MACsec: How do end devices work with MKA?

Hello,

I am studying about Switching security (specifically MACsec 802.1AE) base 802.1X Authentication.
I know that the step to establish a MACsec communication:

  • Firstly, an end device (supplicant) will be authenticated by exchange with an Authentication server (or Authenticator) for example using EAP-TLS…, After this step, the end device gets a Master Session Key (MSK). All end devices in a LAN which wants to use MACsec, need to authenticate with this Authentication Server.
  • Secondly, base on the MACsec Key Agreement (MKA) protocol, end devices will exchange MKA capabilities to elect a Secure Association Key (SAK) (1 end device will be choosing a Key Server, this KEY Server will generate a SAK using it MSK), this key is used to encrypted the user data and this SAK is distributed via ICK (Integrity Check Key) and KEK (Key Encrypting Key). SAK will be encrypted by KEK then send to other end devices with ICK also to check the integrity of the message.
  • Then, MACsec will be start base on 802.1AE

My question is:
After step 1, every end devices have an MSK but when 2 end devices implement MKA how they can authenticate each other?
When a Server Key is elected, the SAK of this Server Key is encrypted and distributed to other end devices --> How do other devices decrypt and get SAK for implementation MACsec.

Anyone can help me to answer this?
or do you know any documents explain about it?
Please comment in below.
Thank you in advance.

Ryan.