sap (cts dot1x interface submode)

Cisco TrustSec Configuration Guide, Chapter 7: Cisco TrustSec Command Summary (OL-22192-01), page 7-70

Use the sap mode-list command to select the Security Association Protocol (SAP) authentication and
encryption modes to negotiate link encryption between two interfaces. Use the no form of the command
to remove a mode list and revert to the default.

    [no] sap mode-list {gcm-encrypt | gmac | no-encap | null} [gcm-encrypt | gmac | no-encap | null] ...

Syntax Description

    mode-list      Lists the advertised SAP authentication and encryption modes, prioritized from
                   highest to lowest.
    gcm-encrypt    Specifies GMAC authentication with GCM encryption.
    gmac           Specifies GMAC authentication only, with no encryption.
    no-encap       Specifies no encapsulation.
    null           Specifies that encapsulation is present, with no authentication and no encryption.

Defaults

The default mode list is sap mode-list gcm-encrypt null. When the peer interface does not support
dot1x, 802.1AE MACsec, or 802.REV layer-2 link encryption, the default encryption is null.

Command Modes

CTS dot1x interface submode (config-if-cts-dot1x)

Supported User Roles

Administrator

Command History

    Release             Modification
    12.2(50) SY         This command was introduced on the Catalyst 6500 Series Switches.
    IOS-XE 3.3.0 SG     This command was introduced on the Catalyst 4500 Series Switches.
    IOS 15.0(1) SE      This command was introduced on the Catalyst 3000 Series Switches.

Usage Guidelines

Use the sap mode-list command to specify the authentication and encryption method to use during
Dot1x authentication.

The Security Association Protocol (SAP) is an encryption key derivation and exchange protocol based
on a draft version of the IEEE 802.11i protocol. SAP is used to establish and maintain 802.1AE
link-to-link encryption (MACsec) between interfaces that support MACsec.

By the time the SAP exchange begins, following Dot1x authentication, both sides (supplicant and
authenticator) have already received the Pairwise Master Key (PMK) and the MAC address of the peer's
port from the Cisco Secure Access Control Server (Cisco Secure ACS). If 802.1X authentication is not
possible, SAP and the PMK can be configured manually between the two interfaces in CTS manual
configuration mode.

If a device is running CTS-aware software but the hardware is not CTS-capable, disallow encapsulation
with the sap mode-list no-encap command.
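The following interface configuration is an added illustration, not text from the configuration guide; the interface names are assumptions, and the submode is entered with the cts dot1x interface command. It contrasts a mode list that advertises null at highest priority with one that prefers gcm-encrypt and drops the null fallback, plus the no-encap case for hardware that is not CTS-capable.

```cisco
! Added example (not from the Cisco TrustSec Configuration Guide).
! Interface names are assumed for illustration only.
!
! Weak ordering: modes are prioritized from highest to lowest, so listing
! null first advertises "encapsulation present, no authentication, no
! encryption" as the preferred mode even to a peer that supports MACsec.
interface TenGigabitEthernet1/1
 cts dot1x
  sap mode-list null gcm-encrypt
!
! Preferred ordering: GCM encryption is advertised first, GMAC
! (authentication only) second, and the null mode is not advertised at all,
! so the link does not negotiate down to an unprotected mode by default.
interface TenGigabitEthernet1/1
 cts dot1x
  sap mode-list gcm-encrypt gmac
!
! CTS-aware software on hardware that is not CTS-capable: disallow
! encapsulation explicitly, as the Usage Guidelines recommend.
interface GigabitEthernet2/5
 cts dot1x
  sap mode-list no-encap
!
! Reverting to the platform default (gcm-encrypt null) uses the no form.
interface TenGigabitEthernet1/1
 cts dot1x
  no sap mode-list
```

After the link comes up, confirm which SAP mode was actually negotiated on the peer-facing port with show cts interface rather than relying on the configured list alone.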