
I have created a wpa_supplicant.conf file for macsec. I'd like to use the MACsec Key Agreement protocol to establish the session keys and create a secure channel.

I have the following wpa_supplicant.conf file.

[root@localhost ~]# cat wpa_eap-tls_MACsec.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0
eapol_version=3
network={
  eap=TLS
  eapol_flags=0
  key_mgmt=IEEE8021X
  identity="laptop"
  password="password"
  ca_cert="/root/ca.pem"
  client_cert="/root/laptop.pem"
  private_key="/root/laptop.key"
  private_key_passwd="password"
  macsec_policy=1
}
[root@localhost ~]#

I run the wpa_supplicant program

[root@localhost ~]# wpa_supplicant -i eno1 -D macsec_linux -c /root/wpa_eap-tls_MACsec.conf -d

EAP-TLS authentication succeeds. I can see the keys agreed in the output and a macsec0 interface created. Yet "ip macsec show" does not show the macsec0 interface.

KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=64
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 255
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 78:2b:cb:a1:04:3a@1
    Actor's Member Identifier: bc27e27b98f22dceb3a87ea5
    Actor's Message Number: 1
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): a2 fe 8a e3 ad 9e 0e b4 83 17 35 80 84 06 8f db
KaY: ICV - hexdump(len=16): b0 5c 16 7f 29 f8 7a 8a 42 68 c4 87 52 c1 11 00
KaY: Participant timer (ifname=eno1)
KaY: Encode and send an MKPDU (ifname=eno1)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=78:2b:cb:a1:04:3a Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=64
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 255
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 78:2b:cb:a1:04:3a@1
    Actor's Member Identifier: bc27e27b98f22dceb3a87ea5
    Actor's Message Number: 2
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): a2 fe 8a e3 ad 9e 0e b4 83 17 35 80 84 06 8f db
KaY: ICV - hexdump(len=16): 8d 1f 1a 65 45 05 b0 bc 82 cf e7 13 5e 14 96 e4
KaY: Participant timer (ifname=eno1)
KaY: Encode and send an MKPDU (ifname=eno1)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=78:2b:cb:a1:04:3a Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=64
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 255
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 78:2b:cb:a1:04:3a@1
    Actor's Member Identifier: bc27e27b98f22dceb3a87ea5
    Actor's Message Number: 3
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): a2 fe 8a e3 ad 9e 0e b4 83 17 35 80 84 06 8f db
KaY: ICV - hexdump(len=16): 03 ff f3 87 ee 26 d7 ba c0 19 27 97 18 68 98 5d
KaY: Participant timer (ifname=eno1)
KaY: participant removed
KaY: Delete transmit SC
macsec_linux: macsec0: delete_transmit_sc -> 78:2b:cb:a1:04:3a::1
EAPOL: startWhen --> 0
EAPOL: authWhile --> 0
EAPOL: idleWhile --> 0
EAPOL: disable timer tick

The ip-macsec(8) manual page suggests using wpa_supplicant for key management. How do I use the keys negotiated by wpa_supplicant on a macsec interface?

Thanks in advance for your help

hoffmeister

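Added example (not part of the question and not wpa_supplicant code): a small parser that summarises the KaY lines from a `wpa_supplicant -d` run like the one above, so you can see at a glance what the MKA Basic Parameter Set advertised, how many MKPDUs were sent, and whether the KaY tore down the participant and transmit SC. The sample log is constructed from the lines in the question (three MKPDUs with message numbers 1 to 3, then "participant removed" and "Delete transmit SC"). The inbound-MKPDU marker strings in PEER_MARKERS are an assumption, since the question's excerpt contains no received-MKPDU lines; they are only used to report that none were seen.

```python
"""Summarise MACsec Key Agreement (MKA) activity from wpa_supplicant -d output."""
import re
from dataclasses import dataclass, field
from typing import Optional


def _mkpdu_block(msg_num: int, icv: str) -> str:
    # One transmitted MKPDU as logged by the KaY (field values copied from the question).
    return f"""KaY: Encode and send an MKPDU (ifname=eno1)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=78:2b:cb:a1:04:3a Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=64
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 255
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 78:2b:cb:a1:04:3a@1
    Actor's Member Identifier: bc27e27b98f22dceb3a87ea5
    Actor's Message Number: {msg_num}
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): a2 fe 8a e3 ad 9e 0e b4 83 17 35 80 84 06 8f db
KaY: ICV - hexdump(len=16): {icv}
KaY: Participant timer (ifname=eno1)
"""


# Constructed sample: the three sends from the question followed by the teardown lines.
SAMPLE_LOG = (
    _mkpdu_block(1, "b0 5c 16 7f 29 f8 7a 8a 42 68 c4 87 52 c1 11 00")
    + _mkpdu_block(2, "8d 1f 1a 65 45 05 b0 bc 82 cf e7 13 5e 14 96 e4")
    + _mkpdu_block(3, "03 ff f3 87 ee 26 d7 ba c0 19 27 97 18 68 98 5d")
    + "KaY: participant removed\n"
    + "KaY: Delete transmit SC\n"
    + "macsec_linux: macsec0: delete_transmit_sc -> 78:2b:cb:a1:04:3a::1\n"
)

SEND_RE = re.compile(r"^KaY: Encode and send an MKPDU \(ifname=(\S+)\)")
PARAM_RE = re.compile(r"^\s+([^:]+?):\s*(.*)$")  # indented "Key: value" inside a parameter set
ICV_RE = re.compile(r"^KaY: ICV - hexdump\(len=\d+\): (.*)$")
DELETE_SC_RE = re.compile(r"delete_transmit_sc -> (\S+)")
# Assumed markers for inbound MKPDU processing; absent from the question's excerpt.
PEER_MARKERS = ("Decode received MKPDU", "Received MKPDU")


@dataclass
class Mkpdu:
    ifname: str
    params: dict = field(default_factory=dict)  # Basic Parameter Set fields
    icv: str = ""                               # ICV as a hex string without spaces


@dataclass
class MkaSummary:
    sent: list = field(default_factory=list)
    peer_mkpdu_seen: bool = False
    participant_removed: bool = False
    transmit_sc_deleted: Optional[str] = None   # SCI from the delete_transmit_sc line


def parse_kay_log(text: str) -> MkaSummary:
    """Walk the debug output line by line and collect sent MKPDUs and teardown events."""
    summary = MkaSummary()
    current: Optional[Mkpdu] = None
    for line in text.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = Mkpdu(ifname=m.group(1))
            summary.sent.append(current)
            continue
        m = ICV_RE.match(line)
        if m and current is not None:
            current.icv = m.group(1).replace(" ", "")
            continue
        if current is not None and line.startswith("    "):
            m = PARAM_RE.match(line)
            if m:  # "CAK Name - hexdump(len=16)" is keyed as plain "CAK Name"
                current.params[m.group(1).strip().split(" - ")[0]] = m.group(2).strip()
            continue
        if any(marker in line for marker in PEER_MARKERS):
            summary.peer_mkpdu_seen = True
        elif line.startswith("KaY: participant removed"):
            summary.participant_removed = True
        else:
            m = DELETE_SC_RE.search(line)
            if m:
                summary.transmit_sc_deleted = m.group(1)
    return summary


def message_numbers(summary: MkaSummary) -> list:
    return [int(p.params.get("Actor's Message Number", 0)) for p in summary.sent]


def diagnose(summary: MkaSummary) -> list:
    """Human-readable findings; each one is derived only from what the log contained."""
    findings = [f"sent {len(summary.sent)} MKPDU(s), message numbers {message_numbers(summary)}"]
    if summary.sent:
        bps = summary.sent[0].params
        findings.append(f"advertised Key Server Priority={bps.get('Key Server Priority')}, "
                        f"MACsec Desired={bps.get('MACsec Desired')}, SCI={bps.get('SCI')}")
    if not summary.peer_mkpdu_seen:
        findings.append("no lines matching the assumed inbound-MKPDU markers were seen")
    if summary.participant_removed:
        sc = f" and deleted transmit SC {summary.transmit_sc_deleted}" if summary.transmit_sc_deleted else ""
        findings.append("KaY removed the participant" + sc)
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_kay_log(SAMPLE_LOG)):
        print("-", finding)
```

Run it against the saved output of `wpa_supplicant -d` (read the file into parse_kay_log instead of SAMPLE_LOG) to confirm whether a peer ever answered the MKPDUs sent to 01:80:c2:00:00:03 before the participant was removed.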