Cisco Meraki Documentation

MACsec Support for Access Points

Overview 

With the release of MR 33.1.1, Cisco Wireless introduces MACsec (IEEE 802.1AE) support for Cisco Wireless (CW) access points. MACsec provides line-rate, hop-by-hop encryption at Layer 2, securing the wired link between the access point and the access switch. This prevents snooping, tampering, and man-in-the-middle attacks on that physical link. Because the protection is hop-by-hop, the switch decrypts the traffic at its port; anything beyond the switch is outside the scope of this feature.

Supported Hardware 

MACsec requires hardware-level support in the Ethernet PHY. The following access point models are supported with firmware MR 33.1.1:

Model               Max Interface Speed   Wired Interface
CW9166I / D         5 Gbps                Wired 0
CW9164              5 Gbps                Wired 0
CW9176I / D         5 Gbps                Wired 0
CW9178 / CW9179F    10 Gbps               Wired 0 or 1

Note: SFP modules and Link Aggregation (LAG) are currently not supported for MACsec. Support is limited to copper uplink interfaces. 

MACsec Frame Format 

The MACsec frame format defines the structure of a frame after Media Access Control Security (MACsec) encryption. It consists of specific components that ensure data confidentiality, integrity, and authenticity at Layer 2. 

Figure 1. MACsec Frame Format (diagram not reproduced; the protected frame is DA | SA | SecTAG | Secure Data | ICV)

Table 2. MACsec frame components

SecTAG
  What it is: The security tag, 8 or 16 bytes long (16 bytes when the Secure Channel Identifier (SCI) is encoded explicitly, otherwise 8 bytes). It carries the packet number used for replay protection.
  Used for: Identifying the Secure Association Key (SAK) used for the frame and detecting out-of-sequence frames.

Secure Data
  What it is: The portion of the frame containing the data encrypted by MACsec, 2 or more octets long.
  Used for: Carrying the protected user data within the frame.

ICV (Integrity Check Value)
  What it is: A value that provides an integrity check over the whole frame (addresses, SecTAG and data), 8 to 16 bytes depending on the cipher suite; GCM-AES-128 and GCM-AES-256 both use 16 bytes.
  Used for: Ensuring the integrity of the frame; a frame whose ICV does not match the expected value is dropped at the receiving port.
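The frame layout in Table 2, and the replay window described in the 802.1X & MACsec configuration section, as an added example that is not code from this article or from Cisco: it builds a GCM-AES-128 protected frame with an explicit SCI, parses the SecTAG back out, performs the ICV check a receiving port does, and applies the replay-window rule of IEEE 802.1AE. The SAK, addresses (taken from the syslog sample on this page) and payload are constructed values; the example needs the `cryptography` package.

```python
"""
MACsec frame build / parse / verify, as an added example (not Cisco/Meraki code).
GCM-AES-128 with an explicit SCI, per IEEE 802.1AE. Requires 'cryptography'.
"""
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16  # GCM-AES-128 and GCM-AES-256 both produce a 16-byte ICV

# Constructed sample values (not from a capture); the MACs are the ones in the syslog sample on this page.
SAK = bytes(range(16))
DST = bytes.fromhex("aa1122bb33dd")
SRC = bytes.fromhex("99ff88ee77dd")
SCI = SRC + b"\x00\x01"                    # SCI = system MAC || 2-byte port identifier
PAYLOAD = b"\x08\x00" + b"constructed IPv4 bytes"


def build_macsec_frame(sak, dst, src, sci, pn, an, payload):
    """Protect `payload` (EtherType + data) with confidentiality and integrity (E=1, C=1),
    encoding the SCI explicitly (SC=1), so the SecTAG is 16 bytes."""
    tci_an = 0x20 | 0x08 | 0x04 | (an & 0x03)        # SC | E | C | AN
    sl = len(payload) if len(payload) < 48 else 0    # SL is only set for payloads shorter than 48 bytes
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, sl, pn) + sci
    aad = dst + src + sectag                         # DA, SA and SecTAG are authenticated, not encrypted
    nonce = sci + struct.pack("!I", pn)              # 12-byte GCM IV = SCI || PN
    return dst + src + sectag + AESGCM(sak).encrypt(nonce, payload, aad)   # ciphertext || ICV


def parse_macsec_frame(frame):
    """Split a MACsec frame into its components; raises ValueError on a malformed SecTAG."""
    dst, src = frame[:6], frame[6:12]
    ethertype, tci_an, sl, pn = struct.unpack("!HBBI", frame[12:20])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame")
    flags = {"V": tci_an >> 7 & 1, "ES": tci_an >> 6 & 1, "SC": tci_an >> 5 & 1,
             "SCB": tci_an >> 4 & 1, "E": tci_an >> 3 & 1, "C": tci_an >> 2 & 1}
    if flags["V"] or pn == 0:
        raise ValueError("unsupported version or invalid PN")
    end = 28 if flags["SC"] else 20
    if flags["SC"]:
        sci = frame[20:28]
    elif flags["ES"] and not flags["SCB"]:
        sci = src + b"\x00\x01"                      # implicit SCI: source MAC with port identifier 1
    else:
        raise ValueError("cannot determine SCI")
    body = frame[end:]
    secure_data, icv = body[:-ICV_LEN], body[-ICV_LEN:]
    if sl and len(secure_data) != sl:
        raise ValueError("SL does not match secure data length")
    return {"dst": dst, "src": src, "sectag": frame[12:end], "flags": flags, "an": tci_an & 0x03,
            "pn": pn, "sci": sci, "secure_data": secure_data, "icv": icv}


def verify_and_decrypt(sak, frame):
    """Return the plaintext, or None when the ICV check fails (the receiving port drops the frame)."""
    f = parse_macsec_frame(frame)
    aad = f["dst"] + f["src"] + f["sectag"]
    nonce = f["sci"] + struct.pack("!I", f["pn"])
    try:
        return AESGCM(sak).decrypt(nonce, f["secure_data"] + f["icv"], aad)
    except InvalidTag:
        return None


class ReplayProtect:
    """Receive-side replay protection for one secure association (802.1AE clause 10.6):
    a frame is dropped when PN < lowestPN, where lowestPN = nextPN - window.
    A window of 0 (the Dashboard default) accepts only strictly increasing PNs."""

    def __init__(self, window=0):
        self.window, self.next_pn, self.lowest_pn = window, 1, 1

    def accept(self, pn):
        if pn < self.lowest_pn:
            return False
        if pn >= self.next_pn:
            self.next_pn = pn + 1
            self.lowest_pn = max(1, self.next_pn - self.window)
        return True


if __name__ == "__main__":
    frame = build_macsec_frame(SAK, DST, SRC, SCI, pn=5, an=1, payload=PAYLOAD)
    print(parse_macsec_frame(frame)["flags"], verify_and_decrypt(SAK, frame))
```

Flipping any byte of the secure data or the ICV makes `verify_and_decrypt` return None, which is the "ICV mismatch, frame dropped" case in Table 2; the replay class shows why a window of 0 drops a frame that arrives one position late while a window of 2 accepts it.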

Caveats
  • Recovery: If MACsec negotiation fails and the switch port is configured in "Must-Secure" mode, there is no automatic fallback to unencrypted traffic.

  • IPv6: Supported transparently; MACsec operates at Layer 2, below IP.

  • Management: Both management traffic (Dashboard communication) and client traffic are encrypted over the link.

Access Switch Compatibility 

Currently, this feature is supported when the access point is connected to an upstream Catalyst switch running IOS XE with MACsec support; the switch-side commands later in this article assume that platform.

Note: The switch must be in Device Configuration Mode (formerly Hybrid Mode). Administrators must use the Cloud CLI, physical console port, or SSH to enable MACsec on the switchport. 

Authentication Methods

The MR supports two authentication modes for MKA (MACsec Key Agreement):

  • Pre-Shared Key (PSK):
      ◦ CKN (Key Name): 1-32 bytes (2-64 hex characters).
      ◦ CAK (The Key): exactly 16 or 32 bytes (32 or 64 hex characters).

  • 802.1X + EAP-TLS:
      ◦ Uses the SUDI (Secure Unique Device Identifier) certificate stored in the AP's hardware root of trust (TPM/TAM).
      ◦ Validated by a RADIUS server such as Cisco ISE (recommended).

Cipher Suites 

Both GCM-AES-128 and GCM-AES-256 are supported. The cipher suite is selected by the MKA Key Server, which is normally the switch, so it is set in the switch's MKA policy.

Configuration 

  1. Navigate to Wireless > Configure > Port Profiles.

  2. Create a new port profile.

  3. Under Uplink Security, configure uplink port authentication and traffic encryption. Select either:

     • 802.1X & MACsec
     • PSK & MACsec

Uplink Security: 802.1X & MACsec Configuration 

Once MACsec is enabled on the switch port, the AP loses connectivity until the MKA session is secured. Because this mode also introduces 802.1X, it is recommended to have a working 802.1X setup before attempting MACsec; some references for that are shown below. Recommended order:

1.    Configure 802.1X on the switch

2.    Verify 802.1X authentication is working

3.    Configure the AP by enabling MACsec in its port profile

4.    Configure the switch to enable MACsec on the port

The configuration has the following elements:
  • Dashboard
      ◦ Key chain
      ◦ AP Port Profile configuration
  • Switch
      ◦ Key chain
      ◦ MKA policy
      ◦ Interface configuration
  • RADIUS server (such as ISE)

802.1X has several flavors; only the following two EAP types are supported. The basic differences:

Table 1. EAP types

EAP Type    Client Certificate    Server Certificate    Username
EAP-TLS     Yes                   Yes                   No
EAP-FAST    No                    No                    Yes

  1. For 802.1X & MACsec, set the Replay Window.

Note: The Replay Window accepts a specified number of out-of-sequence frames, to handle frames that arrive out of order. The default window size is 0, which means a frame whose packet number is lower than the next expected one is dropped.

Uplink Security: PSK & MACsec Configuration 

The configuration has the following elements:

  • Dashboard
      ◦ AP Port Profile configuration
  • Switch
      ◦ Key chain
      ◦ MKA policy
      ◦ Interface configuration

Dashboard steps:

  1. Set the Pre-Shared Key (PSK) credentials (CKN and CAK) and the Replay Window.
  2. Save the configuration.
  3. Confirm that the created port profile is enabled for MACsec encryption.

Note: As explained above, PSK stands for Pre-Shared Key. This mode requires the same CKN and CAK to be configured on both ends, the switch and the AP.

Note: Once MACsec is enabled on the switch, the AP will lose connectivity until the MKA session is secured. Therefore, it is important to configure things in the right order:
1. Configure the AP on Dashboard and enable MACsec in its port profile
2. Configure the switch to enable MACsec (this will power cycle the switch port)
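The switch-side elements listed above (key chain, MKA policy, interface configuration), as an added IOS XE example that is not part of this article. The key chain name MKA-PSK, the policy name MKA-AP, the interface, the key lifetime and the CAK value are assumptions; the CKN ABCDEF is the one that appears in the syslog sample further down. In a MACsec key chain the key ID is the CKN and the key-string is the CAK, so both must match the CKN and CAK entered in the Dashboard port profile.

```text
! Added example, not from this article. Replace the key-string with a random 32- or 64-hex-digit CAK.
key chain MKA-PSK macsec
 key ABCDEF
  cryptographic-algorithm aes-128-cmac
  key-string 0123456789abcdef0123456789abcdef
  lifetime local 00:00:00 Jan 1 2025 infinite
!
mka policy MKA-AP
 key-server priority 0
 macsec-cipher-suite gcm-aes-128
!
interface GigabitEthernet1/0/20
 macsec network-link
 mka policy MKA-AP
 mka pre-shared-key key-chain MKA-PSK
 macsec replay-protection window-size 0
 ! should-secure keeps the AP reachable while the session is being brought up;
 ! change to must-secure once "show mka sessions" reports Secured.
 macsec access-control should-secure
```

`key-server priority 0` makes the switch the MKA Key Server, which is what lets it pick the cipher suite as described under Cipher Suites. `macsec access-control must-secure` is the setting the Caveats and Fail-Safe Behavior sections refer to: with it, a failed negotiation leaves the port passing no traffic at all.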

When a PSK is used, the CAK is the PSK and the CKN must be entered manually on both ends; the diagram below shows how the remaining MKA keys are derived from them.

[Figure: MKA key derivation from the PSK (CAK = PSK, CKN entered manually); diagram not reproduced]
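The PSK credential rules from the Authentication Methods section and the key derivation referred to here, as an added example that is not code from this article or from Cisco. It validates a CKN/CAK pair against the Dashboard limits and then derives the Key Encrypting Key (KEK) and Integrity Check Key (ICK) from the CAK with the AES-CMAC counter-mode KDF of IEEE 802.1X-2010 (clause 6.2.1, contexts from clause 9.3.3), plus the Key Server's SAK derivation (clause 9.8). The CKN ABCDEF is the one in the syslog sample below; the CAK, nonce and member identifiers are constructed placeholders. Requires the `cryptography` package.

```python
"""
MKA key hierarchy for the PSK case, as an added example (not Meraki/Cisco code).
KDF per IEEE 802.1X-2010 clause 6.2.1; KEK/ICK/SAK contexts per clauses 9.3.3 and 9.8.
Requires 'cryptography'.
"""
import math
import re

from cryptography.hazmat.primitives.ciphers import algorithms
from cryptography.hazmat.primitives.cmac import CMAC

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def aes_cmac(key, data):
    c = CMAC(algorithms.AES(key))
    c.update(data)
    return c.finalize()


def kdf(key, label, context, length_bits):
    """KDF(Key, Label, Context, Length): concatenation of
    AES-CMAC(Key, i || Label || 0x00 || Context || Length) for i = 1..ceil(Length/128),
    where i is one octet and Length is two octets, big endian, in bits."""
    blocks = math.ceil(length_bits / 128)
    out = b""
    for i in range(1, blocks + 1):
        msg = bytes([i]) + label.encode("ascii") + b"\x00" + context + length_bits.to_bytes(2, "big")
        out += aes_cmac(key, msg)
    return out[: length_bits // 8]


def parse_psk(ckn_hex, cak_hex):
    """Validate Dashboard PSK credentials: CKN 1-32 bytes, CAK exactly 16 or 32 bytes, both hex."""
    for name, value in (("CKN", ckn_hex), ("CAK", cak_hex)):
        if not HEX_RE.match(value) or len(value) % 2:
            raise ValueError(f"{name} must be an even number of hex characters")
    ckn, cak = bytes.fromhex(ckn_hex), bytes.fromhex(cak_hex)
    if not 1 <= len(ckn) <= 32:
        raise ValueError("CKN must be 1 to 32 bytes")
    if len(cak) not in (16, 32):
        raise ValueError("CAK must be exactly 16 or 32 bytes")
    return ckn, cak


def psk_is_valid(ckn_hex, cak_hex):
    try:
        parse_psk(ckn_hex, cak_hex)
        return True
    except ValueError:
        return False


def key_id(ckn):
    """KEK/ICK derivation context: the first 16 octets of the CKN, zero padded."""
    return ckn[:16].ljust(16, b"\x00")


def derive_kek_ick(ckn, cak):
    """Both ends derive the same KEK (wraps the SAK inside MKPDUs) and ICK (authenticates
    MKPDUs) from the CAK; their length matches the CAK (128 or 256 bits)."""
    bits = len(cak) * 8
    kek = kdf(cak, "IEEE8021 KEK", key_id(ckn), bits)
    ick = kdf(cak, "IEEE8021 ICK", key_id(ckn), bits)
    return kek, ick


def derive_sak(cak, ks_nonce, member_identifiers, key_number, sak_bits=128):
    """Key Server side only: SAK = KDF(CAK, "IEEE8021 SAK", KS-nonce || MI list || KN, SAK length).
    The SAK is distributed to peers wrapped with the KEK; the CAK itself never leaves either end."""
    context = ks_nonce + b"".join(member_identifiers) + key_number.to_bytes(4, "big")
    return kdf(cak, "IEEE8021 SAK", context, sak_bits)


if __name__ == "__main__":
    # Constructed values: the CKN matches the syslog sample on this page; the CAK is a placeholder.
    ckn, cak = parse_psk("ABCDEF", "0123456789abcdef0123456789abcdef")
    kek, ick = derive_kek_ick(ckn, cak)
    print("KEK", kek.hex())
    print("ICK", ick.hex())
```

The practical point of the derivation: the CAK is used only as KDF input, and the per-session SAK is fresh for each key number, so a captured MKPDU exchange does not expose the PSK; the PSK must still be generated randomly, because the CAK is the only secret in the whole hierarchy.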

  

Fail-Safe Behavior
  • If MACsec is set to "Must-Secure" on the switch and negotiation fails, the AP will be unable to reach Dashboard (stranded).
  • To recover, the administrator must temporarily set the switchport to "Should-Secure" or disable MACsec. The MR will then reconnect without encryption and report its failure logs.

Troubleshooting

If nothing works, and the basic network configuration is right, the RADIUS server's authentication log is the first place to look; in Cisco ISE this is Operations > Live Log.

Click on the “Details” column for your user, to get the full details about the auth session. 

Show commands on IOS XE Switch: 

show authentication sessions interface Te2/0/39 

show dot1x interface Te2/0/39 

show dot1x all summary 

Troubleshooting MACsec on the Access Point 

Meraki Support will need to access the cloud-managed AP to run the appropriate debug commands.

Troubleshooting on the Switch Side 

On the Catalyst Switch (IOS-XE)

  • show mka sessions: Check that the session status is Secured.

  • show macsec summary: Confirms active Transmit/Receive secure channels.

  • debug mka events: Real-time debugging of the key agreement.

Sample syslogs when session is started and secured: 

064427: Dec 12 11:51:34.116: %MKA-5-SESSION_START: (Gi1/0/20 : 27) MKA Session started for RxSCI aa11.22bb.33dd/0000, AuditSessionID , AuthMgr-Handle B0000163 

064435: Dec 12 11:52:18.244: %MKA-5-SESSION_SECURED: (Gi1/0/20 : 27) MKA Session was secured for RxSCI 99ff.88ee.77dd/0001, AuditSessionID , CKN ABCDEF 
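Turning the two syslog messages above into a check for the stranded-AP case from the Fail-Safe Behavior section, as an added example that is not code from this article or from Cisco. It parses only the two message formats shown on this page (%MKA-5-SESSION_START and %MKA-5-SESSION_SECURED), and reports any port whose session started but was not secured within a timeout, measured against the newest log line. The first and third sample lines are the ones printed above; the second is constructed to show a port that never secures.

```python
"""
Find MKA sessions that started but never secured, from IOS XE syslog.
Added example (not Cisco/Meraki code); parses only the two message formats shown on this page.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^\d+: (?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\.\d+: "
    r"%MKA-5-(?P<event>SESSION_START|SESSION_SECURED): \((?P<intf>\S+) : (?P<port>\d+)\) "
    r"MKA Session (?:started|was secured) for RxSCI "
    r"(?P<sci>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}/[0-9a-f]{4})"
)

# Lines 1 and 3 are the samples from this page; line 2 is constructed (Gi1/0/21 starts MKA
# but never reports SESSION_SECURED, the symptom of a stranded AP on a must-secure port).
SAMPLE_LOG = [
    "064427: Dec 12 11:51:34.116: %MKA-5-SESSION_START: (Gi1/0/20 : 27) MKA Session started for "
    "RxSCI aa11.22bb.33dd/0000, AuditSessionID , AuthMgr-Handle B0000163",
    "064428: Dec 12 11:51:40.002: %MKA-5-SESSION_START: (Gi1/0/21 : 28) MKA Session started for "
    "RxSCI aa11.22bb.33ee/0000, AuditSessionID , AuthMgr-Handle B0000164",
    "064435: Dec 12 11:52:18.244: %MKA-5-SESSION_SECURED: (Gi1/0/20 : 27) MKA Session was secured for "
    "RxSCI 99ff.88ee.77dd/0001, AuditSessionID , CKN ABCDEF",
]


def parse_line(line):
    """Return the fields of an MKA session syslog line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"), "event": m["event"],
            "intf": m["intf"], "port": int(m["port"]), "sci": m["sci"]}


def find_unsecured_sessions(lines, timeout_s=60):
    """Return [(interface, RxSCI, seconds pending)] for ports with a SESSION_START that was
    not followed by SESSION_SECURED within timeout_s of the newest log line."""
    pending, last_ts = {}, None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        last_ts = rec["ts"]
        if rec["event"] == "SESSION_START":
            pending[rec["intf"]] = rec        # a later START on the same port supersedes the earlier one
        else:
            pending.pop(rec["intf"], None)    # secured: the AP is reaching Dashboard through MACsec
    stranded = []
    for intf, rec in sorted(pending.items()):
        age = (last_ts - rec["ts"]).total_seconds()
        if age >= timeout_s:
            stranded.append((intf, rec["sci"], age))
    return stranded


if __name__ == "__main__":
    for intf, sci, age in find_unsecured_sessions(SAMPLE_LOG, timeout_s=30):
        print(f"{intf}: MKA started for {sci} but not secured after {age:.0f}s; check CKN/CAK or 802.1X")
```

The timeout is measured against the newest parsed line rather than the wall clock so the check works on exported logs; on a live feed, pass the current time instead. A port that keeps logging SESSION_START without SESSION_SECURED is the pattern to expect when the CKN or CAK differs between the Dashboard port profile and the switch key chain.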

 

[SW] Check MKA session

show mka sessions

Total MKA Sessions....... 1
      Secured Sessions... 1
      Pending Sessions... 0

====================================================================================================
Interface       Local-TxSCI          Policy-Name       Inherited          Key-Server
Port-ID         Peer-RxSCI           MACsec-Peers      Status             CKN
====================================================================================================
Gi1/0/20        aa11.22bb.33dd/001b  macsec-policy     NO                 YES
27              99ff.88ee.77dd/0001  1                 Secured            ABCDEF

[SW] MACsec summary (1 indicates an active secure channel)

show macsec summary

Interface                     Transmit SC         Receive SC
Gi1/0/20                           1                   1

Other useful commands:

show macsec interface <interface>

show macsec status

 

Switch#debug mka ?
  diagnostics        Excessive diagnostic MKA debugging
  errors             MKA errors debugging
  events             MKA important events debugging
  fsm                MKA FSM tracing
  ha                 MKA High Availability (HA/SSO/ISSU)
  linksec-interface  MKA Linksec Layer Interface
  macsec-interface   MKA MACsec Layer Interface
  packets            MKA packet (MKPDU) debugging
  snmp               MKA SNMP events debugging
  <cr>
