MACsec key management modes

There are four main, key management modes in MACsec. Table 1 describes these management modes.

Table 1. MACsec key management modes
Keying Explanation SR OS support Where used

Static SAK

Manually configures each node with a static SAK, SAM, or CLI

Switch to switch

Static CAK PRE SHARED KEY

Uses a dynamic MACsec Key Management (MKA) and uses a configured pre shared key to drive the CAK.

The CAK encrypts the SAK between two peers and authenticates the peers

Switch to switch

Dynamic CAK EAP Authentication

Uses a dynamic MKA and an EAP Master System Key (MSK) to drive the CAK.

The CAK encrypts the SAK between two peers and authenticates the peers

Switch to switch

Dynamic CAK MSK distribution via RADIUS and EAP-TLS

Stores the MSKs in the Radius server and distributes to the hosts via EAP-TLS. This is typically used in the access networks where a large number of hosts use MACsec and connect to an access switch.

MKA uses MSK to drive the CAK. The CAK encrypts the SAK between 2 peers and authenticates the peers

Host to switch