Question on wpa_supplicant setup for MKA

Jaap Keuter jaap.keuter at
Sat May 27 10:03:07 PDT 2017

Hi John,

See my comments inline.

On 26-05-17 08:12, John Glotzer wrote:
> Hi Jaap and Sabrina,
> I am trying to replicate what Jaap has described, which is to say to
> use wpa_supplicant to drive the MKA between two MACSEC capable hosts.
> I have set up statically configured MACSEC between two virtual
> instances using Fedora26-Alpha which has the 4.11 kernel MACSEC
> implementation and this all works as expected.
> I don't think that the binary in the Fedora26 is sufficiently new
> enough to support all that is needed (for example it rejects the
> config line eapol_version=3) but in any case I want to build my own.

The required additions were included after hostap/wpa_supplicant 2.6 was
released, so you'll need bleeding edge (aka. git HEAD) software build and
running on your setup.

> When I look at the source HEAD for hostap/wpa_supplicant I see that
> while there are a lot of #ifdef checks for CONFIG_MACSEC in the source
> I don't see an option in the defconfig file for turning on
> CONFIG_MACSEC. Is this omission significant or do I just add the
> CONFIG line anyway?
> Also (and most importantly) what are the other CONFIG lines that I
> should specify during the build?

I've been sitting on a patch exactly with the purpose of documenting these (I
was holding back for Jouni to consider my previous pending patch first), but now
you've forced my hand. See "[PATCH] Add config information related to MACsec"
for the information you seek.

> Also is there a way to get the netlink support needed to send the
> derived keys to the kernel after MKA completes? That is to say can the
> entire end to end workflow be made to succeed up to and including
> sending the derived keys to the kernel?

Also here you have to have a fairly recent libnl installed, or build. I've been
working with libnl 3.2.29, which was not yet packaged, so I did that myself and
installed that for testing.

> Thanks very much for any help you guys can offer, and thanks so much
> for all of the excellent work in this area.
> John Glotzer


More information about the Hostap mailing list