hostapd authenticator for MKA

Jouni Malinen j at
Sat Apr 13 01:38:00 PDT 2019

On Sun, Apr 07, 2019 at 05:25:21PM -0700, Alan Carr wrote:
> I was searching around and I just wanted to confirm that right now MKA for
> MACSEC is not supported under hostapd as the authenticator.
> I took a git clone and tried using eapol_version=3 with hostapd to match the
> requirement for wpa_supplicant but it appears to not be supported:

eapol_version=3 is not really the key point about enabling MKA since
EAPOL version 3 could be used for any purpose with EAPOL frames, but
anyway, hostapd does not yet have support for MKA/MACsec.

> Is the only way to use MKA on two Linux machines to used shared CAK/CKN via
> two wpa_supplicants?
> Obviously excluding any proprietary MKA stacks that are out there.
> My goal was to use hostapd as the authenticator with a local radius support,
> and authenticate one or more client/wpa_supplicants for MACSEC using MKA.

I'm not sure whether there are any "non proprietary" implementations,
but as far as the upstream hostapd/wpa_supplicant project is concerned,
the only currently supported option is use of wpa_supplicant with the
features it enables. There has been some interest in extending hostapd
support in the related area, but at least as of now, no such
functionality has been contributed to the project.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list