The following table describes the key management modes in MACsec.
Keying | Explanation | SR OS support | Where used |
---|---|---|---|
Static Secure Association Key (SAK) | Manually configures each node with a static SAK using CLI or NSP. | N/A | Switch to switch |
Static Connectivity Association Key (CAK) preshared key | Uses dynamic MACsec Key Agreement (MKA) and uses a configured pre-shared key to derive the CAK. The CAK encrypts the SAK between two peers and authenticates the peers. | Supported | Switch to switch |
Dynamic CAK EAP Authentication | Uses dynamic MKA and an EAP Master System Key (MSK) to derive the CAK. The CAK encrypts the SAK between two peers and authenticates the peers. | Not Supported | Switch to switch |
Dynamic CAK MSK Distribution via RADIUS and EAP-TLS | MSKs are stored in the RADIUS server and distributed to the hosts via EAP-TLS. This is typically used in access networks where there are a large number of hosts using MACsec and connecting to an access switch. MKA uses MSK to derive the CAK. The CAK encrypts the SAK between 2 peers and authenticates the peers. | Not Supported | Host to switch |