Wireless Access

last person joined: yesterday 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

MACSec information

This thread has been viewed 15 times

  • 1.  MACSec information

    EMPLOYEE
    Posted Jul 24, 2013 04:58 AM

    Hi,

     

    I see on the datasheet for the AP135 "MACSec authentication and encryption on Ethernet ports enable secure AP deployment by interoperating with the MACSec capability on Aruba Mobility Access Switches and other wiring closet equipment."

     

    However I've searched all the documentation for "macsec" and there is no mention of it.  Is this feature configurable or is it just plug and play with the AP135 and Aruba switch?  What about other switch vendors that support macsec and how do I configure it?

     

    Thanks



  • 2.  RE: MACSec information

    EMPLOYEE
    Posted Jul 24, 2013 08:19 AM

    Our switches have hardware support for MACSec but it isn't supported in our software...yet.



  • 3.  RE: MACSec information

    EMPLOYEE
    Posted Jul 24, 2013 10:41 AM

    Just to add to Seth's comments, the APs also just have hardware support for MACSec today. I've reached out to the PLM team to clarify the datasheet.

     

    If you'd like to see the software support implemented, I recommened submitting a request into the idea portal:

     

    https://arubanetworkskb.secure.force.com/cp/ideas/ideaList.apexp

     

    Best regards,

     

    Madani



  • 4.  RE: MACSec information

    EMPLOYEE
    Posted Jul 24, 2013 10:51 AM
    @madjali wrote:

    Just to add to Seth's comments, the APs also just have hardware support for MACSec today. I've reached out to the PLM team to clarify the datasheet.

     

    If you'd like to see the software support implemented, I recommened submitting a request into the idea portal:

     

    https://arubanetworkskb.secure.force.com/cp/ideas/ideaList.apexp

     

    Best regards,

     

    Madani

    Do you mean by 'hardware support' that just plug the AP135 into a MAS and MACSec is enabled between the two?

     

    What about using other switch vendors that support MACSec, as the data sheet suggests?

     

     



  • 5.  RE: MACSec information

    EMPLOYEE
    Posted Jul 24, 2013 10:52 AM

    Hardware support as in the chipset supports it, but it needs to be added to the code in order to function.



  • 6.  RE: MACSec information

    EMPLOYEE
    Posted Jul 24, 2013 10:58 AM

    It will not be plug and play.  Some config work will have to happen to enable MACSec on the port.  For example, on Cisco, the config looks like this:

     

    Switch(config)# interface GigabitEthernet1/0/25

    Switch(config-if)# switchport access vlan 10

    Switch(config-if)# switchport mode access

    Switch(config-if)# macsec

    Switch(config-if)# authentication event linksec fail action authorize vlan 2

    Switch(config-if)# authentication host-mode multi-domain
    Switch(config-if)# authentication linksec policy must-secure

    Switch(config-if)# authentication port-control auto

    Switch(config-if)# authentication violation protect

    Switch(config-if)# mka policy replay-policy

    Switch(config-if)# dot1x pae authenticator

    Switch(config-if)# spanning-tree portfast

    Switch(config-if)# end 



  • 7.  RE: MACSec information

    EMPLOYEE
    Posted Jul 24, 2013 11:00 AM
    And Tim is correct, the chipset on the AP supports MACSec but AOS does not support it yet from a software perspective.


  • 8.  RE: MACSec information

    EMPLOYEE
    Posted Jul 24, 2013 11:04 AM

    ok, thanks for that. 

     

    Bit naughty and misleading though given it's mentioned in the datasheet with the implication being that it works  !!!

     

    Any idea on the timeline for this feature?



  • 9.  RE: MACSec information

    EMPLOYEE
    Posted Jul 24, 2013 11:09 AM
    I apologize for the confusion. Our AP PLM is getting the datasheets adjusted to reflect future support for MACSec from a software perspective.

    I would recommend reaching out to your Partner SE or Aruba SE for details about roadmap.

    Best regards,

    Madani



  • 10.  RE: MACSec information

    Posted Nov 14, 2014 04:39 PM

    Hi Madani et al,

    I am new to Aruba's products, so am only now looking at these products (and their data sheets) for the first time.
    Am I correct in assuming that, because the datasheets do not explicitly state this functionality is still pending software implementation, at some point since this question was asked (c. 16 months ago) MACsec has been fully implemented?
    If so, could someone point me to documentation re how MACsec can be configured on these access points?
    Kind regards,
    Alan


  • 11.  RE: MACSec information

    EMPLOYEE
    Posted Nov 17, 2014 08:58 AM

    Alan,

    MACSec is not supported on the Access Point at this time. I would recommend requesting it via the Idea Portal.

     

    https://arubanetworkskb.secure.force.com/cp/ideas/ideaList.apexp

     

    Best regards,

     

    Madani