Question on wpa_supplicant setup for MKA

John Glotzer jglotzer at
Thu May 25 23:12:45 PDT 2017

Hi Jaap and Sabrina,

I am trying to replicate what Jaap has described, which is to say to
use wpa_supplicant to drive the MKA between two MACSEC capable hosts.

I have set up statically configured MACSEC between two virtual
instances using Fedora26-Alpha which has the 4.11 kernel MACSEC
implementation and this all works as expected.

I don't think that the binary in the Fedora26 is sufficiently new
enough to support all that is needed (for example it rejects the
config line eapol_version=3) but in any case I want to build my own.

When I look at the source HEAD for hostap/wpa_supplicant I see that
while there are a lot of #ifdef checks for CONFIG_MACSEC in the source
I don't see an option in the defconfig file for turning on
CONFIG_MACSEC. Is this omission significant or do I just add the
CONFIG line anyway?

Also (and most importantly) what are the other CONFIG lines that I
should specify during the build?

Also is there a way to get the netlink support needed to send the
derived keys to the kernel after MKA completes? That is to say can the
entire end to end workflow be made to succeed up to and including
sending the derived keys to the kernel?

Thanks very much for any help you guys can offer, and thanks so much
for all of the excellent work in this area.

John Glotzer

More information about the Hostap mailing list