- Preface
- Product Overview
- Command-Line Interfaces
- Configuring the Switch for the First Time
- Administering the Switch
- Configuring Virtual Switching Systems
- Programmability
- Configuring the Cisco IOS In-Service Software Upgrade Process
- Configuring the Cisco IOS XE In Service Software Upgrade Process
- Configuring Interfaces
- Checking Port Status and Connectivity
- Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 6-E and Supervisor Engine 6L-E
- Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 7-E, Supervisor Engine 7L-E, and Supervisor Engine 8-E
- Configuring Cisco NSF with SSO Supervisor Engine Redundancy
- Environmental Monitoring and Power Management
- Configuring Power over Ethernet
- Configuring Cisco Network Assistant
- Configuring VLANs, VTP, and VMPS
- Configuring IP Unnumbered Interface
- Configuring Layer 2 Ethernet Interfaces
- Configuring EVC-Lite
- Configuring SmartPort Macros
- Configuring Cisco IOS Auto Smartport Macros
- Configuring STP and MST
- Configuring Flex Links and MAC Address-Table Move Update
- Configuring Resilient Ethernet Protocol
- Configuring Optional STP Features
- Configuring EtherChannel and Link State Tracking
- Configuring IGMP Snooping and Filtering, and MVR
- Configuring IPv6 Multicast Listener Discovery Snooping
- Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling
- Configuring Cisco Discovery Protocol
- Configuring LLDP, LLDP-MED, and Location Service
- Configuring UDLD
- Configuring Unidirectional Ethernet
- Configuring Layer 3 Interfaces
- Configuring Cisco Express Forwarding
- Configuring Unicast Reverse Path Forwarding
- Configuring IP Multicast
- Configuring ANCP Client
- Configuring Bidirectional Forwarding Detection
- Configuring Campus Fabric
- Configuring Policy-Based Routing
- Configuring VRF-lite
- Configuring Quality of Service
- Configuring AVC with DNS-AS
- Configuring Voice Interfaces
- Configuring Private VLANs
- Configuring MACsec Encryption
- Configuring 802.1X Port-Based Authentication
- X.509v3 Certificates for SSH Authentication
- Configuring the PPPoE Intermediate Agent
- Configuring Web-Based Authentication
- Configuring Wired Guest Access
- Configuring Auto Identity
- Configuring Port Security
- Configuring Auto Security
- Configuring Control Plane Policing and Layer 2 Control Packet QoS
- Configuring Dynamic ARP Inspection
- Configuring the Cisco IOS DHCP Server
- Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts
- DHCPv6 Options Support
- Configuring Network Security with ACLs
- Support for IPv6
- Port Unicast and Multicast Flood Blocking
- Configuring Storm Control
- Configuring SPAN and RSPAN
- Configuring ERSPAN
- Configuring Wireshark
- Configuring Enhanced Object Tracking
- Configuring System Message Logging
- Onboard Failure Logging (OBFL)
- Configuring SNMP
- Configuring NetFlow-lite
- Configuring Flexible NetFlow
- Configuring Ethernet OAM and CFM
- Configuring Y.1731 (AIS and RDI)
- Configuring Call Home
- Configuring Cisco IOS IP SLA Operations
- Configuring RMON
- Performing Diagnostics
- Configuring WCCP Version 2 Services
- Configuring MIB Support
- Configuring Easy Virtual Networks
- ROM Monitor
- Acronyms and Abbreviations
- Index
Configuring MACsec Encryption
This chapter describes how to configure Media Access Control Security (MACsec) encryption on the Catalyst 4500 series switch.
MACsec is the IEEE 802.1AE standard for authenticating and encrypting packets between two MACsec-capable devices. The Catalyst 4500 series switch supports 802.1AE encryption with MACsec Key Agreement (MKA) on downlink ports for encryption between the switch and host devices. The switch also supports MACsec link layer switch-to-switch security by using Cisco TrustSec Network Device Admission Control (NDAC) and the Security Association Protocol (SAP) key exchange. Link layer security can include both packet authentication between switches and MACsec encryption between switches (encryption is optional).
Note
MACsec is supported on the Catalyst 4500 series switch universal k9 image. It is not supported with the NPE license or with a LAN Base service image.
All downlink ports on a switch can run Cisco TrustSec MACsec link layer switch-to-switch security.
|
|
|
|
|---|---|---|
Cisco TrustSec and Cisco SAP are meant only for switch-to-switch links and are not supported on switch ports connected to end hosts, such as PCs or IP phones. MKA is supported on both switch-to-host facing links, and switch-to-switch links as well. Host-facing links typically use flexible authentication ordering for handling heterogeneous devices with or without IEEE 802.1X, and can optionally use MKA encryption. Cisco NDAC and SAP are mutually exclusive with Network Edge Access Topology (NEAT), which is used for compact switches to extend security outside the wiring closet.
This chapter includes the following major sections:
- Understanding Media Access Control Security and MACsec Key Agreement
- Configuring MACsec and MACsec Key Agreement
- Understanding MKA MACsec with EAP-TLS
- Understanding Cisco TrustSec MACsec
- Configuring Cisco TrustSec MACsec
Note For more information, refer to the Cisco TrustSec Switch Configuration Guide:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html
For complete syntax and usage information for the switch commands used in this chapter, see the
Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch.
If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference , you can locate it in the Cisco IOS Master Command List, All Releases.
Understanding Media Access Control Security
and MACsec Key Agreement
MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks by using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the required encryption keys. MKA and MACsec are implemented after successful authentication using the 802.1X Extensible Authentication Protocol (EAP) and EAP-Transport Layer Security (EAP-TLS) framework. MKA MACsec supports both host facing links (links between network access devices and endpoint devices such as a PC or IP phone) and switch-to-switch links, beginning in Cisco IOS Release 15.2(5)E and Cisco IOS XE Release 3.9.0E.
A switch using MACsec accepts either MACsec or non-MACsec frames, depending on the policy associated with the client. MACsec frames are encrypted and protected with an integrity check value (ICV). When the switch receives frames from the client, it decrypts them and calculates the correct ICV by using session keys provided by MKA. The switch compares that ICV to the ICV within the frame. If they are not identical, the frame is dropped. The switch also encrypts and adds an ICV to any frames sent over the secured port (the access point used to provide the secure MAC service to a client) using the current session key.
The MKA Protocol manages the encryption keys used by the underlying MACsec protocol. The basic requirements of MKA are defined in 802.1X-2010. The MKA Protocol extends 802.1X to allow peer discovery with confirmation of mutual authentication and sharing of MACsec secret keys to protect data exchanged by the peers.
Pre-shared keys (PSKs) are used to generate Connectivity Association Keys (CAKs). In symmetric cryptography, PSK means a key or a shared secret. This key is shared between parties before it is used. The PSK is used to generate the Key Encryption Key (KEK) and the integrity check value (ICV) Key (ICK).
Note PSK supports encryption using AES-GCM-128 encryption only and does not support AES-GCM-256.
In a switch-to-switch connection using the PSK, there is no concept of the authenticator, because of the EAP authentication on the switch. So the switch with highest priority becomes the Key Server (KS). In the current implementation, MKA can act as a non-KS without much change, except for accepting the PSK instead of the CAK.
The EAP framework implements MKA as a newly defined EAP-over-LAN (EAPOL) packet. EAP authentication produces a master session key (MSK) shared by both partners in the data exchange. Entering the EAP session ID generates a secure connectivity association key name (CKN). Because the switch is the authenticator, it is also the key server, generating a random 128-bit secure association key (SAK), which it sends it to the client partner. The client is never a key server and can only interact with a single MKA entity, the key server. After key derivation and generation, the switch sends periodic transports to the partner at a default interval of 2 seconds.
The CAK and CKN will be derived from the configured PSK name and value
The packet body in an EAPOL Protocol Data Unit (PDU) is referred to as a MACsec Key Agreement PDU (MKPDU). MKA sessions and participants are deleted when the MKA lifetime (6 seconds) passes with no MKPDU received from a participant. For example, if a client disconnects, the participant on the switch continues to operate MKA until 6 seconds have elapsed after the last MKPDU is received from the client.
These sections provide more details:
- MKA Policies
- Key Lifetime and Hitless Key Rollover
- Encryption Algorithms for MKA Control Packets
- Virtual Ports
- MACsec
- MACsec, MKA, and 802.1X Host Modes
- MKA Statistics
MKA Policies
By default, the MKA protocol default policy is enabled on an interface. However, you can apply a defined MKA policy to an interface. Removing the MKA policy configures the default MKA policy on that interface.
You can configure these options:
- Policy name, not to exceed 16 ASCII characters.
- Confidentiality (encryption) offset of 0, 30, or 50 bytes for each physical interface.
- Replay protection. You can configure MACsec window size, as defined by the number of out-of-order frames that are accepted. This value is used while installing the security associations in the MACsec. A value of 0 means that frames are accepted only in the correct order.
Note MKA is not supported in the Virtual Switching System (VSS) mode.
Key Lifetime and Hitless Key Rollover
A MACsec key chain (MKA) can have multiple pre-shared keys (PSKs) each configured with a key ID and an optional lifetime. A key lifetime specifies the time period the key is valid. In the absence of a lifetime configuration, the default lifetime is unlimited. MKA rolls over to the next configured valid pre-shared key in the key chain, when a valid key expires. Time zone of the key can be local or UTC. Default time zone is UTC.
MKA rolls over to the next configured valid pre-shared key in the key chain, when a valid key expires.
Use the key chain key-chain-name macsec to configure the MACsec key chain.
To roll over to the next key within the same key chain, configure a second key in the key chain, and a lifetime for the first key. When the lifetime of the first key expires, it automatically rolls over to the next key in the list. If the same key is configured on both sides of the link at the same time, then the key rollover is hitless, that is, key rolls over without traffic interruption.
Note The lifetime of the keys need to be overlapped to achieve hitless key rollover.
Encryption Algorithms for MKA Control Packets
Cryptographic algorithm selection for MKA control protocol packets encryption is as follows:
- The cryptographic algorithm to encrypt MKA control protocol packets is configured as part of the key chain. There can be only one cryptographic algorithm configured per key chain.
- A key server uses the configured MKA cryptographic algorithm from the key chain.
- All nonkey servers must use the same cryptographic algorithm as the key server.
If an MKA cryptographic algorithm is not configured, a default cryptographic algorithm of AES-CMAC-128 (Cipher-based Message Authentication Code with 128-bit Advanced Encryption Standard) is used.
The following is a sample encryption algorithm for data packets:
Switch(config-mka-policy)# macsec-cipher-suite gcm-aes-128
The following is a sample encryption algorithm for MKA control packets:
Switch(config)# key chain key-chain-name macsec
Switch (config-keychain-macsec)# key 01
Switch (config-keychain-macsec-key)# key-string 0001
Switch (config-keychain-macsec-key)# cryptographic-algorithm [ aes-128-cmac | aes-256-cmac ]
Virtual Ports
You use virtual ports for multiple secured connectivity associations on a single physical port. Each connectivity association (pair) represents a virtual port, with a maximum of two virtual ports per physical port. Only one of the two virtual ports can be part of a data VLAN; the other must externally tag its packets for the voice VLAN. You cannot simultaneously host secured and unsecured sessions in the same VLAN on the same port. Because of this limitation, 802.1X multiple authentication mode is not supported.
The exception to this limitation is in multiple-host mode when the first MACsec supplicant is successfully authenticated and connected to a hub that is connected to the switch. A non-MACsec host connected to the hub can send traffic without authentication because it is in multiple-host mode. We do not recommend using multi-host mode because after the first successful client, authentication is not required for other clients.
Virtual ports represent an arbitrary identifier for a connectivity association and have no meaning outside the MKA Protocol. A virtual port corresponds to a separate logical port ID. Valid port IDs for a virtual port are 0x0002 to 0xFFFF. Each virtual port receives a unique secure channel identifier (SCI) based on the MAC address of the physical interface concatenated with a 16-bit port ID.
MACsec
A Catalyst 4500 series switch supervisor running MACsec maintains the configuration files that show which ports on the switch support MACsec. The supervisor-engine performs these functions:
MACsec, MKA, and 802.1X Host Modes
You can use MACsec and the MKA Protocol with 802.1X single-host mode, multiple-host mode, or Multi Domain Authentication (MDA) mode.
Single-Host Mode
MACsec in Single-Host Mode with a Secured Data Session shows how a single EAP authenticated session is secured by MACsec using MKA.
Figure 48-1 MACsec in Single-Host Mode with a Secured Data Session
Multiple-Host Mode
In standard (not 802.1X-2010) 802. multiple-host mode, a port is open or closed based on a single authentication. If one user, the primary secured client services client host, is authenticated, the same level of network access is provided to any host connected to the same port. If a secondary host is a MACsec supplicant, it cannot be authenticated and traffic would no flow. A secondary host that is a non-MACsec host can send traffic to the network without authentication because it is in multiple-host mode. See .
Figure 48-2 MACsec in Standard Multiple-Host Mode - Unsecured
We do not recommend using multi-host mode because after the first successful client, authentication is not required for other clients, which is not secure.
MKA Statistics
Some MKA counters are aggregated globally, while others are updated both globally and per session. You can also obtain information about the status of MKA sessions.
This is an example of the show mka statistics command output:
For description of the output fields, see the command reference for this release.
Configuring MACsec and MACsec Key Agreement
- Default MKA MACsec Configuration
- Configuring an MKA Policy
- Configuring MACsec on an Interface
- Configuring MKA Pre-Shared Key
Default MKA MACsec Configuration
MACsec is disabled. No MACsec Key Agreement (MKA) policies are configured.
Configuring an MKA Policy
To create an MKA Protocol policy, perform this task. Note that MKA also requires that you enable 802.1X.
This example configures the MKA policy relay-policy :
Let's say that we configure an MKA policy as follows:
- The payload starting from the SA (source MAC address) + 50 bytes offset is encrypted.
- Replay protect is YES with a window size of 1000. If the frame received has a packet number (PN) of 1020, for example, all frames with a PN of 20 to 1020 can come out of order (i.e, frame with PN 900 can come first and frame with PN 800 can come later). However, if a frame with a PN of 1021 is received first, followed by a frame with a PN of 20, the frame with PN of 20 is dropped. In this scenario, the expected PN is 1022 and the window size is 1000, so the acceptable PN number is anything greater than or equal to (expected PN - window size) = 22. So, any frame with PN < 22 is dropped.
By default, the MKA protocol default policy is enabled on an interface, if no MKA policies are applied. All the values in the policy (such as confidentiality,offset, and replay protection) take the default values. For example,
Configuring MACsec on an Interface
To configure MACsec on an interface with one MACsec session for voice and one for data, perform this task:
This is an example of configuring and verifying MACsec on an interface:
Configuring MKA Pre-Shared Key
To configure MACsec Key Agreement (MKA) pre-shared key, perform this task:
This example shows how to configure MKA pre-shared key:
Example: Connectivity Association Key Rekey
The connectivity Association Key (CAK) is a long-lived master key that is used to generate all other keys needed for MKA/MACsec.
The CAK rekey happens in the following cases:
- When moving from Key 01 to Key 02 within the Key Chain K1.
- When moving from one Key Chain K1 to another Key Chain K2.
Note We recommend that you configure keys such that there is an overlap between the lifetime of the keys so that CAK rekey is successful and there is a seamless transition between the keys/CA (without any traffic loss or session restart.)
Understanding MKA MACsec with EAP-TLS
Beginning in Cisco IOS XE Release 3.9.0E, MKA MACsec is supported on switch-to-switch links on Cisco Catalyst 4500-X series switches and Cisco Catalyst 4500-E series switches with Supervisor Engine 8-E.
Using IEEE 802.1X Port-based Authentication with Extensible Authentication Protocol (EAP-TLS), you can configure MKA MACsec between device uplink ports. EAP-TLS allows mutual authentication and obtains an MSK (master session key) from which the connectivity association key (CAK) is derived for MKA operations. Device certificates are carried, using EAP-TLS, for authentication to the AAA server.
Note MKA MACsec is not supported on multi-point to multi-point links.
Prerequisites for MKA MACsec with EAP-TLS
- Ensure that you have a Certificate Authority (CA) server configured for your network.
- Generate a CA certificate.
- We recommend that you configure Cisco Identity Services Engine (ISE) Release 2.0.
- Ensure that both the participating devices, the CA server, and Cisco Identity Services Engine (ISE) are synchronized using Network Time Protocol (NTP).
- Ensure that 802.1x authentication and AAA are configured on your device.
Limitations for MKA MACsec with EAP-TLS
Understanding Certificate Enrollment
Certificate enrollment is the process of obtaining a certificate from a Certificate Authority (CA). Each end host that wants to participate in the Cisco IOS public key infrastructure (PKI) must obtain a certificate. Certificate enrollment occurs between the end host requesting the certificate and the CA. The figure below and the following steps describe the certificate enrollment process.
1. The end host generates an RSA key pair.
2. The end host generates a certificate request and forwards it to the CA.
3. The CA receives the certificate enrollment request, and, depending on your network configuration, one of the following options occurs:
– Manual intervention is required to approve the request.
– The end host is configured to automatically request a certificate from the CA. Thus, operator intervention is no longer required at the time the enrollment request is sent to the CA server.
Note If you configure the end host to automatically request certificates from the CA, you should have an additional authorization mechanism.
4. After the request is approved, the CA signs the request with its private key and returns the completed certificate to the end host.
5. The end host writes the certificate to a storage area such as NVRAM.
Generating RSA Key Pairs
To generate RSA key pairs, perform this task:
Configuring Enrollment using SCEP
Simple Certificate Enrollment Protocol (SCEP) is a Cisco-developed enrollment protocol that uses HTTP to communicate with the certificate authority (CA) or registration authority (RA). SCEP is the most commonly used method for sending and receiving requests and certificates.
Configuring Manual Enrollment
If your CA does not support SCEP or if a network connection between the router and CA is not possible. Perform the following task to set up manual certificate enrollment:
Ensure that you enroll both the participating devices and the RADIUS server to the PKI infrastructure.
For more information on PKI configuration, see the Public Key Infrastructure Configuration Guide .
Configuring MKA MACsec Using EAP-TLS
To configure MACsec with MKA on point-to-point links, perform these tasks:
Configuring EAP-TLS and 802.1x Credentials
To configure EAP-TLS and 802.1x credentials, perform the following task:
Configuring an Authentication Policy
To configure an authentication policy, perform the following task:
Applying the 802.1x and MKA MACsec Configuration on Interfaces
To apply 801.1x and MKA MACsec using EAP-TLS to interfaces, perform the following task:
Example: MKA MACsec Switch-to-Switch Configuration
Understanding Cisco TrustSec MACsec
Table 48-2 summarizes the Cisco TrustSec features supported on the switch. For more detailed explanations, see the Cisco TrustSec Switch Configuration Guide:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/arch_over.html#wp1054561
When both ends of a link support 802.1AE MACsec, SAP negotiation occurs. An EAPOL-key exchange occurs between the supplicant and the authenticator to negotiate a cipher suite, exchange security parameters, and manage keys. Successful completion of these tasks results in the establishment of a security association (SA).
Depending on your software version and licensing and link hardware support, SAP negotiation can use one of these modes of operation:
- Galois Counter Mode (GCM)—authentication and encryption
- GCM authentication (GMAC)— GCM authentication, no encryption
- No Encapsulation—no encapsulation (clear text)
- Null—encapsulation, no authentication or encryption
Cisco TrustSec uses AES-128 GCM and GMAC and is compliant with the 802.1AE standard. GCM is not supported on switches running the NPE or the LAN Base image.
Cisco TrustSec NDAC SAP is supported on trunk ports because it is intended only for network device to network device links, that is, switch-to-switch links. It is not supported on:
- Host facing access ports (these ports support MKA MACsec)
- Switch virtual interfaces (SVIs)
- SPAN destination ports
The switch also does not support security group ACLs.
You must set the Cisco TrustSec credentials to create the Cisco TrustSec network.
You can configure Cisco TrustSec link layer security in 802.1X mode or manual mode.
Configuring Cisco TrustSec MACsec
Following topics are discussed:
- Configuring Cisco TrustSec Credentials on the Switch
- Configuring Cisco TrustSec Switch-to-Switch Link Security in 802.1X Mode
- Configuring Cisco TrustSec Switch-to-Switch Link Security in Manual Mode
- Cisco TrustSec Switch-to-Switch Link Security Configuration Example
Note The sample configuration in the last section shows the AAA and the RADIUS configuration. Use this example to configure RADIUS and AAA before configuring switch-to-switch security.
Configuring Cisco TrustSec Credentials on the Switch
To enable Cisco TrustSec features, you must create Cisco TrustSec credentials on the switch to use in other TrustSec configurations.
To configure Cisco TrustSec credentials, perform this task:
To delete the Cisco TrustSec credentials, enter the clear cts credentials privileged EXEC command.
This example shows how to create Cisco TrustSec credentials:
Note Before you configure Cisco TrustSec MACsec authentication, you should configure Cisco TrustSec seed and non-seed devices. For 802.1X mode, you must configure at least one seed device, that device closest to the access control system (ACS). See this section in the Cisco TrustSec Switch Configuration Guide:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html
Configuring Cisco TrustSec Switch-to-Switch Link Security in 802.1X Mode
You enable Cisco TrustSec link layer switch-to-switch security on an interface that connects to another Cisco TrustSec device. When configuring Cisco TrustSec in 802.1X mode on an interface, follow these guidelines:
- To use 802.1X mode, you must globally enable 802.1X on each device.
- If you select GCM as the SAP operating mode, you must have a MACsec encryption software license from Cisco.
Note MACsec is supported on the Catalyst 4500 series switch universal k9 image. It is not supported with the NPE license or with a LAN Base service image.
If you select GCM without the required license, the interface is forced to a link-down state.
To configure Cisco TrustSec switch-to-switch link layer security with 802.1X, perform this task:
This example shows how to enable Cisco TrustSec authentication in 802.1X mode on an interface using GCM as the preferred SAP mode:
Configuring Cisco TrustSec Switch-to-Switch Link Security in Manual Mode
If your switch does not have access to an authentication server or if 802.1X authentication is not needed, you can manually configure Cisco TrustSec on an interface. You must manually configure the interface on each end of the connection.
When manually configuring Cisco TrustSec on an interface, consider these usage guidelines and restrictions:
- If no SAP parameters are defined, neither encryption nor MACsec Encapsulation are performed.
- If you select GCM as the SAP operating mode, you must have a MACsec Encryption software license from Cisco. If you select GCM without the required license, the interface is forced to a link-down state.
- These protection levels are supported when you configure SAP pairwise master key ( sap pmk):
– SAP is not configured—no protection.
– sap mode-list gcm-encrypt gmac no-encap —protection desirable but not mandatory.
– sap mode-list gcm-encrypt gmac— confidentiality preferred and integrity required. The protection is selected by the supplicant according to supplicant preference.
– sap mode-list gmac —integrity only.
– sap mode-list gcm-encrypt —confidentiality required.
– sap mode-list gmac gcm-encrypt —integrity required and preferred, confidentiality optional.
To manually configure Cisco TrustSec on an interface to another Cisco TrustSec device, perform this task:
This example shows how to configure Cisco TrustSec authentication in manual mode on an interface:
Cisco TrustSec Switch-to-Switch Link Security Configuration Example
This example shows the configuration necessary for a seed and non-seed device for Cisco TrustSec switch-to-switch security. You must configure the AAA and RADIUS for link security. In this example, ACS-1 through ACS-3 can be any server names and cts-radius is the Cisco TrustSec server.
Switch(config)# aaa new-model
Switch(config)# aaa group server radius cts-radius
Switch(config-sg-radius)# server name ACS-1
Switch(config-sg-radius)# server name ACS-2
Switch(config-sg-radius)# server name ACS-3
Switch(config-sg-radius)# exit
Switch(config)# aaa authentication login default none
Switch(config)# aaa authentication dot1x default group cts-radius
Switch(config)# aaa authentication network cts-radius group radius
Switch(config)# aaa session-id common
Switch(config)# cts authorization list cts-radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface gi1/1/2
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# cts dot1x
Switch(config-if-cts-dot1x)# sap mode-list gcm-encrypt gmac
Switch(config-if-cts-dot1x)#exit
Switch(config-if)# exit
Switch(config)# interface gi1/1/4
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# cts manual
Switch(config-if-cts-dot1x)# sap pmk 033445AABBCCDDEEFF mode-list gcm-encrypt gmac
Switch(config-if-cts-dot1x)# no propagate sgt
Switch(config-if-cts-dot1x)# exit
Switch(config-if)# exit
Switch(config)# radius-server vsa send authentication
Switch(config)# end
Switch(config-if)# shutdown
Switch(config-if)# shutdown
Switch(config-if-cts-dot1x)# no propagate sgt
Feedback