The MIB module for managing the Port Access Entity (PAE)
functions of IEEE 802.1X (Revision of 802.1X-2004).
The PAE functions managed are summarized in Figure 12-3 of
IEEE 802.1X and include EAPOL PACP support for authentication
(EAP Supplicant and/or Authenticator), MACsec Key Agreement
(MKA), EAPOL, and transmission and reception of network
The following acronyms and definitions are used in this MIB.
AN : Association Number, a number that is concatenated with a
MACsec Secure Channel Identifier to identify a Secure
Announcer : EAPOL-Announcement transmission functionality.
Authenticator : An entity that facilitates authentication of
other entities attached to the same LAN.
CA : secure Connectivity Association: A security relationship,
established and maintained by key agreement protocols, that
comprises a fully connected subset of the service access
points in stations attached to a single LAN that are to be
supported by MACsec.
CAK : secure Connectivity Association Key, a secret key
possessed by members of a given CA.
CKN : secure Connectivity Association Key Name (CKN), a text
that identifies a CAK.
Common Port : An instance of the MAC Internal Sublayer Service
used by the SecY or PAC to provide transmission and
reception of frames for both the Controlled and
Controlled Port : The access point used to provide the secure
MAC Service to a client of a PAC or SecY.
CP state machine : Controlled Port state machine is capable of
controlling a SecY or a PAC. The CP supports
interoperability with unauthenticated systems that are not
port-based network access control capable, or that lack
MKA. When the access controlled port is supported by a
SecY, the CP is capable of controlling the SecY so as to
provide unsecured connectivity to systems that implement a
EAP : Extensible Authentication Protocol, RFC3748.
EAPOL : EAP over LANs.
KaY : Key Agreement Entity, a PAE entity responsible for MKA.
Key Server : Elected by MKA, to transport a succession of SAKs,
for use by MACsec, to the other member(s) of a CA.
KMD : Key Management Domain, a string identifying systems that
share cached CAKs.
Listener : The role is to receive the network announcement
parameters in the authentication process.
Logon Process : The Logon Process is responsible for the
managing the use of authentication credentials, for
initiating use of the PAE's Supplicant and or Authenticator
functionality, for deriving CAK, CKN tuples from PAE
results, for maintaining PSKs (Pre-Sharing Keys), and for
managing MKA instances. In the absence of successful
authentication, key agreement, or support for MAC Security,
the Logon Process determines whether the CP state machine
should provide unauthenticated connectivity or
authenticated but unsecured connectivity.
MKA : MACsec Key Agreement protocol allows PAEs, each
associated with a port that is an authenticated member of a
secure connectivity association (CA) or a potential CA, to
discover other PAEs attached to the same LAN, to confirm
mutual possession of a CAK and hence to prove a past mutual
authentication, to agree the secret keys (SAKs) used by
MACsec for symmetric shared key cryptography, and to ensure
that the data protected by MACsec has not been delayed.
MKPDU : MACsec Key Agreement Protocol Data Unit.
MPDU : MAC Protocol Data Unit.
NID : Network Identity, a UTF-8 string identifying an network
or network service.
PAE : Port Access Entity, the protocol entity associated with a
Port. It can support the protocol functionality
associated with the Authenticator, the Supplicant, or
PAC : Port Access Controller, a protocol-less shim that
provides control over frame transmission and reception by
clients attached to its Controlled Port, and uses the MAC
Service provided by a Common Port. The access control
decision is made by the PAE, typically taking into
account the success or failure of mutual authentication
and authorization of the PAE's peer(s), and is
communicated by the PAE using the LMI to set the PAC's
Controlled Port enabled/disable. Two different interfaces
'Controlled Port' and 'Uncontrolled Port', are associated
with a PAC, and that for each instance of a PAC, two
ifTable rows (one for each interface) run on top of an
ifTable row representing the 'Common Port' interface,
such as a row with ifType = 'ethernetCsmacd(6)'.
For example :
| | |
| Controlled Port | Uncontrolled Port |
| Interface | Interface |
| (ifEntry = j) | (ifEntry = k) |
| (ifType = | (ifType = |
| macSecControlledIF(231)) | macSecUncontrolledIF(232))|
| | |
| Physical Interface |
| (ifEntry = i) |
| (ifType = ethernetCsmacd(6)) |
i, j, k are ifIndex to indicate
an interface stack in the ifTable.
Figure : PAC Interface Stack
The 'Controlled Port' is the service point to provide one
instance of the secure MAC service in a PAC. The
'Uncontrolled Port' is the service point to provide one
instance of the insecure MAC service in a PAC.
PACP : Port Access Controller Protocol.
Port Identifier : A 16-bit number that is unique within the
scope of the address of the port.
Real Port : Indicates the PAE is for a real port. A port that
is not created on demand by the mechanisms specified in
this standard, but that can transmit and receive frames for
one or more virtual ports.
SC : Secure Channel, a security relationship used to provide
security guarantees for frames transmitted from one member
of a CA to the others. An SC is supported by a sequence of
SAs thus allowing the periodic use of fresh keys without
terminating the relationship.
SA : Secure Association, a security relationship that provides
security guarantees for frames transmitted from one member
of a CA to the others. Each SA is supported by a single
secret key, or a single set of keys where the cryptographic
operations used to protect one frame require more than one
SAK : Secure Association key, the secret key used by an SA.
SCI : Secure Channel Identifier, a globally unique identifier
for a secure channel, comprising a globally unique MAC
Address and a Port Identifier, unique within the system
allocated that address.
secured connectivity : Data transfer between two or 'Controlled
Ports' that is protected by MACsec.
SecY : MAC Security Entity, the entity that operates the MAC
Security protocol within a system.
Supplicant : An entity at one end of a point-to-point LAN
segment that seeks to be authenticated by an Authenticator
attached to the other end of that link.
Suspension: Temporary suspension of MKA operation to facilitate
in-service control plane software upgrades without
disrupting existing secure connectivity.
Uncontrolled Port : The access point used to provide the
insecure MAC Service to a client of a SecY or PAC.
Virtual Port : Indicates the PAE is for a virtual port. A MAC
Service or Internal Sublayer service access point that is
created on demand. Virtual ports can be used to provide
separate secure connectivity associations over the same