Exam 350-401 topic 1 question 301 discussion

MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks by using out-ofband methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the required encryption keys. MKA and MACsec are implemented after successful authentication using the 802.1x Extensible Authentication Protocol (EAP-TLS) or Pre Shared Key (PSK) framework.

A is partially correct in describing the use of MKA protocol to negotiate encryption keys, but the key is not necessarily based on the primary session key from a successful 802.1X session

Do not focus only to host-switch Macsec. The Media Access Control Security (MACsec) standard is the IEEE 802.1AE standard for authenticating and encrypting packets between two MACsec-capable devices. So macsec could be also used between two switches. So D is correct

A is correct

Answer D here is simple and to the point. Answer A has a lot of variables that allow for it to be incorrect. For one MACsec does not require 802.1x. Another point is that 802.1x is used to exchange the Master Session Key, not the primary session key. Although A seems correct, there's too many statements being made that can be picked apart, whereas I don't see how you could argue against D.

Answer A is correct IE switches support Pairwise Master Key (PMK) Security Association Protocol (SAP) based support for MACsec to interconnect links between the switches. The PMK keys can be either derived statically from the switch configuration (manual mode) or derived from the RADIUS server during dot1X negotiation (dynamic mode). Manual mode does not support switch-to-host MACsec connections because SAP is a Cisco proprietary protocol. The MACsec Key Agreement (MKA) enables configuration and control of keying parameters. MKA MACsec is supported on switch-to-switch links. Using IEEE 802.1X Port-based uthentication with Extensible Authentication Protocol (EAP-TLS), you can configure MKA MACsec between device ports. EAP-TLS allows mutual authentication and obtains an MSK (master session key) from which the connectivity association key (CAK) is derived for MKA protocol. Device certificates are carried, using EAP-TLS, for authentication to the AAA server.

A is 100% correct In summary, 802.1AE (MACsec) focuses on securing data at the link layer by providing encryption for frames on wired Ethernet networks. On the other hand, 802.1X is concerned with controlling access to the network by authenticating and authorizing devices attempting to connect to it. While they serve different purposes, they can be complementary, with 802.1X handling access control and authentication and 802.1AE providing an additional layer of security by encrypting data at the link layer.

Media Access Control Security (MACsec) is the IEEE 802.1AE standard for authenticating and encrypting packets between two MACsec-capable devices. https://www.cisco.com/c/en/us/td/docs/switches/lan/cisco_ie4010/software/release/15-2_4_EC/configuration/guide/scg-ie4010_5000/swmacsec.pdf

Per text Jheax and following link: https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/www.cisco.com/content/en/us/td/docs/switches/lan/catalyst4500/XE3-8-0E/15-24E/configuration/guide/xe-380-configuration/swmacsec.html.xml

MacSec offers no authentication. 802.1X does. A is the answer.

Man, this is another one of those, both A and B are correct in my opinion based on the information here https://tinyurl.com/MACsec-topic, but it feels like A is the better answer.

According to the link https://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Security/MACsec/WP-High-Speed-WAN-Encrypt-MACsec.pdf