec
 mka default-policy
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

- Attached a picture of related ISE and Anyconnect Config


Thank You for any advice or input!!  :)

2 Replies

bunjiega
Level 1

I found the solution and wanted to post it in case anyone else ran into this problem!

I had to update the NIC driver and all of a sudden it started working with no other changes!

I had an Intel 82579LM NIC adapter and updating to the latest Intel driver fixed the issue! Currently it seems to work best with Intel from what I am seeing.

Thanks!! :)

I second this. After taking a while to find out that my RADIUS not only needs to send EAP-Key-Name as an attribute but also Cisco-AVpair := "linksec-policy=must-secure", I was stuck with my USB network adapter not completing the macsec handshake. The internal card of my machine completed successfully on the first try.
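An added example, not code from the thread or from Cisco: a small Python parser that correlates the two MKA syslog messages quoted in the question per RxSCI, so a port whose peer keeps timing out and never reaches a secured session can be spotted in a syslog feed instead of being lost among other MKA noise. The sample log lines, the SCI and interface values, and the field layout after "RxSCI" are constructed assumptions; the page only shows the message prefixes.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines modelled on the MKA messages in the thread.
# Everything after "RxSCI" (the SCI, the ", interface ..." suffix) and the
# SESSION_SECURED line are assumptions about the layout, not copied from the page.
SAMPLE_LOG = """\
Mar 10 09:12:01 sw1 %MKA-4-KEEPALIVE_TIMEOUT: Peer has stopped sending MKPDUs for RxSCI 0011.2233.4455/0001, interface Gi1/0/5
Mar 10 09:12:01 sw1 %MKA-4-SESSION_UNSECURED: MKA Session was stopped by MKA and not secured for RxSCI 0011.2233.4455/0001, interface Gi1/0/5
Mar 10 09:13:20 sw1 %MKA-4-KEEPALIVE_TIMEOUT: Peer has stopped sending MKPDUs for RxSCI 0011.2233.4455/0001, interface Gi1/0/5
Mar 10 09:13:20 sw1 %MKA-4-SESSION_UNSECURED: MKA Session was stopped by MKA and not secured for RxSCI 0011.2233.4455/0001, interface Gi1/0/5
Mar 10 09:14:05 sw1 %MKA-5-SESSION_SECURED: MKA Session was secured for RxSCI aabb.ccdd.eeff/0001, interface Gi1/0/7
"""

# Match the MKA mnemonic, then the SCI (MAC/port-id) and optional interface name.
MKA_RE = re.compile(
    r"%MKA-\d-(?P<event>KEEPALIVE_TIMEOUT|SESSION_UNSECURED|SESSION_SECURED):"
    r".*?RxSCI (?P<sci>[0-9a-f.]+/[0-9a-f]+)(?:, interface (?P<intf>\S+))?"
)


def summarize_mka(log_text, threshold=2):
    """Count MKA events per RxSCI and flag peers that never secure a session.

    Returns {sci: {"port", "timeouts", "unsecured", "secured", "flag"}}.
    """
    per_sci = defaultdict(
        lambda: {"port": None, "timeouts": 0, "unsecured": 0, "secured": 0}
    )
    for line in log_text.splitlines():
        m = MKA_RE.search(line)
        if not m:
            continue
        rec = per_sci[m["sci"]]
        if m["intf"]:
            rec["port"] = m["intf"]
        if m["event"] == "KEEPALIVE_TIMEOUT":
            rec["timeouts"] += 1
        elif m["event"] == "SESSION_UNSECURED":
            rec["unsecured"] += 1
        else:
            rec["secured"] += 1
    for rec in per_sci.values():
        # Repeated unsecured sessions with no secured session is the pattern the
        # question describes (the host-side MKA exchange never completing), which
        # the thread traced to the client NIC driver and to missing RADIUS
        # attributes; flag it for triage rather than treating it as noise.
        rec["flag"] = rec["secured"] == 0 and rec["unsecured"] >= threshold
    return dict(per_sci)


if __name__ == "__main__":
    for sci, rec in summarize_mka(SAMPLE_LOG).items():
        print(sci, rec)
```

Point it at a real syslog export and raise `threshold` to suit your environment; a flagged SCI identifies a host and port, not a cause.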
