Listing 1: MACsec downlink to end device

! AAA must be enabled before the RADIUS server group and method lists are configured
aaa new-model
!
! RADIUS servers for 802.1X; the shared secret shown is a sample value
radius server macsec1
 address ipv4 192.0.2.1 auth-port 1812 acct-port 1813
 key t0ps3cr3t
!
radius server macsec2
 address ipv4 192.0.2.2 auth-port 1812 acct-port 1813
 key t0ps3cr3t
!
aaa group server radius macsec
 server name macsec1
 server name macsec2
!
aaa authentication dot1x default group macsec
aaa authorization network default group macsec
aaa accounting dot1x default start-stop group macsec
!
dot1x system-auth-control
!
mka policy ITA_MKA
 key-server priority 100
 macsec-cipher-suite gcm-aes-128
 confidentiality-offset 0
 replay-protection window-size 10
!
interface GigabitEthernet2/0/1
 description ITA_MACsec_Client
 switchport mode access
 switchport access vlan 10
 macsec
 authentication host-mode multi-auth
 authentication order dot1x
 authentication port-control auto
 dot1x pae authenticator
 ! must-secure: the port passes traffic only once a MACsec session is established
 authentication linksec policy must-secure
 mka policy ITA_MKA
 spanning-tree portfast

Listing 2: MACsec uplink to switch

! Pre-shared CAK for the switch-to-switch link; the key-string shown is a sample value
! with 32 hex digits. Cisco's MACsec documentation specifies a 64-hex-digit key-string
! for aes-256-cmac and a 32-hex-digit key-string for aes-128-cmac.
key chain ITA macsec
 key 1000
  cryptographic-algorithm aes-256-cmac
  key-string 12345678911234567890123456789012
!
mka policy ITA_MKA_Switch
 key-server priority 100
 macsec-cipher-suite gcm-aes-256
 confidentiality-offset 30
!
interface TenGigabitEthernet1/0/1
 description ITA_MACsec_Client
 switchport mode trunk
 macsec network-link
 mka policy ITA_MKA_Switch
 mka pre-shared-key key-chain ITA
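A pre-deployment check for the pre-shared key in Listing 2, added here as an example and not part of the original listings: it reads "key chain ... macsec" stanzas and compares the key-string length with the key size the cryptographic-algorithm implies (32 hex digits for aes-128-cmac, 64 for aes-256-cmac). The function names and the embedded sample, which is the key chain from Listing 2 written one command per line, are assumptions of this example.

```python
import re

# Hex digits a plaintext CAK needs per algorithm (128-bit = 32, 256-bit = 64).
EXPECTED_HEX_LEN = {"aes-128-cmac": 32, "aes-256-cmac": 64}
# Constructed sample: the key chain from Listing 2, one command per line.
SAMPLE_CONFIG = """\
key chain ITA macsec
 key 1000
  cryptographic-algorithm aes-256-cmac
  key-string 12345678911234567890123456789012
!
"""

def parse_macsec_keys(config):
    """Return one dict per key found inside 'key chain <name> macsec' stanzas."""
    keys, chain, current = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"key chain (\S+) macsec", line):
            chain, current = m.group(1), None
        elif not raw.startswith(" "):
            chain, current = None, None  # unindented line: stanza has ended
        elif chain and (m := re.fullmatch(r"key (\S+)", line)):
            current = {"chain": chain, "id": m.group(1), "algorithm": None, "cak": None}
            keys.append(current)
        elif current and (m := re.fullmatch(r"cryptographic-algorithm (\S+)", line)):
            current["algorithm"] = m.group(1)
        elif current and (m := re.fullmatch(r"key-string (?:0 )?(\S+)", line)):
            current["cak"] = m.group(1)  # type 6/7 (encrypted) strings do not match
    return keys

def lint_macsec_keys(config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for k in parse_macsec_keys(config):
        label = f"key chain {k['chain']} key {k['id']}"
        want = EXPECTED_HEX_LEN.get(k["algorithm"])
        if want is None:
            findings.append(f"{label}: unknown or missing cryptographic-algorithm")
        elif k["cak"] is None:
            findings.append(f"{label}: no plaintext key-string to check")
        elif not re.fullmatch(r"[0-9a-fA-F]+", k["cak"]):
            findings.append(f"{label}: key-string is not hexadecimal")
        elif len(k["cak"]) != want:
            findings.append(f"{label}: {k['algorithm']} expects {want} hex digits, got {len(k['cak'])}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_macsec_keys(SAMPLE_CONFIG)) or "no findings")
```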