Key server election on peer-to-peer MACsec with MKA

Michael Siedzik msiedzik at
Wed Sep 9 08:56:58 EDT 2020

Hi Edmond,

By adding a third peer you are switching from a peer-to-peer CA to a Group CA (see IEEE802.1X-2010, Clause 5.11.2 Key Server support for Group CAs).  You might be the first person trying to enable Group CAs, in which case the hostap code might be incomplete and/or untested for this feature.  The first thing that you might want to check is that each peer in your system is using a different MAC address.  Next, walk through the source code, src/pae/ieee802_1x_kay.c, to see if it conforms to the Group CA rules set forth in IEEE802.1X-2010 (i.e., Clause 9.17.2 Another participant joins).

BTW, I'm just a user of hostap, not an owner/developer.  I think in most real world situations MACsec/MKA is deployed on point-to-point LANs so peer-to-peer CAs are sufficient.

- Mike Siedzik

More information about the Hostap mailing list