I have created a wpa_supplicant.conf file for MACsec. I'd like to use the MACsec Key Agreement protocol to establish the session keys and create a secure channel.
I have the following wpa_supplicant.conf file.
[root@localhost ~]# cat wpa_eap-tls_MACsec.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0
eapol_version=3
network={
eap=TLS
eapol_flags=0
key_mgmt=IEEE8021X
identity="laptop"
password="password"
ca_cert="/root/ca.pem"
client_cert="/root/laptop.pem"
private_key="/root/laptop.key"
private_key_passwd="password"
macsec_policy=1
}
[root@localhost ~]#
I run the wpa_supplicant program
[root@localhost ~]# wpa_supplicant -i eno1 -D macsec_linux -c /root/wpa_eap-tls_MACsec.conf -d
EAP-TLS authentication succeeds. I can see the keys agreed in the output and a macsec0 interface created. Yet "ip macsec show" does not show the macsec0 interface.
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=64
MKA Basic Parameter Set
MKA Version Identifier: 1
Key Server Priority: 255
Key Server: 0
MACsec Desired: 1
MACsec Capability: 2
Parameter set body length: 44
SCI: 78:2b:cb:a1:04:3a@1
Actor's Member Identifier: bc27e27b98f22dceb3a87ea5
Actor's Message Number: 1
Algorithm Agility: 0080c201
CAK Name - hexdump(len=16): a2 fe 8a e3 ad 9e 0e b4 83 17 35 80 84 06 8f db
KaY: ICV - hexdump(len=16): b0 5c 16 7f 29 f8 7a 8a 42 68 c4 87 52 c1 11 00
KaY: Participant timer (ifname=eno1)
KaY: Encode and send an MKPDU (ifname=eno1)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=78:2b:cb:a1:04:3a Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=64
MKA Basic Parameter Set
MKA Version Identifier: 1
Key Server Priority: 255
Key Server: 0
MACsec Desired: 1
MACsec Capability: 2
Parameter set body length: 44
SCI: 78:2b:cb:a1:04:3a@1
Actor's Member Identifier: bc27e27b98f22dceb3a87ea5
Actor's Message Number: 2
Algorithm Agility: 0080c201
CAK Name - hexdump(len=16): a2 fe 8a e3 ad 9e 0e b4 83 17 35 80 84 06 8f db
KaY: ICV - hexdump(len=16): 8d 1f 1a 65 45 05 b0 bc 82 cf e7 13 5e 14 96 e4
KaY: Participant timer (ifname=eno1)
KaY: Encode and send an MKPDU (ifname=eno1)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=78:2b:cb:a1:04:3a Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=64
MKA Basic Parameter Set
MKA Version Identifier: 1
Key Server Priority: 255
Key Server: 0
MACsec Desired: 1
MACsec Capability: 2
Parameter set body length: 44
SCI: 78:2b:cb:a1:04:3a@1
Actor's Member Identifier: bc27e27b98f22dceb3a87ea5
Actor's Message Number: 3
Algorithm Agility: 0080c201
CAK Name - hexdump(len=16): a2 fe 8a e3 ad 9e 0e b4 83 17 35 80 84 06 8f db
KaY: ICV - hexdump(len=16): 03 ff f3 87 ee 26 d7 ba c0 19 27 97 18 68 98 5d
KaY: Participant timer (ifname=eno1)
KaY: participant removed
KaY: Delete transmit SC
macsec_linux: macsec0: delete_transmit_sc -> 78:2b:cb:a1:04:3a::1
EAPOL: startWhen --> 0
EAPOL: authWhile --> 0
EAPOL: idleWhile --> 0
EAPOL: disable timer tick
The ip-macsec(8) man page suggests using wpa_supplicant for key management. How do I use the keys negotiated by wpa_supplicant on a macsec interface?
Thanks in advance for your help
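Added example, not part of the original post and not wpa_supplicant's own code: a small decoder for the EAPOL-MKA frames whose fields the KaY log above prints, plus a check for whether any MKPDU on the wire lists our Member Identifier as a live or potential peer. The three "sent" PDUs are rebuilt byte-for-byte from the values in the log (EAPOL v3, type 5, body length 64, SCI 78:2b:cb:a1:04:3a@1, the MI, MN 1..3, Algorithm Agility 0080c201, the CAK Name and the three ICVs); the raw frames themselves are not in the post. The "switch reply" is constructed for illustration only and does not appear in the log, and its SCI and MI are made up. ICVs are carried but not verified, since that needs the ICK derived from the CAK, which the log does not contain. Function and constant names (parse_mkpdu, build_mkpdu, acknowledging_peers, SENT, SWITCH_REPLY) are this example's own.

```python
"""Decode EAPOL-MKA (MACsec Key Agreement) PDUs and check for a peer acknowledgement.
Added example, not from the original post or wpa_supplicant. SENT is rebuilt from the
field values printed by wpa_supplicant -d above; SWITCH_REPLY is a constructed,
hypothetical frame that does not appear in the log. ICVs are carried, not verified
(that needs the ICK, derived from the CAK, which the log does not contain)."""
import struct
from dataclasses import dataclass, field

EAPOL_VERSION, EAPOL_TYPE_MKA = 3, 5           # "Protocol Version=3 Packet Type=5"
PS_LIVE_PEERS, PS_POTENTIAL_PEERS, PS_ICV_INDICATOR = 1, 2, 255
MI_LEN, ICV_LEN = 12, 16
ALGORITHM_AGILITY = bytes.fromhex("0080c201")  # IEEE 802.1X-2009 default, as in the log

@dataclass
class Mkpdu:
    key_server_priority: int
    key_server: bool
    macsec_desired: bool
    macsec_capability: int
    sci: bytes                                  # 6-byte MAC + 2-byte port
    member_id: bytes
    message_number: int
    cak_name: bytes
    peers: list = field(default_factory=list)  # (MI, MN) from live + potential peer lists
    icv: bytes = b""

def _body_len(hdr):                             # low 4 bits of octet 3, then all of octet 4
    return ((hdr[2] & 0x0F) << 8) | hdr[3]

def parse_mkpdu(frame):
    """Parse an EAPOL-MKA packet (EAPOL header onward, Ethernet header stripped)."""
    _ver, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if ptype != EAPOL_TYPE_MKA or len(body) != body_len:
        raise ValueError("not a complete EAPOL-MKA packet")
    blen = _body_len(body)                      # Basic Parameter Set is always first
    pdu = Mkpdu(key_server_priority=body[1], key_server=bool(body[2] & 0x80),
                macsec_desired=bool(body[2] & 0x40), macsec_capability=(body[2] >> 4) & 3,
                sci=body[4:12], member_id=body[12:24],
                message_number=struct.unpack("!I", body[24:28])[0],
                cak_name=body[32:4 + blen])
    off = 4 + blen
    # Remaining parameter sets are 4-octet padded. With the default algorithm the
    # ICV is the bare last 16 octets (48 + 16 = 64 in the log); an explicit ICV
    # Indicator set (type 255) is handled as well.
    while off + ICV_LEN < len(body):
        ps_type, plen = body[off], _body_len(body[off:off + 4])
        pbody = body[off + 4:off + 4 + plen]
        if ps_type == PS_ICV_INDICATOR:
            pdu.icv = pbody[:ICV_LEN]
            return pdu
        if ps_type in (PS_LIVE_PEERS, PS_POTENTIAL_PEERS):
            pdu.peers += [(pbody[i:i + MI_LEN], struct.unpack("!I", pbody[i + MI_LEN:i + 16])[0])
                          for i in range(0, plen, 16)]
        off += 4 + ((plen + 3) & ~3)
    pdu.icv = body[-ICV_LEN:]
    return pdu

def build_basic_set(priority, key_server, desired, capability, sci, mi, mn, ckn):
    body = sci + mi + struct.pack("!I", mn) + ALGORITHM_AGILITY + ckn
    flags = (key_server << 7) | (desired << 6) | (capability << 4) | (len(body) >> 8)
    return bytes([1, priority, flags, len(body) & 0xFF]) + body  # octet 1 = MKA version 1

def build_peer_list(ps_type, peers):
    body = b"".join(mi + struct.pack("!I", mn) for mi, mn in peers)
    return bytes([ps_type, 0, len(body) >> 8, len(body) & 0xFF]) + body

def build_mkpdu(param_sets, icv):
    body = b"".join(param_sets) + icv
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_MKA, len(body)) + body

def format_sci(sci):                            # same rendering as the KaY log: mac@port
    return ":".join(f"{b:02x}" for b in sci[:6]) + f"@{struct.unpack('!H', sci[6:8])[0]}"

def acknowledging_peers(pdus, my_mi):
    """MIs of senders whose MKPDU lists my_mi as a live or potential peer. Empty means
    nobody on the link has echoed our MI back, which is the state the KaY is in when
    it removes the participant and deletes the transmit SC."""
    return [p.member_id for p in map(parse_mkpdu, pdus) if any(mi == my_mi for mi, _ in p.peers)]

# Laptop-side values exactly as printed in the log above.
LAPTOP_SCI = bytes.fromhex("782bcba1043a") + struct.pack("!H", 1)
LAPTOP_MI = bytes.fromhex("bc27e27b98f22dceb3a87ea5")
CAK_NAME = bytes.fromhex("a2fe8ae3ad9e0eb48317358084068fdb")
LOGGED_ICVS = [bytes.fromhex(h) for h in ("b05c167f29f87a8a4268c48752c11100",
               "8d1f1a654505b0bc82cfe7135e1496e4", "03fff387ee26d7bac01927971868985d")]
SENT = [build_mkpdu([build_basic_set(255, 0, 1, 2, LAPTOP_SCI, LAPTOP_MI, mn, CAK_NAME)], icv)
        for mn, icv in zip((1, 2, 3), LOGGED_ICVS)]

# Constructed, hypothetical reply from a key server on the far end (made-up SCI and MI):
# a healthy exchange carries a Live Peer List naming our MI and the last MN it saw from us.
SWITCH_SCI = bytes.fromhex("02000000000a") + struct.pack("!H", 1)
SWITCH_MI = bytes.fromhex("00112233445566778899aabb")
SWITCH_REPLY = build_mkpdu(
    [build_basic_set(16, 1, 1, 2, SWITCH_SCI, SWITCH_MI, 7, CAK_NAME),
     build_peer_list(PS_LIVE_PEERS, [(LAPTOP_MI, 3)])],
    b"\x00" * ICV_LEN)                          # placeholder; a real ICV is AES-CMAC under the ICK
```

Feed it the EAPOL frames captured on eno1 (ethertype 0x888e, destination 01:80:c2:00:00:03) and acknowledging_peers tells you whether any station ever listed your MI. For the frames visible in the log above, which are only the laptop's own three MKPDUs with MN 1 to 3, it returns an empty list; with the constructed reply added it returns the far end's MI.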