Is it possible to do downlink MACsec without the full NDAC/SGA setup?
I am trying to set up encryption from the PCs to the switchport and it is attempting, but never completes. I keep getting these two logs: (I have researched these logs but couldn't really find anything that worked) (It gets a little confusing when MACsec/NDAC and SGA are all explained at the same time in some of the documents and in the official Cisco Press book!)
%MKA-4-KEEPALIVE_TIMEOUT: Peer has stopped sending MKPDUs for RxSCI....
%MKA-4-SESSION_UNSECURED: MKA Session was stopped by MKA and not secured for RxSCI.....
This is my related interface config:

interface GigabitEthernetX/Y/Z
 switchport access vlan XYZ
 switchport mode access
 switchport voice vlan XYZ
 ip access-group PREAUTH in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 712
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 macsec
 mka default-policy
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

- Attached a picture of related ISE and AnyConnect Config