10-13-2014 02:45 PM - edited 03-10-2019 10:06 PM
Is it possible to do downlink macsec without the full NDAC/SGA setup?
I am trying to set up encryption from the PCs to the switchport and it is attempting, but never completes. I keep getting these two logs:
(I have researched these logs but couldn't really find anything that worked)
(It gets a little confusing when MACSec/NDAC and SGA are all explained at the same time in some of the documents and in the official Cisco Press book!)
%MKA-4-KEEPALIVE_TIMEOUT: Peer has stopped sending MKPDUs for RxSCI....
%MKA-4-SESSION_UNSECURED: MKA Session was stopped by MKA and not secured for RxSCI.....
This is my related interface config:
interface GigabitEthernetX/Y/Z
 switchport access vlan XYZ
 switchport mode access
 switchport voice vlan XYZ
 ip access-group PREAUTH in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 712
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 macsec
 mka default-policy
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
- Attached a picture of related ISE and Anyconnect Config
Thank You for any advice or input!! :)
10-14-2014 07:27 AM
I found the solution and wanted to post it in case anyone else ran into this problem!
I had to update the NIC driver and all of a sudden it started working with no other changes!
I had an Intel 82579LM NIC adapter and updating to the latest Intel driver fixed the issue! Currently it seems to work best with Intel from what I am seeing.
Thanks!! :)
07-13-2018 01:34 AM
I second this. After taking a while to find out that my RADIUS not only needs to send EAP-Key-Name as an attribute but also Cisco-AVpair := "linksec-policy=must-secure", I was stuck with my USB network adapter not completing the MACsec handshake. The internal card of my machine completed successfully on the first try.
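The two configuration-side prerequisites named in this thread, written as a pre-flight check. This is an added example, not code from any poster or from Cisco: the function names, the `SAMPLE_*` values and the attribute-pair input format are assumptions made for illustration, and the required-command list is taken from the interface config posted above.

```python
import re

# Interface commands present on the port config posted in the thread.
REQUIRED_PORT_LINES = {
    "macsec": r"^macsec$",
    "mka policy": r"^mka (default-policy|policy \S+)$",
    "dot1x authenticator": r"^dot1x pae authenticator$",
    "port-control auto": r"^authentication port-control auto$",
}
LINKSEC_VALUES = {"must-secure", "should-secure", "must-not-secure"}

# Constructed sample inputs (not captured from a real device or server).
SAMPLE_PORT = """macsec
mka default-policy
dot1x pae authenticator
authentication port-control auto"""
SAMPLE_ACCEPT = [("EAP-Key-Name", "<constructed-key-name>"),
                 ("Cisco-AVPair", "linksec-policy=must-secure")]


def audit_port(config_text):
    """Return the names of required commands missing from one interface block."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    return [name for name, pat in REQUIRED_PORT_LINES.items()
            if not any(re.match(pat, ln) for ln in lines)]


def audit_access_accept(attrs):
    """attrs: (name, value) pairs from a RADIUS Access-Accept.
    Returns findings; an empty list means both attributes look usable."""
    findings = []
    names = {n.lower() for n, _ in attrs}
    if "eap-key-name" not in names:
        findings.append("EAP-Key-Name missing")
    policies = [v.split("=", 1)[1] for n, v in attrs
                if n.lower() == "cisco-avpair" and v.startswith("linksec-policy=")]
    if not policies:
        findings.append("linksec-policy AV pair missing")
    elif policies[0] not in LINKSEC_VALUES:
        findings.append(f"unknown linksec-policy value: {policies[0]}")
    elif policies[0] == "must-not-secure":
        findings.append("linksec-policy=must-not-secure disables MACsec for the session")
    return findings
```

A port and Access-Accept that pass both checks can still fail the MKA exchange for the reason reported in this thread, where the client NIC driver or adapter was the cause.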