MACsec: EAPOL-MKA is not starting on hostap

Andrejs Aire an_aire at yahoo.com
Thu Nov 11 03:47:55 PST 2021


Hi

I'm facing a problem with MACsec setup on a wired connection with the
latest hostap release v2.9.
My setup is trivial (just for testing) - HOSTAP and RADIUS on the same
machine, communicating via RADIUS protocol over 127.0.0.1;
The wpa_supplicant is requesting service from another machine connected
to HOSTAP via a network interface.
EAP frame exchange for authorization between wpa_supplicant and HOSTAP
takes place via multicast address 01:80:c2:00:00:03.

The problem:
1) The wpa_supplicant is successfully authenticated @RADIUS, which is
indicated by the 'Success' EAP frame sent by the HOSTAP. At this moment
the MKA should step in.
2) The wpa_supplicant sends an EAPOL-MKA frame, which to my understanding
is a kind of heartbeat or indicator.
The HOSTAP does not respond with any EAPOL-MKA frames and does not send
any EAPOL frame after.
3) The EAPOL-MKA "indicator" is repeated 3 more times by the
wpa_supplicant and this is the end.

The fragment of debug trace from hostapd at the stage of authentication 
finish:
...
...
EAP: EAP entering state SUCCESS2
enp0s8: CTRL-EVENT-EAP-SUCCESS2 08:00:27:6e:f4:d8
IEEE 802.1X: 08:00:27:6e:f4:d8 BE_AUTH entering state SUCCESS
enp0s8: STA 08:00:27:6e:f4:d8 IEEE 802.1X: Sending EAP Packet (identifier 112)
IEEE 802.1X: 08:00:27:6e:f4:d8 AUTH_PAE entering state AUTHENTICATED
enp0s8: STA 08:00:27:6e:f4:d8 IEEE 802.1X: authorizing port
enp0s8: STA 08:00:27:6e:f4:d8 IEEE 802.1X: authenticated - EAP type: 13 (TLS)
IEEE 802.1X: External notification - Create MKA for 08:00:27:6e:f4:d8
MACsec: Successfully fetched key (len=64)
MSK:  - hexdump(len=64): [REMOVED]
MACsec: Failed to get SessionID from EAPOL state machines
IEEE 802.1X: Could not get EAP Session Id
...
...

The last two lines of the above trace point to a problem I cannot 
explain. Please advise.
My hostapd.conf settings are:
ieee8021x=1
eapol_version=3
eapol_key_index_workaround=0

use_pae_group_addr=1
driver=macsec_linux
macsec_policy=1
eap_server=0
own_ip_addr=127.0.0.1
radius_client_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
acct_server_addr=127.0.0.1
acct_server_port=1813
acct_server_shared_secret=testing123

Interestingly, if I use the same hostapd binary but change the
hostapd.conf for the in-built EAP authenticator
instead of an external RADIUS server, then the EAPOL-MKA wakes up and
MACsec is successfully enabled.

The "Failed to get SessionID..." lines are not observed in the trace
output and the HOSTAP sends EAPOL-MKA frames.
My hostapd.conf settings for a "good" case differ from the above
configuration only in 'eap_server=1' and paths to the user file and
certificates.
Of course, the RADIUS related section is entirely commented out.

Please give me a clue what could be the problem in the "bad" case. What is
the root cause for the following trace output?
MACsec: Failed to get SessionID from EAPOL state machines
IEEE 802.1X: Could not get EAP Session Id

Thanks in advance,
Andre
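
A way to triage a hostapd debug trace like the one in this post (an added example, not part of the original message and not hostapd code): the two MACsec failure lines carry no station address, so the script attributes them to the station named in the preceding "Create MKA" line. The function names and verdict strings are assumptions; the sample is built from the post's own trace lines.

```python
import re
from collections import defaultdict

# Constructed sample: trace lines quoted in the post, wrapped lines rejoined.
SAMPLE_TRACE = """\
IEEE 802.1X: 08:00:27:6e:f4:d8 AUTH_PAE entering state AUTHENTICATED
IEEE 802.1X: External notification - Create MKA for 08:00:27:6e:f4:d8
MACsec: Successfully fetched key (len=64)
MACsec: Failed to get SessionID from EAPOL state machines
IEEE 802.1X: Could not get EAP Session Id
"""
MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
AUTHENTICATED = re.compile(MAC + r" AUTH_PAE entering state AUTHENTICATED", re.I)
CREATE_MKA = re.compile(r"Create MKA for " + MAC, re.I)
MSK_FETCHED = "MACsec: Successfully fetched key"
# Failure messages exactly as they appear in the post's trace.
FAILURES = (
    "MACsec: Failed to get SessionID from EAPOL state machines",
    "IEEE 802.1X: Could not get EAP Session Id",
)

def triage(trace):
    """Return {station MAC: status dict} for a hostapd debug trace."""
    stations = defaultdict(lambda: {"authenticated": False,
        "mka_requested": False, "msk_fetched": False, "failures": []})
    current = None  # station named by the most recent "Create MKA" line
    for line in trace.splitlines():
        line = line.strip()
        if m := AUTHENTICATED.search(line):
            stations[m.group(1).lower()]["authenticated"] = True
        elif m := CREATE_MKA.search(line):
            current = m.group(1).lower()
            stations[current]["mka_requested"] = True
        elif current and MSK_FETCHED in line:
            stations[current]["msk_fetched"] = True
        elif current and any(f in line for f in FAILURES):
            stations[current]["failures"].append(line)
    return dict(stations)

def verdict(status):
    """Classify one station; absence of failures is not proof MKA started."""
    if status["failures"]:
        return "mka-setup-failed"
    if status["authenticated"] and not status["mka_requested"]:
        return "authenticated-without-mka-request"
    return "no-failure-logged"

if __name__ == "__main__":
    for mac, status in triage(SAMPLE_TRACE).items():
        print(mac, verdict(status), status["failures"])
```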




