Configuring a preshared key

In device-oriented mode, configure a preshared key as the CAK to be used during MKA negotiation. To successfully establish an MKA session between two devices, make sure the connected MACsec ports are configured with the same preshared key.

A user-configured preshared key has higher priority than the 802.1X-generated CAK. To ensure a successful MKA session establishment, do not configure a preshared key in client-oriented mode.

To configure a preshared key:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Set a preshared key.	mka psk ckn name cak simple string	By default, no MKA preshared key exists. The MACsec cipher suite supported by the device requires that the CKN and CAK each must be 32 characters long. If the configured CKN or CAK is not 32 characters long, the system performs the following operations when it runs the cipher suite: Automatically increases the length of the CKN or CAK by zero padding if the CKN or CAK contains less than 32 characters. Uses only the first 32 characters if the CKN or CAK contains more than 32 characters.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter interface view.

interface interface-type interface-number

N/A

3. Set a preshared key.

mka psk ckn name cak simple string

By default, no MKA preshared key exists.

The MACsec cipher suite supported by the device requires that the CKN and CAK each must be 32 characters long. If the configured CKN or CAK is not 32 characters long, the system performs the following operations when it runs the cipher suite:

Automatically increases the length of the CKN or CAK by zero padding if the CKN or CAK contains less than 32 characters.
Uses only the first 32 characters if the CKN or CAK contains more than 32 characters.

prev	up	next
Enabling MACsec desire	home	Configuring the MKA key server priority