Administration Guide

MACsec

Media Access Control security (MACsec) secures each switch-to-switch link by encrypting all network traffic within an Ethernet LAN.

You can either use the pre-shared key (PSK) mode or the dynamic connectivity association key (CAK) mode.

For the PSK mode, you specify the CAK and the connectivity association name (CKN) for the PSK in the MACsec profile and then apply the profile to a switch port.

For the dynamic-CAK mode, you use a port access entity (PAE) to allow the interface to act as a supplicant or an authenticator:

  • When the interface acts as a supplicant, the PAE requests authentication from the RADIUS server before the interface can be accessed.

  • When the interface acts as an authenticator, the PAE enforces the authentication, which is provided by the RADIUS server, before the interface can be accessed.

The RADIUS server generates the master session key (MSK), and the CAK is derived from the MSK. You can use the same MACsec profile for both the supplicant and the authenticator.

To apply a MACsec profile to a port, you need to specify the port and MACsec profile, set the port security mode to macsec, and select the MACsec PAE mode:

  • If you want to use the PSK mode, select none because you do not need the PAE.

  • If you want to use the dynamic-CAK mode, select supp to have the PAE request authentication from the RADIUS server before the interface can be accessed or select auth to have the PAE enforce authentication before the interface can be accessed.

Notes:
  • SNMP is not supported.
  • The port-security-mode must be set to macsec for each interface that you want to apply MACsec to.
  • The MACsec profile must be applied at the port level.
  • FortiSwitchOS supports PSK mode and dynamic-CAK mode. Static secure association key (SAK) mode is not supported.

Configuring PSK-mode MACsec

To configure PSK-mode MACsec:
  1. Create the MACsec profile.
  2. Apply the MACsec profile to a port.

To create a MACsec profile for PSK mode:

config switch macsec profile
    edit <MACsec_profile_name>
        set cipher_suite GCM_AES_128
        set confident-offset {0 | 30 | 50}
        set encrypt-traffic {enable | disable}
        set include-macsec-sci {enable | disable}
        set include-mka-icv-ind enable
        set macsec-mode static-cak
        set macsec-validate strict
        set mka-priority <0-255>
        set replay-protect {enable | disable}
        set replay-window <0-16777215>
        set status {enable | disable}
        config mka-psk
            edit <pre-shared key name>
                set crypto-alg AES_128_CMAC
                set mka-cak <string>
                set mka-ckn <string>
                set status active
            next
        end
        config traffic-policy
            edit <traffic_policy_name>
                set security-policy must-secure
                set status enable
            next
        end
    next
end

Variables, descriptions, and defaults:

<MACsec_profile_name>
    Enter a name for the MACsec profile.
    Default: none

cipher_suite GCM_AES_128
    Only the GCM-AES-128 cipher suite is available currently for encryption.
    Default: GCM_AES_128

confident-offset {0 | 30 | 50}
    Select the number of bytes for the MACsec traffic confidentiality offset. Selecting 0 means that all of the MACsec traffic is encrypted. Selecting 30 or 50 bytes means that the first 30 or 50 bytes of MACsec traffic are not encrypted.
    Default: 0

encrypt-traffic {enable | disable}
    Enable or disable encryption of MACsec traffic.
    Default: enable

include-macsec-sci {enable | disable}
    Enable or disable including the MACsec transmit secure channel identifier (SCI).
    Default: enable

include-mka-icv-ind enable
    The MACsec Key Agreement (MKA) integrity check value (ICV) indicator is always included.
    Default: enable

macsec-mode static-cak
    Select the static-CAK mode.
    Default: static-cak

macsec-validate strict
    The MACsec validation is always strict.
    Default: strict

mka-priority <0-255>
    Enter the MACsec MKA priority.
    Default: 255

replay-protect {enable | disable}
    Enable or disable MACsec replay protection. MACsec replay protection drops packets that arrive out of sequence, depending on the replay-window value.
    Default: disable

replay-window <0-16777215>
    Enter the number of packets for the MACsec replay window size. If two packets arrive with the difference between their packet identifiers more than the replay window size, the most recent packet of the two is dropped. The range is 0-16777215 packets. Enter 0 to ensure that all packets arrive in order without any repeats.
    Default: 32

status {enable | disable}
    Enable or disable this MACsec profile.
    Default: enable

config mka-psk
    Configure the MACsec MKA pre-shared key.

<pre-shared key name>
    Enter a name for this MACsec MKA pre-shared key configuration.
    Default: none

crypto-alg AES_128_CMAC
    Only the AES_128_CMAC algorithm is available for encrypting the pre-shared key.
    Default: AES_128_CMAC

mka-cak <string>
    Enter the string of hexadecimal digits for the connectivity association key (CAK). The string can be up to 32 bytes long.
    Default: none

mka-ckn <string>
    Enter the string of hexadecimal digits for the connectivity association name (CKN). The string can be 1 to 64 bytes long.
    Default: none

status active
    The status of the pre-shared key pair is always active.
    Default: active

config traffic-policy
    Configure the MACsec traffic policy.

<traffic_policy_name>
    Enter a name for this MACsec traffic policy.
    Default: none

security-policy must-secure
    The policy must secure traffic for MACsec.
    Default: must-secure

status enable
    The status of this MACsec traffic policy is always enabled.
    Default: enable

For example:

config switch macsec profile
    edit "staticcak"
        set cipher_suite GCM_AES_128
        set confident-offset 0
        set encrypt-traffic enable
        set include-macsec-sci enable
        set include-mka-icv-ind enable
        set macsec-mode static-cak
        set macsec-validate strict
        set mka-priority 199
        config mka-psk
            edit "2"
                set crypto-alg AES_128_CMAC
                set mka-cak "0123456789ABCDEF0123456789ABCDEE"
                set mka-ckn "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333436"
                set status active
            next
        end
        set replay-protect disable
        set replay-window 32
        set status enable
        config traffic-policy
            edit "2"
                set security-policy must-secure
                set status enable
            next
        end
    next
end

To apply a PSK-mode MACsec profile to a port:

config switch interface
    edit <port_name>
        config port-security
            set port-security-mode macsec
            set macsec-pae-mode none
            set macsec-profile <MACsec_profile_name>
        end
    next
end

For example:

config switch interface
    edit port49
        set native-vlan 50
        set stp-state disabled
        set auto-discovery-fortilink enable
        set snmp-index 49
        config port-security
            set port-security-mode macsec
            set macsec-pae-mode none
            set macsec-profile "macsec_profile1"
        end
    next
end
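The replay-protect and replay-window settings in the profile above are a receive-side check on MACsec packet numbers. This Python simulation is an added example, not Fortinet code; it assumes the IEEE 802.1AE rule that a frame whose packet number is more than replay-window behind the highest accepted one is dropped, and it shows that only replay-window 0 also rejects a repeated frame that lands inside the window.

```python
"""Simulate the MACsec receive-side replay check that the replay-protect and
replay-window settings control. Added example, not Fortinet code."""
from dataclasses import dataclass, field


@dataclass
class ReplayCheck:
    replay_protect: bool
    replay_window: int
    next_pn: int = 1                      # next expected packet number (PN) on the SA
    accepted: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def receive(self, pn: int) -> bool:
        """Apply the 802.1AE rule: drop a frame whose PN is older than the window."""
        lowest_acceptable = max(1, self.next_pn - self.replay_window)
        if self.replay_protect and pn < lowest_acceptable:
            self.dropped.append(pn)
            return False
        self.accepted.append(pn)
        if pn >= self.next_pn:            # the window slides forward only on newer PNs
            self.next_pn = pn + 1
        return True


def run(arrivals, replay_protect, replay_window):
    """Feed an arrival sequence of PNs through one SA; return (accepted, dropped)."""
    check = ReplayCheck(replay_protect, replay_window)
    for pn in arrivals:
        check.receive(pn)
    return check.accepted, check.dropped


# Constructed arrival order: in-order frames, frame 4 arriving late (reordering),
# frame 3 seen a second time (a repeat inside the window), then a large jump and
# a stale frame 1 repeated well outside the window.
SAMPLE_ARRIVALS = [1, 2, 3, 5, 6, 4, 3, 7, 40, 1]

if __name__ == "__main__":
    for protect, window in ((False, 32), (True, 32), (True, 0)):
        acc, drop = run(SAMPLE_ARRIVALS, protect, window)
        print(f"replay-protect={'enable' if protect else 'disable'} "
              f"replay-window={window}: accepted={acc} dropped={drop}")
```

With replay-protect disabled every frame is accepted; with replay-window 32 the reordered frame 4 and the repeated frame 3 both pass and only the stale frame 1 is dropped; with replay-window 0 frames 4, 3 and 1 are all dropped.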

Configuring dynamic-CAK MACsec

For the dynamic-CAK mode, you need to do the following before creating the MACsec profile:

  • Specify the certificate authority (CA) for the MACsec CAK.

    This is used in the set eap-tls-ca-cert <CA_certificate> command in the MACsec profile.

  • Import the client certificate to use for the MACsec CAK.

    This is used in the set eap-tls-cert <client_certificate> command in the MACsec profile.

  • Configure the RADIUS server to use for MACsec CAK.

    This is used in the set eap-tls-radius-server <name_of_RADIUS_server> command in the MACsec profile.

To specify the CA for the MACsec CAK:

config system certificate ca
    edit <CA_name>
    next
end

For example:

config system certificate ca
    edit "MACsec_CA"
    next
end

To import the client certificate to use for the MACsec CAK:

config system certificate local
    edit <certificate_name>
        set password <passwd>
    next
end

For example:

config system certificate local
    edit "MACsec_certificate"
        set password ENC jVXPqKiU35+clW0peV401S3G3y1wIKPnU0203VPqOou5bZn3uUGem6YUipSHPqME5Lb83KS9n9AmFHhIf6AkZgaiXBLSWcEczSk95MuZcAl/rS1fl3DIJZ1ev3scj35gANo7bZZq16n+ufqP1QIE2RcUBmqF/ctCdAUxn4BbUthahvj1
    next
end

To configure the RADIUS server used for MACsec CAK:

config user radius
    edit <RADIUS_server_name>
        set secret <server_password>
        set server <domain_ipv4_ipv6>
    next
end

For example:

config user radius
    edit "radiusserver"
        set secret ENC mAKp/cPwUvJktZnfY4aT3Xlz6n+hZEdhO1safouKrY2Vousxu9kGUGx9NEZWargxMQOfkF8GtVqjgrs0pGoS+dHZohqwK4HDtmHmoC9AYsgen9Vmzp1CI0N/5uMr+jjAHYFPdUdW6VBawCAGUeYtXOFL5l74Y5H+Q6zju3qqhE84DO0k
        set server "10.105.252.125"
    next
end

To create a MACsec profile for dynamic-CAK mode:

config switch macsec profile
    edit <MACsec_profile_name>
        set cipher_suite GCM_AES_128
        set confident-offset {0 | 30 | 50}
        set eap-tls-ca-cert <CA_certificate>
        set eap-tls-cert <client_certificate>
        set eap-tls-identity <name_of_client>
        set eap-tls-radius-server <name_of_RADIUS_server>
        set encrypt-traffic {enable | disable}
        set include-macsec-sci {enable | disable}
        set include-mka-icv-ind enable
        set macsec-mode dynamic-cak
        set macsec-validate strict
        set mka-priority <0-255>
        set replay-protect {enable | disable}
        set replay-window <0-16777215>
        set status {enable | disable}
        config mka-psk
            edit <pre-shared key name>
                set crypto-alg AES_128_CMAC
                set mka-cak <string>
                set mka-ckn <string>
                set status active
            next
        end
        config traffic-policy
            edit <traffic_policy_name>
                set security-policy must-secure
                set status enable
            next
        end
    next
end

Variables, descriptions, and defaults:

<MACsec_profile_name>
    Enter a name for the MACsec profile.
    Default: none

cipher_suite GCM_AES_128
    Only the GCM-AES-128 cipher suite is available currently for encryption.
    Default: GCM_AES_128

confident-offset {0 | 30 | 50}
    Select the number of bytes for the MACsec traffic confidentiality offset. Selecting 0 means that all of the MACsec traffic is encrypted. Selecting 30 or 50 bytes means that the first 30 or 50 bytes of MACsec traffic are not encrypted.
    Default: 0

eap-tls-ca-cert <CA_certificate>
    Specify the certificate authority (CA) to use for the MACsec CAK. This option is available only when macsec-mode is set to dynamic-cak.
    Default: none

eap-tls-cert <client_certificate>
    Select the client certificate that you imported for the MACsec CAK. This option is available only when macsec-mode is set to dynamic-cak.
    Default: none

eap-tls-identity <name_of_client>
    Enter the name of the client for the MACsec CAK. This option is available only when macsec-mode is set to dynamic-cak.
    Default: none

eap-tls-radius-server <name_of_RADIUS_server>
    Enter the name of the RADIUS server to use for the MACsec CAK. This option is available only when macsec-mode is set to dynamic-cak.
    Default: none

encrypt-traffic {enable | disable}
    Enable or disable encryption of MACsec traffic.
    Default: enable

include-macsec-sci {enable | disable}
    Enable or disable including the MACsec transmit secure channel identifier (SCI).
    Default: enable

include-mka-icv-ind enable
    The MACsec Key Agreement (MKA) integrity check value (ICV) indicator is always included.
    Default: enable

macsec-mode dynamic-cak
    Select the dynamic-CAK mode.
    Default: static-cak

macsec-validate strict
    The MACsec validation is always strict.
    Default: strict

mka-priority <0-255>
    Enter the MACsec MKA priority.
    Default: 255

replay-protect {enable | disable}
    Enable or disable MACsec replay protection. MACsec replay protection drops packets that arrive out of sequence, depending on the replay-window value.
    Default: disable

replay-window <0-16777215>
    Enter the number of packets for the MACsec replay window size. If two packets arrive with the difference between their packet identifiers more than the replay window size, the most recent packet of the two is dropped. The range is 0-16777215 packets. Enter 0 to ensure that all packets arrive in order without any repeats.
    Default: 32

status {enable | disable}
    Enable or disable this MACsec profile.
    Default: enable

config mka-psk
    Configure the MACsec MKA pre-shared key.

<pre-shared key name>
    Enter a name for this MACsec MKA pre-shared key configuration.
    Default: none

crypto-alg AES_128_CMAC
    Only the AES_128_CMAC algorithm is available for encrypting the pre-shared key.
    Default: AES_128_CMAC

mka-cak <string>
    Enter the string of hexadecimal digits for the connectivity association key (CAK). The string can be up to 32 bytes long.
    Default: none

mka-ckn <string>
    Enter the string of hexadecimal digits for the connectivity association name (CKN). The string can be 1 to 64 bytes long.
    Default: none

status active
    The status of the pre-shared key pair is always active.
    Default: active

config traffic-policy
    Configure the MACsec traffic policy.

<traffic_policy_name>
    Enter a name for this MACsec traffic policy.
    Default: none

security-policy must-secure
    The policy must secure traffic for MACsec.
    Default: must-secure

status enable
    The status of this MACsec traffic policy is always enabled.
    Default: enable

For example:

config switch macsec profile
    edit "dynamiccak"
        set cipher_suite GCM_AES_128
        set confident-offset 0
        set eap-tls-ca-cert "MACsec_CA"
        set eap-tls-cert "MACsec_certificate"
        set eap-tls-identity "macsecclient"
        set eap-tls-radius-server "radiusserver"
        set encrypt-traffic enable
        set include-macsec-sci enable
        set include-mka-icv-ind enable
        set macsec-mode dynamic-cak
        set macsec-validate strict
        set mka-priority 215
        set replay-protect disable
        set replay-window 32
        set status enable
        config traffic-policy
            edit "trafficpolicy1"
                set security-policy must-secure
                set status enable
            next
        end
    next
end

To apply a dynamic-CAK MACsec profile to a port that will act as the PAE supplicant:

config switch interface
    edit <port_name>
        config port-security
            set port-security-mode macsec
            set macsec-pae-mode supp
            set macsec-profile <MACsec_profile_name>
        end
    next
end

For example:

config switch interface
    edit "port25"
        set auto-discovery-fortilink enable
        set snmp-index 25
        config port-security
            set macsec-pae-mode supp
            set macsec-profile "dynamiccak"
            set port-security-mode macsec
        end
    next
end

To apply a dynamic-CAK MACsec profile to a port that will act as the PAE authenticator:

config switch interface
    edit <port_name>
        config port-security
            set port-security-mode macsec
            set macsec-pae-mode auth
            set macsec-profile <MACsec_profile_name>
        end
    next
end

For example:

config switch interface
    edit "port25"
        set auto-discovery-fortilink enable
        set snmp-index 25
        config port-security
            set macsec-pae-mode auth
            set macsec-profile "dynamiccak"
            set port-security-mode macsec
        end
    next
end
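The PSK-mode and dynamic-CAK profiles above share the same settings apart from macsec-mode and the mka-psk or eap-tls-* entries, so one review check can cover both. The following Python audit is an added example, not Fortinet code; it parses the config/edit/set/next/end layout shown on this page and flags the settings a reviewer would question: encryption or replay protection off, a non-zero confidentiality offset, CAK/CKN lengths outside the documented limits, a dynamic-cak profile missing one of its eap-tls-* fields, and a traffic policy that is not must-secure. The sample input is constructed from the page's staticcak example plus an incomplete dynamic-cak profile.

```python
"""Audit a FortiSwitchOS 'config switch macsec profile' block for settings that weaken
MACsec. Added example, not Fortinet code; assumes the one-command-per-line CLI layout."""
import re
import shlex

HEX = re.compile(r"^[0-9A-Fa-f]+$")
EAP_TLS_KEYS = ("eap-tls-ca-cert", "eap-tls-cert", "eap-tls-identity", "eap-tls-radius-server")


def parse_profiles(text):
    """Return {profile_name: settings}; mka-psk and traffic-policy tables become nested dicts."""
    profiles, stack = {}, []            # stack holds the dict each open config/edit scope writes into
    for raw in text.splitlines():
        words = shlex.split(raw)        # shlex also strips the quotes around "staticcak" etc.
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            table = " ".join(args)
            stack.append(profiles if table == "switch macsec profile" else stack[-1].setdefault(table, {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif cmd in ("next", "end"):
            stack.pop()
    return profiles


def audit_profile(p):
    """Return the findings for one parsed profile; an empty list means nothing to flag."""
    findings = []
    if p.get("encrypt-traffic", "enable") != "enable":
        findings.append("encrypt-traffic disabled: frames are integrity-protected but sent in cleartext")
    if p.get("confident-offset", "0") != "0":
        findings.append(f"confident-offset {p['confident-offset']}: the first bytes of each frame stay unencrypted")
    if p.get("replay-protect", "disable") != "enable":       # documented default is disable
        findings.append("replay-protect disabled: reordered and replayed frames are accepted")
    if p.get("macsec-mode", "static-cak") == "static-cak":
        for name, psk in p.get("mka-psk", {}).items():
            cak, ckn = psk.get("mka-cak", ""), psk.get("mka-ckn", "")
            if not (HEX.match(cak) and len(cak) % 2 == 0 and 0 < len(cak) <= 64):
                findings.append(f"mka-psk {name}: mka-cak must be whole hex bytes, at most 32 bytes")
            if not (HEX.match(ckn) and len(ckn) % 2 == 0 and 2 <= len(ckn) <= 128):
                findings.append(f"mka-psk {name}: mka-ckn must be whole hex bytes, 1 to 64 bytes")
    else:
        for key in EAP_TLS_KEYS:                             # all four are needed for dynamic-cak
            if not p.get(key):
                findings.append(f"dynamic-cak mode without {key}")
    policies = p.get("traffic-policy", {})
    if not policies:
        findings.append("no traffic-policy configured")
    for name, tp in policies.items():
        if tp.get("security-policy") != "must-secure":
            findings.append(f"traffic-policy {name}: security-policy is not must-secure")
    return findings


def audit_config(text):
    """Map every profile name in the config text to its list of findings."""
    return {name: audit_profile(p) for name, p in parse_profiles(text).items()}


# Constructed sample: the page's "staticcak" example plus an incomplete dynamic-CAK profile.
SAMPLE_CONFIG = """
config switch macsec profile
    edit "staticcak"
        set confident-offset 0
        set encrypt-traffic enable
        set macsec-mode static-cak
        config mka-psk
            edit "2"
                set crypto-alg AES_128_CMAC
                set mka-cak "0123456789ABCDEF0123456789ABCDEE"
                set mka-ckn "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333436"
            next
        end
        set replay-protect disable
        config traffic-policy
            edit "2"
                set security-policy must-secure
            next
        end
    next
    edit "dyn_incomplete"
        set macsec-mode dynamic-cak
        set eap-tls-ca-cert "MACsec_CA"
        set encrypt-traffic disable
        set replay-protect enable
    next
end
"""
```

Run audit_config(SAMPLE_CONFIG): the page's own staticcak example gets exactly one finding (replay protection left at its disabled default), while the constructed dynamic-cak profile is flagged for cleartext traffic, three missing eap-tls-* fields and a missing traffic policy.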

Viewing the MACsec details

To view the MACsec status for a specific port:

diagnose switch macsec status <port_name>

To view the MACsec traffic statistics for a specific port:

diagnose switch macsec statistics <port_name>

To view the creation and deletion of secure associations:

diagnose debug kernel level 8

Clearing the MACsec statistics

To clear all MACsec statistics on a single interface:

execute macsec clearstat interface <interface_name>

For example:

execute macsec clearstat interface port15

Resetting the MACsec session

To reset the MACsec session on a single interface on the server side or the client side:

execute macsec reset interface <interface_name>

For example:

execute macsec reset interface port15

Changing the link status

This command applies to the dynamic-CAK mode.

To change the link status and reset the MACsec session on a single interface for both the server side and the client side:

execute macsec toggle interface <interface_name>

For example:

execute macsec toggle interface port5
