Ethernet Switching

802.1-AE not working with EX4300

‎03-27-2017 08:35 AM

Hi,

I’m currently trying to set up the macsec feature on a Juniper EX4300 switch. I successfully configured 802.1x, using CISCO ISE / Microsoft Radius / FreeRadius radius servers. On all of them the 802.1x authentication works, but when I add the macsec on top of it, it fails. Of course, if I don’t set the mka to must-secure, then it still works, but there is no encryption present. I’m not an experienced user, but my debugging skills point me to a mismatch in the mka protocol. I might be wrong though, that’s why I need your help.

About the current setup:

A couple of linux machines as clients

Juniper EX4300 switch with 802.1x enabled and macsec using dynamic security mode

CISCO ISE radius server


Thanks a lot in advance.

Kind Regards,


Alexandru Popa


Re: 802.1-AE not working with EX4300

‎03-28-2017 06:18 AM

Hello,


Hope this link is helpful in explaining MACSEC requirements, licenses as well as limitations on EX4300.


https://www.juniper.net/documentation/en_US/junos/topics/concept/macsec.html


Regards,


Rushi


Re: 802.1-AE not working with EX4300

‎03-28-2017 07:03 AM

Hi,


I went through that document when we decided to buy a macsec licence for the EX4300. I'm well past that point in my configuration. I did everything by the book and configured the switch according to the documentation. I was just wondering if there is something special that needs to be set on the radius, because in my opinion it should work.


Re: 802.1-AE not working with EX4300

‎03-28-2017 11:09 AM

Hello,

Radius Server must meet following conditions:


1) Radius Server needs to be configured as the user database for 802.1X authentication.
2) EAP-TLS authentication framework is required on a switch-to-host link for MACsec if running 15.1 or later release.
3) Radius must have connectivity with Switch and Host.


Regards,


Rushi


Re: 802.1-AE not working with EX4300

‎03-28-2017 01:58 PM

Quick question, if you do not use User Authentication via 802.1x, is the MACSEC client to switch working?  What MACSEC SW are you using on the client side?


People I have worked with on this, have not been able to find client side SW that actually works!  MACSEC Juniper switch-to-switch definitely works and is deployed, albeit with potential caveats.


Re: 802.1-AE not working with EX4300

‎03-29-2017 02:51 AM

I may have said things wrong. I am using 802.1x authentication on the switch. It works fine, and users get authenticated. I can see that both on the switch side and in the radius logs. When I try to add macsec on the interfaces that already use 802.1x authentication, the clients stop gaining network access. On the switch side I can see the user trying to authenticate. If I check the radius logs, I see that they get authenticated. So the radius gives the OK to the client, but somehow the client does not get it. I checked the packets with wireshark, and I get a failure after the EAP-TLS is being sent to the client.


Regards,

Alexandru


Re: 802.1-AE not working with EX4300

‎03-29-2017 02:58 AM

Which 802.1x supplicant are you using that supports MACSec?  Cisco Anyconnect?  I don't believe any of the major OSes (Windows 10, Mac OSX 10.10) have native support yet, except Linux with iproute2.

Ben Dale
JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher

Re: 802.1-AE not working with EX4300

‎03-29-2017 03:10 AM

Yes, the clients connecting are using Linux with iproute2, that's the reason we chose this approach.


Re: 802.1-AE not working with EX4300

‎03-29-2017 04:38 AM

Again, I would ask the same question - does MACSEC switch to client work without 802.1x involved?  You've proven 802.1x works without MACSEC, yes?


Only other option I see for you is to open a TAC case.  I know that for MACSEC client to switch, Cisco Anyconnect was used as the client SW, but I doubt if 802.1x was also tested with this combination.  I am not even sure Cisco Anyconnect with MACSEC enabled supports 802.1x at the same time - does it?  Have you tried this with say a Windows machine and does this work?


Re: 802.1-AE not working with EX4300

‎03-29-2017 07:42 AM

I never tried macsec without 802.1x, because in the juniper documentation it clearly states that 802.1x is required in order for macsec to work, because a part of the 802.1x handshake (EAP) is being used to create the keys needed for the dynamic macsec profile.


Macsec without 802.1x only works in static mode, meaning we have to manually create the keys on both switch and host side, but the client's requirement is with dynamic key assignment.


Re: 802.1-AE not working with EX4300

‎03-29-2017 08:09 AM

OK, and I now understand.  I think the only way you make any progress is via a TAC case.


Good luck.


Re: 802.1-AE not working with EX4300

‎03-29-2017 06:59 PM

Hi Alexandru


2 things I would want you to confirm


1) Does Dot1x work fine as standalone >>>> Yes as you have mentioned in the trailing mails.

2) MACSEC works without Dot1x also.


Please use this config for macsec below and check.


Switch A


root@labtestmacsecurity# ...|display set |match security
set security macsec connectivity-association ca1 security-mode static-cak
set security macsec connectivity-association ca1 replay-protect replay-window-size 5
set security macsec connectivity-association ca1 pre-shared-key ckn 37c9c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2cd9fe311
set security macsec connectivity-association ca1 pre-shared-key cak "$9$BusRylvWLX-VuOclvMXxHq.PFn/9p0ORn6lKWLVboJGjmf69AuBItpIcylLXHq.f36tuO1Ick.fzn/tpxN-Vwgik.PTzbs"
set security macsec interfaces ge-0/1/0 connectivity-association ca1


Switch B


{master:0}[edit]
root@switchB# ...security |display set
set security macsec connectivity-association ca1 security-mode static-cak
set security macsec connectivity-association ca1 replay-protect replay-window-size 5
set security macsec connectivity-association ca1 pre-shared-key ckn 37c9c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2cd9fe311
set security macsec connectivity-association ca1 pre-shared-key cak "$9$BusRylvWLX-VuOclvMXxHq.PFn/9p0ORn6lKWLVboJGjmf69AuBItpIcylLXHq.f36tuO1Ick.fzn/tpxN-Vwgik.PTzbs"
set security macsec interfaces ge-0/0/0 connectivity-association ca1


Thanks

Partha 
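As an added example that is not part of this thread: the Linux host-side counterpart to the static-CAK switch configuration above, for the iproute2-based clients the thread describes. MKA on Linux is handled by wpa_supplicant (driver macsec_linux), not by iproute2 alone, so the host needs the same pre-shared CKN/CAK and replay window as the switch. The CKN is the one from the switch config; the CAK value and the interface name are assumed placeholders, since the thread shows the CAK only in Junos-encrypted form.

```shell
#!/bin/sh
# Added example (not from the thread): Linux host side of a static-CAK MACsec
# session, to pair with the switch config above. MKA on Linux is done by
# wpa_supplicant (driver macsec_linux); iproute2 alone only installs static SAKs.
# CKN copied from the switch config; CAK and interface name are PLACEHOLDERS.
CKN="37c9c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2cd9fe311"
CAK="00112233445566778899aabbccddeeff"   # PLACEHOLDER: must equal the switch CAK
IFACE="eth0"                              # assumed host interface facing the switch

# MKA needs a 128- or 256-bit CAK and a CKN of 1..32 bytes, both as hex strings.
# Returns 0 when both are well-formed, 1 otherwise. A malformed or mismatched
# key shows up on the switch as MKA never reaching the secured state.
check_mka_keys() {
    cak="$1"; ckn="$2"
    case "$cak" in ""|*[!0-9a-fA-F]*) return 1;; esac
    case "$ckn" in ""|*[!0-9a-fA-F]*) return 1;; esac
    [ "${#cak}" -eq 32 ] || [ "${#cak}" -eq 64 ] || return 1
    [ "${#ckn}" -le 64 ] && [ $((${#ckn} % 2)) -eq 0 ] || return 1
    return 0
}

# Emit a wpa_supplicant network block mirroring the switch side:
# pre-shared CAK (no EAP), MACsec with encryption, replay window of 5.
mka_psk_conf() {
    cat <<EOF
network={
    key_mgmt=NONE
    eapol_flags=0
    macsec_policy=1
    macsec_integ_only=0
    macsec_replay_protect=1
    macsec_replay_window=5
    mka_cak=$1
    mka_ckn=$2
}
EOF
}

# Apply only when explicitly requested (run as root): write the config,
# start MKA on the interface, then inspect the resulting SecY and SAs.
if [ "${MACSEC_APPLY:-0}" = "1" ]; then
    check_mka_keys "$CAK" "$CKN" || { echo "bad CAK/CKN"; exit 1; }
    mka_psk_conf "$CAK" "$CKN" > /etc/wpa_supplicant/macsec.conf
    wpa_supplicant -B -i "$IFACE" -D macsec_linux -c /etc/wpa_supplicant/macsec.conf
    ip macsec show
fi
```

Once MKA completes, `ip macsec show` lists a macsec device with a transmit SA and a receive SA for the switch; if the switch side sits in must-secure and the session never establishes, compare the CKN/CAK and replay settings on both ends first.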
