
I have created a wpa_supplicant.conf file for MACsec. I'd like to use the MACsec Key Agreement protocol to establish the session keys and create a secure channel.

I have the following wpa_supplicant.conf file.

[root@localhost ~]# cat wpa_eap-tls_MACsec.conf 
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0
eapol_version=3
network={
  eap=TLS
  eapol_flags=0
  key_mgmt=IEEE8021X
  identity="laptop"
  password="password"
  ca_cert="/root/ca.pem"
  client_cert="/root/laptop.pem"
  private_key="/root/laptop.key"
  private_key_passwd="password"
  macsec_policy=1
}
[root@localhost ~]#

I run the wpa_supplicant program:

[root@localhost ~]#  wpa_supplicant -i eno1 -D macsec_linux -c /root/wpa_eap-tls_MACsec.conf -d

EAP-TLS authentication succeeds. I can see the keys agreed in the output and a macsec0 interface created. Yet "ip macsec show" does not show the macsec0 interface.

KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=64
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 255
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 78:2b:cb:a1:04:3a@1
    Actor's Member Identifier: bc27e27b98f22dceb3a87ea5
    Actor's Message Number: 1
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): a2 fe 8a e3 ad 9e 0e b4 83 17 35 80 84 06 8f db
KaY: ICV - hexdump(len=16): b0 5c 16 7f 29 f8 7a 8a 42 68 c4 87 52 c1 11 00
KaY: Participant timer (ifname=eno1)
KaY: Encode and send an MKPDU (ifname=eno1)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=78:2b:cb:a1:04:3a Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=64
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 255
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 78:2b:cb:a1:04:3a@1
    Actor's Member Identifier: bc27e27b98f22dceb3a87ea5
    Actor's Message Number: 2
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): a2 fe 8a e3 ad 9e 0e b4 83 17 35 80 84 06 8f db
KaY: ICV - hexdump(len=16): 8d 1f 1a 65 45 05 b0 bc 82 cf e7 13 5e 14 96 e4
KaY: Participant timer (ifname=eno1)
KaY: Encode and send an MKPDU (ifname=eno1)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=78:2b:cb:a1:04:3a Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=64
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 255
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 78:2b:cb:a1:04:3a@1
    Actor's Member Identifier: bc27e27b98f22dceb3a87ea5
    Actor's Message Number: 3
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): a2 fe 8a e3 ad 9e 0e b4 83 17 35 80 84 06 8f db
KaY: ICV - hexdump(len=16): 03 ff f3 87 ee 26 d7 ba c0 19 27 97 18 68 98 5d
KaY: Participant timer (ifname=eno1)
KaY: participant removed
KaY: Delete transmit SC
macsec_linux: macsec0: delete_transmit_sc -> 78:2b:cb:a1:04:3a::1
EAPOL: startWhen --> 0
EAPOL: authWhile --> 0
EAPOL: idleWhile --> 0
EAPOL: disable timer tick

The ip-macsec(8) man page suggests using wpa_supplicant for key management. How do I use the keys negotiated by wpa_supplicant on a macsec interface?

Thanks in advance for your help

hoffmeister
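The KaY debug output quoted above can be read mechanically rather than by eye. The following Python is an added example (not code from the question, from wpa_supplicant or from the iproute2 project): it parses the "Encode and send an MKPDU" records into their MKA Basic Parameter Set fields, checks the message-number sequence that MKA receivers use for replay protection, decodes the MACsec Capability value, and reports whether a live peer was ever logged before "participant removed". The embedded log is constructed to match the shape of the one in the question (ICV bytes made up), and the "Live Peer List" string it watches for is an assumption about how wpa_supplicant would log a decoded peer list, not a string taken from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Meaning of the MACsec Capability field in the MKA Basic Parameter Set
# (IEEE 802.1X-2010, Table 11-6).
MACSEC_CAPABILITY = {
    0: "MACsec not implemented",
    1: "integrity without confidentiality",
    2: "integrity, and confidentiality with offset 0",
    3: "integrity, and confidentiality with offsets 0, 30 and 50",
}

# Line shapes copied from the "wpa_supplicant -d" KaY output in the question.
SEND_RE = re.compile(r"^KaY: Encode and send an MKPDU \(ifname=(\S+)\)$")
CAK_RE = re.compile(r"^ {4}CAK Name - hexdump\(len=\d+\): (.*)$")
FIELD_RE = re.compile(r"^ {4}([^:]+): (.*)$")

# Constructed excerpt in the shape of the question's log: one Basic Parameter
# Set template instantiated for message numbers 1..3, then the teardown lines.
BPS_TEMPLATE = """\
KaY: Encode and send an MKPDU (ifname=eno1)
MKA Basic Parameter Set
    Key Server Priority: 255
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    SCI: 78:2b:cb:a1:04:3a@1
    Actor's Member Identifier: bc27e27b98f22dceb3a87ea5
    Actor's Message Number: {mn}
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): a2 fe 8a e3 ad 9e 0e b4 83 17 35 80 84 06 8f db
KaY: ICV - hexdump(len=16): 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
"""
SAMPLE_LOG = "".join(BPS_TEMPLATE.format(mn=n) for n in (1, 2, 3)) \
    + "KaY: participant removed\nKaY: Delete transmit SC\n"


@dataclass
class KaySession:
    mkpdus: List[Dict[str, str]]  # Basic Parameter Set fields of each sent MKPDU
    live_peer_list_seen: bool     # a peer acknowledged us (assumed log marker)
    participant_removed: bool
    transmit_sc_deleted: bool


def parse_kay_log(text: str) -> KaySession:
    """Collect the Basic Parameter Set of every MKPDU wpa_supplicant sent."""
    mkpdus: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    peers = removed = sc_deleted = False
    for line in text.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = {"ifname": m.group(1)}
            mkpdus.append(current)
        elif line.startswith("KaY: participant removed"):
            removed, current = True, None
        elif line.startswith("KaY: Delete transmit SC"):
            sc_deleted = True
        elif "Live Peer List" in line:  # assumption: how a decoded peer list is logged
            peers = True
        elif current is not None:
            m = CAK_RE.match(line)
            if m:
                current["CAK Name"] = m.group(1).replace(" ", "")
            elif (m := FIELD_RE.match(line)):
                current[m.group(1)] = m.group(2)
    return KaySession(mkpdus, peers, removed, sc_deleted)


def assess(session: KaySession) -> Dict[str, object]:
    """Summarise the exchange the way an operator reading the log would."""
    mns = [int(p["Actor's Message Number"]) for p in session.mkpdus]
    first = session.mkpdus[0] if session.mkpdus else {}
    if not session.mkpdus:
        verdict = "no MKPDU sent"
    elif session.live_peer_list_seen:
        verdict = "live peer present; SAK distribution depends on the elected key server"
    elif session.participant_removed:
        verdict = ("participant removed without a live peer observed: "
                   "MKA never completed, so no SAK was distributed")
    else:
        verdict = "still sending MKA hellos, no peer observed yet"
    return {
        "sci": first.get("SCI"),
        "cak_name": first.get("CAK Name"),
        "message_numbers": mns,
        # Receivers drop MKPDUs whose message number does not increase, so a
        # sender must never reuse or roll back a number.
        "message_numbers_increasing": all(b > a for a, b in zip(mns, mns[1:])),
        # Priority 255 means the participant will not act as key server.
        "eligible_key_server": first.get("Key Server Priority") not in (None, "255"),
        "macsec_capability": MACSEC_CAPABILITY.get(
            int(first.get("MACsec Capability", -1)), "unknown"),
        "live_peer_list_seen": session.live_peer_list_seen,
        "participant_removed": session.participant_removed,
        "transmit_sc_deleted": session.transmit_sc_deleted,
        "verdict": verdict,
    }
```

Run `assess(parse_kay_log(open("wpa.log").read()))` on a real `-d` capture to get the same summary for your own session. Two fields are worth checking first: `eligible_key_server`, since with priority 255 the supplicant will never distribute a SAK itself and is entirely dependent on the authenticator side electing itself key server, and `live_peer_list_seen`, since without a live peer the MKA exchange never gets past hellos and the transmit SC that wpa_supplicant created is torn down again, which is consistent with `ip macsec show` showing nothing.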
  • Did you ever manage to figure this out? I'm trying to do a similar setup and having major issues from the hostapd side with hostapd not recognizing the configuration parameters. I posted my issue [here](https://stackoverflow.com/questions/74381944/how-to-configure-hostapd-for-macsec) in stackoverflow, but like most other questions I've found on this it's dead silent. Would appreciate any info you might be able to provide since it seems like you might have been able to get the authenticator side up and running. – A. Trevelyan Nov 10 '22 at 19:07

0 Answers