MKA and group addresses (peers discovery)

Jaap Keuter jaap.keuter at
Tue Sep 28 23:08:17 PDT 2021


as you noticed peer discovery takes place using EAP-MKA frames, addressed as 802.1X PAE. On a `true` broadcast LAN this would suffice, with our switched LANs the peers become the switch ports. To influence this behaviour either the addressing needs to be changed (so the switch port won’t pick up the frames) or the switch needs to be made transparent for these frames. 

I don’t have experience with the context you’re working in, what I do know is that the Linux bridge has a sysctl for this. See this commit:


> On 26 Sep 2021, at 15:29, Ovidio Ruzzier <ovidioruzzier at> wrote:
> Hi all,
> I apologize if this question is more an open one than a close and
> related to wpa_supplicant.
> I'm trying to encrypt and authenticate traffic among three hosts. I
> use EVE-NG for that.
> I used first a normal switch provided by EVE-NG, then I used a Nexus 9000v
> When I manually configure MACsed everything works fine.
> When I use MKA things stop working.
> I realized that MKA uses EAPoL-MKA, does the IEEE standard say that? I
> don't have access to the standard but this breaks the possibility to
> have MKA across switches.
> The statement MACsec (actually MKA) is a hop-by-hop protocol is true
> because MKA is hop-by-hop because to discover neighbours it uses MAC
> group addresses
> Per-se it is not.
> Is there a way to change the way peers are discovered?
> Thanks.
> Ovidio

More information about the Hostap mailing list