
Insurmountable compatibility MacSec IEEE 802.1AE problems AOS Switch to AOS-CX Switch

  • 1.  Insurmountable compatibility MacSec IEEE 802.1AE problems AOS Switch to AOS-CX Switch

    Posted Jan 18, 2024 06:27 AM

    Please advise, anyone with working switches?



    ------------------------------
    Steinar
    ------------------------------


  • 2.  RE: Insurmountable compatibility MacSec IEEE 802.1AE problems AOS Switch to AOS-CX Switch
    Best Answer

    Posted Jan 22, 2024 11:07 AM

    From CX manual:

    Specifies the CKN (Connectivity Association Key Name). Range: 1 to 64 hexadecimal characters

    Specifies the CAK (Connectivity Association Key) in plaintext. Range: 1 to 64 hexadecimal characters.

    AOS:

    Enter the CKN as a string of hexadecimal digits up to 32 characters long

    Enter the CAK as a string of hexadecimal digits up to 64 characters long

    This means that for the AOS the CAK limitation is 32 byte ascii/characters

    • Be aware some other settings may be accepted during input.

    i.e., a 34-character ASCII CAK will be silently truncated... to 32 characters

    i.e.:

    12345678901234567890123456789012

    and

    1234567890123456789012345678901234

    will both work, in AOS >< CX MacSec (on AOS side)

    as

    12345678901234567890123456789012

    on CX side will

    • So: stay with CKN/CAK 32/32 ascii/characters. (digits and letters)


    ------------------------------
    Steinar
    ------------------------------



  • 3.  RE: Insurmountable compatibility MacSec IEEE 802.1AE problems AOS Switch to AOS-CX Switch

    Posted Apr 11, 2024 04:04 AM

    Hi Steinar,

    I had the same problem.

    Adjusting the key server priority solved it for me.

    The AOS switch must be the key server.

    In my case, the AOS had a priority of 16 (show port-access mka status)

    (The default prio of the AOS-CX is 0)

    So I gave the AOS-CX the maximum priority of 255 (key-server-priority 255 (on the mka policy context))

    Best regards

    Robin
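
A pre-deployment check covering the two issues raised in this thread (the key-length limits in post 2 and the key server priority in post 3), added here as an example and not code from either poster or from HPE Aruba. The limits, the truncation to 32 characters and the requirement that the AOS switch be key server are taken from the posts as assumptions, and the function names are hypothetical.

```python
import string

# Limits in hex characters, as quoted or reported in the thread (assumptions here).
CX_MAX = 64         # AOS-CX manual: CKN and CAK are 1 to 64 hex characters
AOS_CKN_MAX = 32    # AOS: CKN up to 32 hex characters
AOS_CAK_KEPT = 32   # post 2: AOS silently truncates a longer CAK to 32 characters


def is_hex(value):
    return bool(value) and all(c in string.hexdigits for c in value)


def effective_cak_on_aos(cak):
    """CAK the AOS side would actually use, per the truncation reported in post 2."""
    return cak[:AOS_CAK_KEPT]


def check_mka_psk(ckn, cak, aos_prio, cx_prio):
    """Return findings for an AOS <-> AOS-CX link; an empty list means no issue found."""
    findings = []
    for name, value in (("CKN", ckn), ("CAK", cak)):
        if not is_hex(value):
            findings.append(f"{name}: must be non-empty hexadecimal")
        elif len(value) > CX_MAX:
            findings.append(f"{name}: {len(value)} chars exceeds the AOS-CX limit of {CX_MAX}")
    if len(ckn) > AOS_CKN_MAX:
        findings.append(f"CKN: {len(ckn)} chars exceeds the AOS limit of {AOS_CKN_MAX}")
    if effective_cak_on_aos(cak) != cak:
        # Never echo the key itself in a finding; report lengths only.
        findings.append(f"CAK: {len(cak)} chars, AOS would truncate to {AOS_CAK_KEPT}, "
                        "so the two sides end up with different keys")
    # MKA elects the key server with the numerically lowest priority;
    # post 3 reports the link only came up with the AOS switch as key server.
    if not aos_prio < cx_prio:
        findings.append(f"key server: AOS priority {aos_prio} must be lower than "
                        f"AOS-CX priority {cx_prio}")
    return findings


if __name__ == "__main__":
    key = "12345678901234567890123456789012"  # constructed sample from post 2
    print(check_mka_psk(key, key, aos_prio=16, cx_prio=255))       # no findings
    print(check_mka_psk(key, key + "34", aos_prio=16, cx_prio=0))  # two findings
```

Findings report lengths and priorities only, so the output can be pasted into a change ticket without exposing the CAK.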