MACsec applications
MACsec supports the following application modes:
Client-oriented mode—Secures data transmission between the client and the access device. The client can be a user terminal seeking access to the LAN or a device that supports the 802.1X client feature. In this mode, the authentication server generates and distributes the CAK to the client and the access device. In this mode, MACsec must operate with 802.1X authentication.
Figure 156: Client-oriented mode
![[NOTE: ]](images/note.png) | NOTE: In client-oriented mode, an MKA-enabled port on the access device must perform port-based 802.1X access control. The authentication method must be EAP relay. | |
Device-oriented mode—Secures data transmission between devices. Unlike the client-oriented mode, in this mode, the devices do not perform identity authentication, and the same preshared key must be configured on the MACsec ports that connect the devices. The devices use the configured preshared key as the CAK.
Figure 157: Device-oriented mode
