[RADIATOR] A few questions regarding MacSec

Nadav Hod nadav.hod at comm-it.co.il
Sun Apr 17 02:21:45 CDT 2016

Hi Heikki,

Calculating the CAK is part of downlink Macsec, meaning the Macsec between supplicant and authenticator (switch-host). However an important part of Macsec within a Cisco infrastructure is uplink Macsec, meaning the authentication server authenticating the authenticators. It's an integral part of dot1x-based Macsec which ensures that the traffic is not just encrypted and authenticated end to end, but also that the infrastructure is trusted end to end prior to downlink Macsec.

The term Cisco uses for authenticating infrastructure is NDAC (Network Device Admission Control) and, coupled with downlink Macsec, allows the authentication and encryption of the entire network (assuming there is supporting hardware and the topology allows it).

This is explained starting on page 54 in the link I provided. It is well illustrated on page 61. Cisco use EAP-Fast for NDAC. The secure seeding device closest to the authentication server (this is configurable) authenticates the neighboring switches, which in turn authenticate their neighboring switches, and so on. When the equipment is authenticated, it can perform Macsec for the endpoints. This is a great way to minimize the attack surface for MITM, replay attacks, packet sniffing and so on across your entire networking infrastructure and not just the access layer.

Is there any chance that Radiator supports uplink Macsec within a Cisco infrastructure? I'm aware that they tailored their solution to Cisco ISE and therefore this may not be a solution based on standards, but it would be interesting to know whether this can be supported without ISE.

From: radiator-bounces at open.com.au [radiator-bounces at open.com.au] on behalf of Heikki Vatiainen [hvn at open.com.au]
Sent: Sunday, April 17, 2016 2:54 AM
To: radiator at open.com.au
Subject: Re: [RADIATOR] A few questions regarding MacSec

On 16.04.2016 00:27, Nadav Hod wrote:

> Does Radiator support Macsec for switch-host and switch-switch links?
> The two connection types are quite different. There is a great
> explanation of how Macsec works and what information is exchanged
> here:
> https://clnv.s3.amazonaws.com/2015/usa/pdf/BRKCRS-2892.pdf
> As you can see, there is more than just the Eap-key-name avpair being
> returned and calculated. However that's what Radiator documentation
> specified as supported.

If you are thinking about the CAK (Connectivity Association Key), it
will be returned with MS-MPPE-Send-Key and MS-MPPE-Recv-Key quite
similar to what TLS-based EAP methods do. This is how Radiator already
works: you will have EAP-Key-Name and the MS-MPPE-* attributes in
Access-Accept. The doc you referred to seems to say CAK is returned, but
not how.

See for example Cisco's MacSec deployment guide and section '2.2.2 IEEE
802.1X and Master Key Distribution'

Heikki Vatiainen
hvn at open.com.au
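The reply above says the key material reaches the switch through MS-MPPE-Recv-Key and MS-MPPE-Send-Key plus EAP-Key-Name in the Access-Accept, but not how those attributes are put together. The following Python is an added illustration, not code from this thread, from Radiator or from Cisco: it implements the RFC 2548 section 2.4.2 key wrapping (MD5 keystream over the RADIUS shared secret, Request Authenticator and a per-attribute salt), builds the three attributes the way RFC 5216 places the 64-octet EAP MSK into the two MS-MPPE halves, and shows the NAS-side parse that recovers the MSK. The shared secret, Request Authenticator, MSK and EAP Session-Id are constructed sample values; the step from MSK to CAK/CKN that IEEE 802.1X-2010 defines is out of scope here and not shown.

```python
"""RFC 2548 MS-MPPE-Send-Key / MS-MPPE-Recv-Key handling for the EAP MSK
carried in a RADIUS Access-Accept, plus EAP-Key-Name (RFC 4072).
Added illustration; not Radiator or Cisco code."""
import hashlib
import os
import struct

ATTR_VENDOR_SPECIFIC = 26
ATTR_EAP_KEY_NAME = 102      # RFC 4072: carries the EAP Session-Id
MS_VENDOR_ID = 311           # Microsoft vendor id used by MS-MPPE-*
MS_MPPE_SEND_KEY = 16
MS_MPPE_RECV_KEY = 17


def _random_salt():
    # RFC 2548 2.4.2: two octets, high bit of the first set, unique per
    # key attribute within one packet.
    return bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])


def mppe_encrypt(key, secret, request_authenticator, salt=None):
    """Wrap `key` as RFC 2548 2.4.2 describes; returns Salt || ciphertext."""
    salt = salt or _random_salt()
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)      # zero-pad to 16-octet blocks
    out = bytearray()
    prev = request_authenticator + salt         # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(plain[i:i + 16], b))
        out += c
        prev = c                                 # b(i) = MD5(S + c(i-1))
    return salt + bytes(out)


def mppe_decrypt(blob, secret, request_authenticator):
    """Inverse of mppe_encrypt: what the NAS does with the received attribute."""
    salt, ct = blob[:2], blob[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not ct or len(ct) % 16:
        raise ValueError("malformed MS-MPPE key attribute")
    plain = bytearray()
    prev = request_authenticator + salt
    for i in range(0, len(ct), 16):
        block = ct[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, b))
        prev = block
    key_len = plain[0]
    if key_len > len(plain) - 1:
        raise ValueError("key length exceeds data (wrong shared secret?)")
    return bytes(plain[1:1 + key_len])


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _ms_vsa(vendor_type, value):
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return _attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", MS_VENDOR_ID) + inner)


def build_key_attrs(msk, session_id, secret, request_authenticator,
                    salts=(None, None)):
    """Server side: RFC 5216 2.3 puts MSK[0:32] in MS-MPPE-Recv-Key and
    MSK[32:64] in MS-MPPE-Send-Key; EAP-Key-Name carries the Session-Id."""
    if len(msk) != 64:
        raise ValueError("EAP MSK is 64 octets")
    recv = mppe_encrypt(msk[:32], secret, request_authenticator, salts[0])
    send = mppe_encrypt(msk[32:], secret, request_authenticator, salts[1])
    return (_attr(ATTR_EAP_KEY_NAME, session_id)
            + _ms_vsa(MS_MPPE_RECV_KEY, recv)
            + _ms_vsa(MS_MPPE_SEND_KEY, send))


def parse_key_attrs(data, secret, request_authenticator):
    """NAS side: walk the attribute list and recover the MSK halves."""
    found = {}
    pos = 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + alen]
        pos += alen
        if atype == ATTR_EAP_KEY_NAME:
            found["eap_key_name"] = value
        elif atype == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == MS_VENDOR_ID:
            vtype, vlen = value[4], value[5]
            blob = value[6:4 + vlen]
            if vtype == MS_MPPE_RECV_KEY:
                found["recv_key"] = mppe_decrypt(blob, secret, request_authenticator)
            elif vtype == MS_MPPE_SEND_KEY:
                found["send_key"] = mppe_decrypt(blob, secret, request_authenticator)
    if not {"eap_key_name", "recv_key", "send_key"} <= found.keys():
        raise ValueError("Access-Accept lacks EAP-Key-Name or MS-MPPE keys")
    found["msk"] = found["recv_key"] + found["send_key"]
    return found


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    secret, req_auth = b"radius-shared-secret", bytes(range(16))
    msk, sid = bytes(range(64)), b"\x0d" + bytes(range(32))
    attrs = build_key_attrs(msk, sid, secret, req_auth)
    print(parse_key_attrs(attrs, secret, req_auth)["msk"] == msk)
```

Because the wrapping depends only on the shared secret and the Request Authenticator, anyone who can read the RADIUS exchange and knows the secret recovers the MSK; that is why the server-to-switch leg carrying these attributes is itself treated as part of the trusted infrastructure in the NDAC picture above.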