I’m currently trying to set up the MACsec feature on a Juniper EX4300 switch. I successfully configured 802.1X, using Cisco ISE / Microsoft RADIUS / FreeRADIUS RADIUS servers. On all of them the 802.1X authentication works, but when I add MACsec on top of it, it fails. Of course, if I don’t set the MKA to must-secure, then it still works, but there is no encryption present. I’m not an experienced user, but my debugging skills point me to a mismatch in the MKA protocol. I might be wrong though; that’s why I need your help.
About the current setup:
A couple of Linux machines as clients
Juniper EX4300 switch with 802.1X enabled and MACsec using dynamic security mode
I went through that document when we decided to buy a MACsec licence for the EX4300. I'm well past that point in my configuration. I did everything by the book and configured the switch according to the documentation. I was just wondering if there is something special that needs to be set on the RADIUS, because in my opinion it should work.
1) The RADIUS server needs to be configured as the user database for 802.1X authentication.
2) The EAP-TLS authentication framework is required on a switch-to-host link for MACsec if running release 15.1 or later.
3) The RADIUS server must have connectivity with the switch and the host.
I may have said things wrong. I am using 802.1X authentication on the switch. It works fine, and users get authenticated. I can see that both on the switch side and in the RADIUS logs. When I try to add MACsec on the interfaces that already use 802.1X authentication, the clients stop gaining network access. On the switch side I can see the user trying to authenticate. If I check the RADIUS logs, I see that they get authenticated. So the RADIUS gives the OK to the client, but somehow the client does not get it. I checked the packets with Wireshark, and I get a failure after EAP-TLS is sent to the client.
Again, I would ask the same question: does MACsec switch-to-client work without 802.1X involved? You have proven 802.1X works without MACsec, yes?
The only other option I see for you is to open a TAC case. I know that for MACsec client-to-switch, Cisco AnyConnect was used as the client software, but I doubt 802.1X was also tested with this combination. I am not even sure Cisco AnyConnect with MACsec enabled supports 802.1X at the same time; does it? Have you tried this with, say, a Windows machine, and does that work?
I never tried MACsec without 802.1X, because the Juniper documentation clearly states that 802.1X is required in order for MACsec to work, because a part of the 802.1X handshake (EAP) is used to create the keys needed for the dynamic MACsec profile.
MACsec without 802.1X only works in static mode, meaning we have to manually create the keys on both the switch and the host side, but the client's requirement is dynamic key assignment.
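The last two posts describe the two ways a Linux host can bring up MKA: dynamic mode, where the CAK is derived from the EAP-TLS master session key, and static mode, where the same CAK/CKN pair is entered on both the host and the switch. The wpa_supplicant configuration below is an added illustration of that distinction; it is not from the thread, from Juniper, or from the original poster's setup. The interface name (eth0), the certificate paths, the identity and the CAK/CKN values are constructed placeholders, and the matching switch-side configuration is not shown.

```conf
# Constructed example for wpa_supplicant on a wired Linux host
# (run with: wpa_supplicant -i eth0 -D macsec_linux -c this-file.conf)
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
# MKA rides on EAPOL version 3; older versions are silently ignored by MKA peers
eapol_version=3

# Dynamic mode (what the thread is trying to get working):
# MACsec is negotiated only after a successful EAP-TLS exchange, because
# the CAK is derived from the EAP MSK. If EAP-TLS fails, no CAK exists,
# and a must-secure switch port drops all traffic from the host.
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="host01@example.test"            # placeholder identity
    ca_cert="/etc/macsec/ca.pem"              # placeholder path
    client_cert="/etc/macsec/host01.pem"      # placeholder path
    private_key="/etc/macsec/host01.key"      # placeholder path
    eapol_flags=0
    macsec_policy=1          # 1 = MACsec must be negotiated via MKA
    macsec_integ_only=0      # 0 = confidentiality (encryption), not integrity only
    macsec_replay_protect=1
    macsec_replay_window=0
    priority=10
}

# Static mode (pre-shared CAK, no 802.1X): the only option when no
# EAP-derived key is available. The CAK/CKN below are constructed values
# and must match what is configured on the switch port.
network={
    key_mgmt=NONE
    eapol_flags=0
    macsec_policy=1
    mka_cak=00112233445566778899aabbccddeeff
    mka_ckn=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
    priority=1
}
```

With both blocks present the higher `priority` entry (EAP-TLS) is tried first; dropping to the static block only works if the switch port is also configured with the same pre-shared CAK/CKN, which is exactly the manual key handling the thread wants to avoid. Comparing the MKA capture from this configuration with the switch-side logs is a quick way to confirm whether the failure after EAP-TLS is an EAP problem (no MSK, so no CAK) or an MKA parameter mismatch (cipher suite, replay protection, or confidentiality offset).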