MACsec
Media Access Control security (MACsec) secures each switch-to-switch link by encrypting all network traffic within an Ethernet LAN.
You can either use the pre-shared key (PSK) mode or the dynamic connectivity association key (CAK) mode.
For the PSK mode, you specify the CAK and the connectivity association name (CKN) for the PSK in the MACsec profile and then apply the profile to a switch port.
For the dynamic-CAK mode, you use a port access entity (PAE) to allow the interface to act as a supplicant or an authenticator:
- When the interface acts as a supplicant, the PAE requests authentication from the RADIUS server before the interface can be accessed.
- When the interface acts as an authenticator, the PAE enforces the authentication, which is provided by the RADIUS server, before the interface can be accessed.
The RADIUS server generates the master session key (MSK), and the CAK is derived from the MSK. You can use the same MACsec profile for both the supplicant and the authenticator.
To apply a MACsec profile to a port, you need to specify the port and MACsec profile, set the port security mode to macsec, and select the MACsec PAE mode:
- If you want to use the PSK mode, select none because you do not need the PAE.
- If you want to use the dynamic-CAK mode, select supp to have the PAE request authentication from the RADIUS server before the interface can be accessed, or select auth to have the PAE enforce authentication before the interface can be accessed.
Notes:
- SNMP is not supported.
- The port-security-mode must be set to macsec for each interface that you want to apply MACsec to.
- The MACsec profile must be applied at the port level.
- FortiSwitchOS supports PSK mode and dynamic-CAK mode. Static secure association key (SAK) mode is not supported.
- The FS-5xxD models only support the GCM-AES-128 cipher suite.
Configuring PSK-mode MACsec
To configure PSK-mode MACsec:
- Create the MACsec profile.
- Apply the MACsec profile to a port.
To create a MACsec profile for PSK mode:
config switch macsec profile
    edit <MACsec_profile_name>
        set cipher_suite {GCM-AES-128 | GCM-AES-256 | GCM-AES-XPN-128 | GCM-AES-XPN-256}
        set confident-offset {0 | 30 | 50}
        set encrypt-traffic {enable | disable}
        set include-macsec-sci {enable | disable}
        set include-mka-icv-ind enable
        set macsec-mode static-cak
        set macsec-validate strict
        set mka-priority <0-255>
        set replay-protect {enable | disable}
        set replay-window <0-16777215>
        set status {enable | disable}
        config mka-psk
            edit <pre-shared key name>
                set crypto-alg AES_128_CMAC
                set mka-cak <string>
                set mka-ckn <string>
                set status active
            next
        end
        config traffic-policy
            edit <traffic_policy_name>
                set security-policy must-secure
                set status enable
            next
        end
    next
end
Variable | Description | Default
<MACsec_profile_name> | Enter a name for the MACsec profile. | No default
cipher_suite {GCM-AES-128 | GCM-AES-256 | GCM-AES-XPN-128 | GCM-AES-XPN-256} | Select which cipher suite to use for encryption. | GCM-AES-128
confident-offset {0 | 30 | 50} | Select the number of bytes for the MACsec traffic confidentiality offset. Selecting 0 means that all of the MACsec traffic is encrypted. Selecting 30 or 50 bytes means that the first 30 or 50 bytes of MACsec traffic are not encrypted. | 0
encrypt-traffic {enable | disable} | Enable or disable whether MACsec traffic is encrypted. | enable
include-macsec-sci {enable | disable} | Enable or disable whether to include the MACsec transmit secure channel identifier (SCI). | enable
include-mka-icv-ind enable | The MACsec Key Agreement (MKA) integrity check value (ICV) indicator is always included. | enable
macsec-mode static-cak | Select the static-CAK mode. | static-cak
macsec-validate strict | The MACsec validation is always strict. | strict
mka-priority <0-255> | Enter the MACsec MKA priority. | 255
replay-protect {enable | disable} | Enable or disable MACsec replay protection. MACsec replay protection drops packets that arrive out of sequence, depending on the replay-window value. | disable
replay-window <0-16777215> | Enter the number of packets for the MACsec replay window size. If two packets arrive with the difference between their packet identifiers more than the replay window size, the most recent packet of the two is dropped. The range is 0-16777215 packets. Enter 0 to ensure that all packets arrive in order without any repeats. | 32
status {enable | disable} | Enable or disable this MACsec profile. | enable
config mka-psk | Configure the MACsec MKA pre-shared key. |
<pre-shared key name> | Enter a name for this MACsec MKA pre-shared key configuration. | No default
crypto-alg AES_128_CMAC | Only the AES_128_CMAC algorithm is available for encrypting the pre-shared key. | AES_128_CMAC
mka-cak <string> | Enter the string of hexadecimal digits for the connectivity association key (CAK). The string can be up to 32 bytes long. | No default
mka-ckn <string> | Enter the string of hexadecimal digits for the connectivity association name (CKN). The string can be 1 to 64 bytes long. | No default
status active | The status of the pre-shared key pair is always active. | active
config traffic-policy | Configure the MACsec traffic policy. |
<traffic_policy_name> | Enter a name for this MACsec traffic policy. | No default
security-policy must-secure | The policy must secure traffic for MACsec. | must-secure
status enable | The status of this MACsec traffic policy is always enabled. | enable
For example:
config switch macsec profile
    edit "staticcak"
        set cipher_suite GCM-AES-128
        set confident-offset 0
        set encrypt-traffic enable
        set include-macsec-sci enable
        set include-mka-icv-ind enable
        set macsec-mode static-cak
        set macsec-validate strict
        set mka-priority 199
        config mka-psk
            edit "2"
                set crypto-alg AES_128_CMAC
                set mka-cak "0123456789ABCDEF0123456789ABCDEE"
                set mka-ckn "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333436"
                set status active
            next
        end
        set replay-protect disable
        set replay-window 32
        set status enable
        config traffic-policy
            edit "2"
                set security-policy must-secure
                set status enable
            next
        end
    next
end
To apply a PSK-mode MACsec profile to a port:
config switch interface
    edit <port_name>
        config port-security
            set port-security-mode macsec
            set macsec-pae-mode none
            set macsec-profile <MACsec_profile_name>
        end
    next
end
For example:
config switch interface
    edit port49
        set native-vlan 50
        set stp-state disabled
        set auto-discovery-fortilink enable
        set snmp-index 49
        config port-security
            set port-security-mode macsec
            set macsec-pae-mode none
            set macsec-profile "macsec_profile1"
        end
    next
end
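Added example (not part of the FortiSwitchOS documentation): a Python helper that generates a random CAK, checks a CAK/CKN pair against the limits given in the profile table above (hex digits, CAK up to 32 bytes, CKN 1 to 64 bytes, GCM-AES-128 only on FS-5xxD models), and renders the PSK-mode profile in the CLI syntax of this section. The profile and key names and the choice of replay-protect enable with replay-window 0 are assumptions made for the example.

```python
import re
import secrets

HEX = re.compile(r"^[0-9A-Fa-f]+$")

def new_cak(cak_bytes=16):
    """Fresh random CAK as hex digits; 16 bytes matches the page's 32-digit example."""
    return secrets.token_hex(cak_bytes).upper()

def validate_psk(cak, ckn):
    """Return a list of problems against the documented limits (empty means OK)."""
    problems = []
    for label, value, max_bytes in (("mka-cak", cak, 32), ("mka-ckn", ckn, 64)):
        if not HEX.match(value) or len(value) % 2:
            problems.append(f"{label}: must be a non-empty, even-length hex string")
        elif len(value) // 2 > max_bytes:
            problems.append(f"{label}: {len(value) // 2} bytes exceeds {max_bytes}")
    return problems

def render_psk_profile(profile, cak, ckn, cipher="GCM-AES-128", fs5xxd=False):
    """Render a PSK-mode (static-cak) profile in the switch CLI syntax shown above."""
    if fs5xxd and cipher != "GCM-AES-128":
        raise ValueError("FS-5xxD models only support GCM-AES-128")
    if problems := validate_psk(cak, ckn):
        raise ValueError("; ".join(problems))
    # replay-protect with window 0 is the strictest documented setting (in order, no repeats)
    return f'''config switch macsec profile
    edit "{profile}"
        set cipher_suite {cipher}
        set macsec-mode static-cak
        set macsec-validate strict
        set replay-protect enable
        set replay-window 0
        config mka-psk
            edit "{profile}-psk"
                set crypto-alg AES_128_CMAC
                set mka-cak "{cak}"
                set mka-ckn "{ckn}"
                set status active
            next
        end
        config traffic-policy
            edit "{profile}-policy"
                set security-policy must-secure
                set status enable
            next
        end
    next
end'''
```

Both ends of a link must be given the same CAK and CKN, so the rendered block is applied to the profile on each switch.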
Configuring dynamic-CAK MACsec
For the dynamic-CAK mode, you need to do the following before creating the MACsec profile:
- Specify the certificate authority (CA) for the MACsec CAK. This is used in the set eap-tls-ca-cert <CA_certificate> command in the MACsec profile.
- Import the client certificate to use for the MACsec CAK. This is used in the set eap-tls-cert <client_certificate> command in the MACsec profile.
- Configure the RADIUS server to use for the MACsec CAK. This is used in the set eap-tls-radius-server <name_of_RADIUS_server> command in the MACsec profile.
To specify the CA for the MACsec CAK:
config system certificate ca
    edit <CA_name>
    next
end
For example:
config system certificate ca
    edit "MACsec_CA"
    next
end
To import the client certificate to use for the MACsec CAK:
config system certificate local
    edit <certificate_name>
        set password <passwd>
    next
end
For example:
config system certificate local
    edit "MACsec_certificate"
        set password ENC jVXPqKiU35+clW0peV401S3G3y1wIKPnU0203VPqOou5bZn3uUGem6YUipSHPqME5Lb83KS9n9AmFHhIf6AkZgaiXBLSWcEczSk95MuZcAl/rS1fl3DIJZ1ev3scj35gANo7bZZq16n+ufqP1QIE2RcUBmqF/ctCdAUxn4BbUthahvj1
    next
end
To configure the RADIUS server used for MACsec CAK:
config user radius
    edit <RADIUS_server_name>
        set secret <server_password>
        set server <domain_ipv4_ipv6>
    next
end
For example:
config user radius
    edit "radiusserver"
        set secret ENC mAKp/cPwUvJktZnfY4aT3Xlz6n+hZEdhO1safouKrY2Vousxu9kGUGx9NEZWargxMQOfkF8GtVqjgrs0pGoS+dHZohqwK4HDtmHmoC9AYsgen9Vmzp1CI0N/5uMr+jjAHYFPdUdW6VBawCAGUeYtXOFL5l74Y5H+Q6zju3qqhE84DO0k
        set server "10.105.252.125"
    next
end
To create a MACsec profile for dynamic-CAK mode:
config switch macsec profile
    edit <MACsec_profile_name>
        set cipher_suite {GCM-AES-128 | GCM-AES-256 | GCM-AES-XPN-128 | GCM-AES-XPN-256}
        set confident-offset {0 | 30 | 50}
        set eap-tls-ca-cert <CA_certificate>
        set eap-tls-cert <client_certificate>
        set eap-tls-identity <name_of_client>
        set eap-tls-radius-server <name_of_RADIUS_server>
        set encrypt-traffic {enable | disable}
        set include-macsec-sci {enable | disable}
        set include-mka-icv-ind enable
        set macsec-mode dynamic-cak
        set macsec-validate strict
        set mka-priority <0-255>
        set replay-protect {enable | disable}
        set replay-window <0-16777215>
        set status {enable | disable}
        config mka-psk
            edit <pre-shared key name>
                set crypto-alg AES_128_CMAC
                set mka-cak <string>
                set mka-ckn <string>
                set status active
            next
        end
        config traffic-policy
            edit <traffic_policy_name>
                set security-policy must-secure
                set status enable
            next
        end
    next
end
Variable | Description | Default
<MACsec_profile_name> | Enter a name for the MACsec profile. | No default
cipher_suite {GCM-AES-128 | GCM-AES-256 | GCM-AES-XPN-128 | GCM-AES-XPN-256} | Select which cipher suite to use for encryption. | GCM-AES-128
confident-offset {0 | 30 | 50} | Select the number of bytes for the MACsec traffic confidentiality offset. Selecting 0 means that all of the MACsec traffic is encrypted. Selecting 30 or 50 bytes means that the first 30 or 50 bytes of MACsec traffic are not encrypted. | 0
eap-tls-ca-cert <CA_certificate> | Specify the certificate authority (CA) to use for the MACsec CAK. This option is available only when | No default
eap-tls-cert <client_certificate> | Select the client certificate that you imported for the MACsec CAK. This option is available only when | No default
eap-tls-identity <name_of_client> | Enter the name of the client for the MACsec CAK. This option is available only when | No default
eap-tls-radius-server <name_of_RADIUS_server> | Enter the name of the RADIUS server to use for the MACsec CAK. This option is available only when | No default
encrypt-traffic {enable | disable} | Enable or disable whether MACsec traffic is encrypted. | enable
include-macsec-sci {enable | disable} | Enable or disable whether to include the MACsec transmit secure channel identifier (SCI). | enable
include-mka-icv-ind enable | The MACsec Key Agreement (MKA) integrity check value (ICV) indicator is always included. | enable
macsec-mode dynamic-cak | Select the dynamic-CAK mode. | static-cak
macsec-validate strict | The MACsec validation is always strict. | strict
mka-priority <0-255> | Enter the MACsec MKA priority. | 255
replay-protect {enable | disable} | Enable or disable MACsec replay protection. MACsec replay protection drops packets that arrive out of sequence, depending on the replay-window value. | disable
replay-window <0-16777215> | Enter the number of packets for the MACsec replay window size. If two packets arrive with the difference between their packet identifiers more than the replay window size, the most recent packet of the two is dropped. The range is 0-16777215 packets. Enter 0 to ensure that all packets arrive in order without any repeats. | 32
status {enable | disable} | Enable or disable this MACsec profile. | enable
config mka-psk | Configure the MACsec MKA pre-shared key. |
<pre-shared key name> | Enter a name for this MACsec MKA pre-shared key configuration. | No default
crypto-alg AES_128_CMAC | Only the AES_128_CMAC algorithm is available for encrypting the pre-shared key. | AES_128_CMAC
mka-cak <string> | Enter the string of hexadecimal digits for the connectivity association key (CAK). The string can be up to 32 bytes long. | No default
mka-ckn <string> | Enter the string of hexadecimal digits for the connectivity association name (CKN). The string can be 1 to 64 bytes long. | No default
status active | The status of the pre-shared key pair is always active. | active
config traffic-policy | Configure the MACsec traffic policy. |
<traffic_policy_name> | Enter a name for this MACsec traffic policy. | No default
security-policy must-secure | The policy must secure traffic for MACsec. | must-secure
status enable | The status of this MACsec traffic policy is always enabled. | enable
For example:
config switch macsec profile
    edit "dynamiccak"
        set cipher_suite GCM-AES-128
        set confident-offset 0
        set eap-tls-ca-cert "MACsec_CA"
        set eap-tls-cert "MACsec_certificate"
        set eap-tls-identity "macsecclient"
        set eap-tls-radius-server "radiusserver"
        set encrypt-traffic enable
        set include-macsec-sci enable
        set include-mka-icv-ind enable
        set macsec-mode dynamic-cak
        set macsec-validate strict
        set mka-priority 215
        set replay-protect disable
        set replay-window 32
        set status enable
        config traffic-policy
            edit "trafficpolicy1"
                set security-policy must-secure
                set status enable
            next
        end
    next
end
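Added illustration (not from the page) of the receive-side replay check that the replay-protect and replay-window rows of both profile tables above describe. It models the IEEE 802.1AE rule that a frame is dropped when its packet number (PN) falls below nextPN minus the replay window; that FortiSwitchOS applies exactly this boundary is an assumption, and the PN sequences are constructed.

```python
class ReplayWindow:
    """Replay check for one MACsec receive secure association (802.1AE model)."""

    def __init__(self, replay_window):
        self.replay_window = replay_window
        self.next_pn = 1  # nextPN starts at 1; PN 0 is never used

    def accept(self, pn):
        """Return True if the frame passes the replay check; advances nextPN."""
        # Assumption: lowest acceptable PN = nextPN - replay_window, never below 1.
        lowest_acceptable = max(1, self.next_pn - self.replay_window)
        if pn < lowest_acceptable:
            return False  # too far behind (or a repeat when the window is 0)
        if pn >= self.next_pn:
            self.next_pn = pn + 1
        return True


def run(replay_window, arrivals):
    """Feed a constructed arrival order of PNs through the check; returns accepted PNs."""
    rx = ReplayWindow(replay_window)
    return [pn for pn in arrivals if rx.accept(pn)]


if __name__ == "__main__":
    # window 0: the repeated 3 and the late 2 are dropped (in order, no repeats)
    print(run(0, [1, 2, 3, 3, 4, 2]))
    # window 32: 68 is outside the window behind 100, but a repeat of 100 is accepted
    print(run(32, [1, 100, 68, 69, 100, 101]))
```

With replay-window 0 a repeated or out-of-order frame is dropped; with the default window of 32, a frame up to 32 behind the highest PN seen is still accepted, so a repeat inside the window passes the check.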
To apply a dynamic-CAK MACsec profile to a port that will act as the PAE supplicant:
config switch interface
    edit <port_name>
        config port-security
            set port-security-mode macsec
            set macsec-pae-mode supp
            set macsec-profile <MACsec_profile_name>
        end
    next
end
For example:
config switch interface
    edit "port25"
        set auto-discovery-fortilink enable
        set snmp-index 25
        config port-security
            set macsec-pae-mode supp
            set macsec-profile "dynamiccak"
            set port-security-mode macsec
        end
    next
end
To apply a dynamic-CAK MACsec profile to a port that will act as the PAE authenticator:
config switch interface
    edit <port_name>
        config port-security
            set port-security-mode macsec
            set macsec-pae-mode auth
            set macsec-profile <MACsec_profile_name>
        end
    next
end
For example:
config switch interface
    edit "port25"
        set auto-discovery-fortilink enable
        set snmp-index 25
        config port-security
            set macsec-pae-mode auth
            set macsec-profile "dynamiccak"
            set port-security-mode macsec
        end
    next
end
Viewing the MACsec details
To view the MACsec status for a specific port:
diagnose switch macsec status <port_name>
To view the MACsec traffic statistics for a specific port:
diagnose switch macsec statistics <port_name>
To view the creation and deletion of secure associations:
diagnose debug kernel level 8
Clearing the MACsec statistics
To clear all MACsec statistics on a single interface:
execute macsec clearstat interface <interface_name>
For example:
execute macsec clearstat interface port15
Resetting the MACsec session
To reset the MACsec session on a single interface on the server side or the client side:
execute macsec reset interface <interface_name>
For example:
execute macsec reset interface port15
Changing the link status
This command applies to the dynamic-CAK mode.
To change the link status and reset the MACsec session on a single interface for both the server side and the client side:
execute macsec toggle interface <interface_name>
For example:
execute macsec toggle interface port5