Question on wpa_supplicant setup for MKA (Jaap Keuter)

John Glotzer jglotzer at
Sat May 27 13:07:50 PDT 2017

Hi Jaap,

Thanks so much for the helpful and quick reply and most especially for
the patch.

Few things - after writing my email I got things working which I was
very happy about.

For wpa_supplicant build config I went to

took that and just commented out the DBUS stuff - and yes I was
building from HEAD.

For libnl the binary in Fedora26 I notice was 3.3.3 so I think I got
lucky there.

For runtime config and command line arguments I just cobbled together
these from what you and Sabrina used.

The thing is - it all "just worked" - great news.

My next steps will be to ingest your patch and then to try to
understand the inner workings a bit more and then to integrate an EAP
step into my workflow.

Thanks and warm regards,

John Glotzer

> Message: 3
> Date: Sat, 27 May 2017 19:03:07 +0200
> From: Jaap Keuter <jaap.keuter at>
> To: John Glotzer <jglotzer at>, hostap at
> Subject: Re: Question on wpa_supplicant setup for MKA
> Message-ID: <edfdc179-76ea-68f2-57eb-a7d402b939c0 at>
> Content-Type: text/plain; charset=windows-1252
>
> Hi John,
>
> See my comments inline.
>
> On 26-05-17 08:12, John Glotzer wrote:
> > Hi Jaap and Sabrina,
> >
> > I am trying to replicate what Jaap has described, which is to say to
> > use wpa_supplicant to drive the MKA between two MACSEC capable hosts.
> >
> > I have set up statically configured MACSEC between two virtual
> > instances using Fedora26-Alpha which has the 4.11 kernel MACSEC
> > implementation and this all works as expected.
> >
> > I don't think that the binary in the Fedora26 is sufficiently new
> > enough to support all that is needed (for example it rejects the
> > config line eapol_version=3) but in any case I want to build my own.
> The required additions were included after hostap/wpa_supplicant 2.6 was
> released, so you'll need bleeding edge (aka. git HEAD) software built and
> running on your setup.
> > When I look at the source HEAD for hostap/wpa_supplicant I see that
> > while there are a lot of #ifdef checks for CONFIG_MACSEC in the source
> > I don't see an option in the defconfig file for turning on
> > CONFIG_MACSEC. Is this omission significant or do I just add the
> > CONFIG line anyway?
> >
> > Also (and most importantly) what are the other CONFIG lines that I
> > should specify during the build?
> I've been sitting on a patch exactly with the purpose of documenting these (I
> was holding back for Jouni to consider my previous pending patch first), but now
> you've forced my hand. See "[PATCH] Add config information related to MACsec"
> for the information you seek.
> > Also is there a way to get the netlink support needed to send the
> > derived keys to the kernel after MKA completes? That is to say can the
> > entire end to end workflow be made to succeed up to and including
> > sending the derived keys to the kernel?
> Also here you have to have a fairly recent libnl installed, or built. I've been
> working with libnl 3.2.29, which was not yet packaged, so I did that myself and
> installed that for testing.
> >
> > Thanks very much for any help you guys can offer, and thanks so much
> > for all of the excellent work in this area.
> >
> > John Glotzer
> >
> Thanks,
> Jaap
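
A pre-flight check for the build and runtime settings discussed in this thread, added here as an example; it is not code from either poster or from the hostap project. `CONFIG_MACSEC` and `eapol_version=3` come from the thread; `CONFIG_DRIVER_MACSEC_LINUX`, `macsec_policy`, `mka_cak` and `mka_ckn` are wpa_supplicant options whose use for a pre-shared-key setup is assumed here, and the function names, file names and key values are constructed.

```shell
#!/bin/sh
# Added example: pre-flight check for a wpa_supplicant MKA/MACsec setup.

# has_line FILE REGEX: true if an uncommented line of FILE matches REGEX.
has_line() { grep -Eq "^[[:space:]]*$2[[:space:]]*\$" "$1"; }

# check_build FILE: the build .config must enable MACsec and the Linux driver.
check_build() {
    rc=0
    for opt in CONFIG_MACSEC CONFIG_DRIVER_MACSEC_LINUX; do
        has_line "$1" "$opt=y" || { echo "build: $opt=y not set"; rc=1; }
    done
    return $rc
}

# check_runtime FILE: settings for MKA with a pre-shared CAK/CKN (assumed setup).
check_runtime() {
    rc=0
    has_line "$1" 'eapol_version=3' || { echo "conf: need eapol_version=3"; rc=1; }
    has_line "$1" 'macsec_policy=1' || { echo "conf: need macsec_policy=1"; rc=1; }
    has_line "$1" 'mka_cak=([0-9a-fA-F]{32}|[0-9a-fA-F]{64})' ||
        { echo "conf: mka_cak must be 32 or 64 hex digits"; rc=1; }
    has_line "$1" 'mka_ckn=([0-9a-fA-F]{2}){1,32}' ||
        { echo "conf: mka_ckn must be 2..64 hex digits"; rc=1; }
    # The file holds the CAK: reject any group/other permission bits.
    case "$(stat -c %a "$1")" in
        *00) ;;
        *) echo "conf: $1 is accessible to group/other"; rc=1 ;;
    esac
    return $rc
}

# write_sample DIR: constructed inputs (keys included) for trying the checks offline.
write_sample() {
    printf '%s\n' 'CONFIG_DRIVER_MACSEC_LINUX=y' 'CONFIG_MACSEC=y' > "$1/.config"
    cat > "$1/wpa.conf" <<'EOF'
eapol_version=3
ap_scan=0
network={
    key_mgmt=NONE
    eapol_flags=0
    macsec_policy=1
    mka_cak=0123456789abcdef0123456789abcdef
    mka_ckn=00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
}
EOF
    chmod 600 "$1/wpa.conf"
}

if [ "$#" -eq 2 ]; then check_build "$1" && check_runtime "$2"; fi
```

Run it as `sh check.sh .config wpa_supplicant.conf`; the permission check uses GNU `stat`, as found on the Linux hosts the thread describes.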
