There are four main key management modes in MACsec. Table 1 describes these management modes.

Keying | Explanation | SR OS support | Where used |
---|---|---|---|
Static SAK | Manually configures each node with a static SAK, SAM, or CLI | | Switch to switch |
Static CAK pre-shared key | Uses a dynamic MACsec Key Management (MKA) and uses a configured pre-shared key to derive the CAK. The CAK encrypts the SAK between two peers and authenticates the peers | ✓ | Switch to switch |
Dynamic CAK EAP authentication | Uses a dynamic MKA and an EAP Master System Key (MSK) to derive the CAK. The CAK encrypts the SAK between two peers and authenticates the peers | | Switch to switch |
Dynamic CAK MSK distribution via RADIUS and EAP-TLS | Stores the MSKs in the RADIUS server and distributes them to the hosts via EAP-TLS. This is typically used in access networks where a large number of hosts use MACsec and connect to an access switch. MKA uses the MSK to derive the CAK. The CAK encrypts the SAK between two peers and authenticates the peers | | Host to switch |
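
The table states that the CAK both protects the SAK and authenticates the peers; the sketch below shows how in static-CAK mode: a key-encrypting key (KEK) and an integrity key (ICK) are derived from the CAK, the KEK wraps the SAK, and the ICK authenticates the message. This is an added example, not Nokia or SR OS code: it follows the KDF and AES Key Wrap usage of IEEE 802.1X-2010, needs the third-party `cryptography` package, and its function names, key values and simplified message layout are constructed for illustration.

```python
# Added example: MKA key hierarchy in static-CAK (pre-shared key) mode.
# KDF layout per IEEE 802.1X-2010; keys and the "MKPDU" layout are constructed samples.
import hmac
from cryptography.hazmat.primitives.cmac import CMAC
from cryptography.hazmat.primitives.ciphers import algorithms
from cryptography.hazmat.primitives.keywrap import aes_key_wrap, aes_key_unwrap

ICV_LEN = 16  # AES-CMAC tag length in bytes


def aes_cmac(key, msg):
    mac = CMAC(algorithms.AES(key))
    mac.update(msg)
    return mac.finalize()


def kdf(key, label, context, bits):
    """Counter-mode KDF: block i = CMAC(key, i | label | 0x00 | context | bits)."""
    out = b""
    for i in range(1, (bits + 127) // 128 + 1):
        out += aes_cmac(key, bytes([i]) + label + b"\x00" + context
                        + bits.to_bytes(2, "big"))
    return out[: bits // 8]


def derive_kek_ick(cak, ckn):
    """KEK wraps the SAK, ICK authenticates MKPDUs; both come from the CAK."""
    key_id = ckn[:16].ljust(16, b"\x00")  # first 16 octets of the CKN, zero padded
    bits = len(cak) * 8
    return (kdf(cak, b"IEEE8021 KEK", key_id, bits),
            kdf(cak, b"IEEE8021 ICK", key_id, bits))


def key_server_send(cak, ckn, sak, body):
    """Key server side: wrap the SAK under the KEK, append an ICV under the ICK."""
    kek, ick = derive_kek_ick(cak, ckn)
    frame = body + aes_key_wrap(kek, sak)  # RFC 3394 wrap adds 8 bytes
    return frame + aes_cmac(ick, frame)


def peer_receive(cak, ckn, frame, sak_len=16):
    """Peer side: check the ICV first, then unwrap. Returns the SAK or None."""
    kek, ick = derive_kek_ick(cak, ckn)
    data, icv = frame[:-ICV_LEN], frame[-ICV_LEN:]
    if not hmac.compare_digest(aes_cmac(ick, data), icv):
        return None  # sender does not hold the same CAK, or the frame was altered
    return aes_key_unwrap(kek, data[-(sak_len + 8):])
```

A peer configured with a different pre-shared key derives a different ICK, so the ICV check fails and the wrapped SAK is never unwrapped.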