6.7.2. WPA_Supplicant
wpa_supplicant: Uses a configuration file that contains the pre-shared CAK and CKN keys on both hosts. The two peers authenticate each other by exchanging MKA keys. The MACsec Key Agreement (MKA) protocol uses EAPoL PDUs to carry MKPDUs securely between the peers.
Secure associations that use these keys are configured on both hosts. wpa_supplicant translates the information derived through MKA and configures the kernel's MACsec implementation.
Kernel: Configures the CSR region. When traffic is initiated, it sends MACsec-protected packets on the "MACsec0" interface, a separate network device dedicated to encrypted traffic.
Steps 3 and 4 (as shown in the above diagram) are repeated as many times as necessary while wpa_supplicant keeps running, to transition to a new key when the current key expires.
Configuration file (wpa_supplicant_MACsec.conf):

ctrl_interface=/var/run/wpa_supplicant
eapol_version=3
ap_scan=0
fast_reauth=1

# Example configuration for MACsec with pre-shared key
network={
    key_mgmt=NONE
    eapol_flags=0
    macsec_policy=1
    # Sample CAK (32 hex digits) and CKN; both hosts must use the same pair
    mka_cak=0123456789ABCDEF0123456789ABCDEF
    mka_ckn=6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435
    mka_priority=2
    macsec_integ_only=0
    macsec_port=0
    macsec_replay_protect=1
    macsec_replay_window=50
    # Newly added
    macsec_val_frames=2
    mka_cipher_suit="GCM-AES-XPN-256"
    macsec_ssci=0xABCD
    macsec_scb=0
    macsec_es=0
    macsec_send_sci=1
}
Command: ./wpa_supplicant -i ens801f0 -D macsec_linux -c wpa_supplicant_MACsec.conf
Where: -i is the interface to be used, -D is the driver to be used, and -c is the config file.
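
MKA only succeeds when both hosts carry the same, well-formed CAK and CKN, so it is worth checking the two config files before starting wpa_supplicant. The Python check below is an added example, not part of the original documentation or of wpa_supplicant: it lints one host's network block and compares the keys of two hosts. The sample configs and function names are constructed for illustration, and the key-length rules are those of upstream wpa_supplicant, assumed to apply to this build.

```python
import re

# Constructed sample configs for two hosts; the keys are made up for this example.
HOST_A = """
network={
    macsec_policy=1
    mka_cak=00112233445566778899AABBCCDDEEFF
    mka_ckn=636F6E7374727563746564
    macsec_integ_only=0
    macsec_replay_protect=1
}
"""
# Host B: one hex digit dropped from the CAK, replay protection switched off.
HOST_B = HOST_A.replace("DDEEFF", "DDEEF").replace("replay_protect=1", "replay_protect=0")

def parse_network(text):
    """Return the key/value pairs inside the first network={...} block."""
    block = re.search(r"network=\{(.*?)\}", text, re.S)
    opts = {}
    for line in (block.group(1) if block else "").splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip().strip('"')
    return opts

def lint(opts):
    """Return findings for one host's MACsec pre-shared-key settings."""
    findings = []
    cak, ckn = opts.get("mka_cak", ""), opts.get("mka_ckn", "")
    # Lengths assumed from upstream wpa_supplicant: CAK 16 or 32 bytes, CKN 1..32 bytes.
    if not re.fullmatch(r"[0-9A-Fa-f]+", cak) or len(cak) not in (32, 64):
        findings.append(f"mka_cak: {len(cak)} hex digits, need 32 or 64")
    if not re.fullmatch(r"[0-9A-Fa-f]+", ckn) or len(ckn) % 2 or not 2 <= len(ckn) <= 64:
        findings.append("mka_ckn: need an even number of hex digits, 2 to 64")
    if opts.get("macsec_policy") != "1":
        findings.append("macsec_policy: MACsec is not enabled")
    if opts.get("macsec_integ_only", "0") != "0":
        findings.append("macsec_integ_only: frames are integrity-protected only")
    if opts.get("macsec_replay_protect", "0") != "1":
        findings.append("macsec_replay_protect: replay protection is off")
    return findings

def peer_mismatch(a, b):
    """Both hosts must hold the same CAK and CKN for MKA to succeed."""
    return [k for k in ("mka_cak", "mka_ckn") if a.get(k) != b.get(k)]

if __name__ == "__main__":
    print(lint(parse_network(HOST_B)), peer_mismatch(parse_network(HOST_A), parse_network(HOST_B)))
```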