Hostapd fails with "unknown packet type" when using wired 802.1x with MACSec

Derek Cardol derek.cardol at gmail.com
Sun Dec 3 11:52:12 PST 2017


Hi all,

I am trying to set up wired 802.1x with MACSec using WPA_supplicant as supplicant,
hostapd as authenticator, and RADIUS as authentication server. So far I managed to
successfully authenticate as supplicant using EAP-TTLS. My next step is to enable
MACSec, but this fails as hostapd does not recognize the packet type.

I configured WPA_supplicant with the "macsec_linux" driver enabled.
My .conf looks like this:

ctrl_interface=/run/wpa_supplicant
eapol_version=3
ap_scan=0
fast_reauth=1
network={
key_mgmt=IEEE8021X
eap=TTLS
phase2="auth=PAP"
identity="user"
password="password"
ca_cert="/path/to/ca.pem"
eapol_flags=0
macsec_policy=1
}

Everything seems to be working fine on the supplicant side. After successful
EAPoL authentication it sends an MKA packet to the authenticator as shown below:

EAPOL authentication completed - result=SUCCESS
IEEE 802.1X: External notification - Create MKA for 78:34:af:c9:12:ap
EAPOL: Successfully fetched key (len=64)
Derived CAK - hexdump(len=16): [REMOVED]
Derived CKN - hexdump(len=16): ba 50 37 29 d7 3b ec 00 7e 0f 9e 1a 06 db f1 f7
KaY: Create transmit SC
SCI:  - hexdump(len=8): 3c 79 0e 11 a8 72 00 01
macsec_drv_enable_protect_frames -> TRUE
macsec_drv_set_replay_protect -> FALSE, 0
macsec_drv_create_transmit_sc
KaY: Derived KEK - hexdump(len=16): [REMOVED]
KaY: Derived ICK - hexdump(len=16): [REMOVED]
KaY: Participant created: - hexdump(len=16): ba 50 37 29 d7 3b ec 00 7e 0f 9e 1a 06 db f1 f7
l2_packet_receive: src=78:34:af:c9:12:ap len=60
KaY: to enpacket and send the MKPDU
*** MKA Basic Parameter set ***
Version.......: 1
Priority......: 255
KeySvr........: 0
MACSecDesired.: 1
MACSecCapable.: 2
Body Length...: 44
SCI MAC.......: 3c:79:0e:11:a8:72
SCI Port .....: 1
Member Id.....: - hexdump(len=12): 9f 68 e0 44 a9 7c 3d ba c2 78 0c a6
Message Number: 1
Algo Agility..: - hexdump(len=4): 00 80 c2 01
CAK Name......: - hexdump_ascii(len=16):
     ba 50 37 29 d7 3b ec 00 7e 0f 9e 1a 06 db f1 f7   _P7)_;__~_______

Unfortunately, on the authenticator side, hostapd does not recognize
the packet type:

enp5s0f1: CTRL-EVENT-EAP-SUCCESS2 3c:79:0e:11:a8:72
IEEE 802.1X: 3c:79:0e:11:a8:72 BE_AUTH entering state SUCCESS
enp5s0f1: STA 3c:79:0e:11:a8:72 IEEE 802.1X: Sending EAP Packet (identifier 109)
IEEE 802.1X: 3c:79:0e:11:a8:72 AUTH_PAE entering state AUTHENTICATED
enp5s0f1: STA 3c:79:0e:11:a8:72 IEEE 802.1X: authorizing port
enp5s0f1: STA 3c:79:0e:11:a8:72 IEEE 802.1X: authenticated - EAP type: 21 (TTLS)
IEEE 802.1X: 3c:79:0e:11:a8:72 BE_AUTH entering state IDLE
enp5s0f1: Event NEW_STA (22) received
enp5s0f1: Event EAPOL_RX (23) received
IEEE 802.1X: 72 bytes from 3c:79:0e:11:a8:72
   IEEE 802.1X: version=3 type=5 length=68
   unknown IEEE 802.1X packet type

This repeats for a total of 4 tries which all fail.

I assume my problem lies in the version of hostapd (hostapd 2.7-devel), which does
not support macsec. However, I am unable to find documentation on how to build hostapd
with macsec support, or whether it is possible at all. I hope you guys can help me with this.


Best,
Derek
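
Added example (not part of the original message, and not hostapd or wpa_supplicant code): a small Python decoder for the EAPOL header that hostapd logged as version=3 type=5 length=68, run over a frame rebuilt from the field values in the supplicant log. The field layout follows IEEE 802.1X-2010; the function names and the zero-filled trailing 20 bytes are assumptions.

```python
import struct

# EAPOL packet types defined by IEEE 802.1X-2010; type 5 carries MKA (MACsec Key Agreement).
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert", 5: "EAPOL-MKA"}

def parse_eapol(pdu: bytes) -> dict:
    """Decode the 4-byte EAPOL header and, for EAPOL-MKA, the Basic Parameter Set."""
    if len(pdu) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, length = struct.unpack("!BBH", pdu[:4])
    body = pdu[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body shorter than header length")
    out = {"version": version, "type": ptype, "length": length,
           "type_name": EAPOL_TYPES.get(ptype, "unknown")}
    if ptype == 5:
        out["mka"] = parse_mka_basic(body)
    return out

def parse_mka_basic(body: bytes) -> dict:
    """Basic Parameter Set: 4-byte header, SCI, member id, message number, algorithm, CKN."""
    if len(body) < 32:
        raise ValueError("truncated MKA Basic Parameter Set")
    mka_ver, prio, flags, len_lo = struct.unpack("!BBBB", body[:4])
    body_len = ((flags & 0x0F) << 8) | len_lo  # 12-bit parameter set body length
    if body_len < 28 or 4 + body_len > len(body):
        raise ValueError("bad Basic Parameter Set length")
    return {
        "version": mka_ver, "priority": prio,
        "key_server": flags >> 7, "macsec_desired": (flags >> 6) & 1,
        "macsec_capable": (flags >> 4) & 3, "body_length": body_len,
        "sci": body[4:12].hex(), "member_id": body[12:24].hex(),
        "message_number": int.from_bytes(body[24:28], "big"),
        "algo_agility": body[28:32].hex(),
        "ckn": body[32:4 + body_len].hex(),  # CKN fills the rest of the set
    }

# Constructed sample from the logged field values; the last 20 bytes are zero placeholders.
SAMPLE = (bytes([3, 5, 0, 68])                         # version=3 type=5 length=68
          + bytes([1, 255, 0x60, 44])                  # MKA v1, prio 255, desired=1, capable=2
          + bytes.fromhex("3c790e11a8720001")          # SCI (MAC + port 1)
          + bytes.fromhex("9f68e044a97c3dbac2780ca6")  # member id
          + (1).to_bytes(4, "big") + bytes.fromhex("0080c201")  # message number, algo agility
          + bytes.fromhex("ba503729d73bec007e0f9e1a06dbf1f7")   # CKN
          + bytes(20))

if __name__ == "__main__":
    print(parse_eapol(SAMPLE))
```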


