Key server election on peer-to-peer MACsec with MKA
msiedzik at extremenetworks.com
Wed Sep 9 08:56:58 EDT 2020
By adding a third peer you are switching from a peer-to-peer CA to a Group CA (see IEEE802.1X-2010, Clause 5.11.2 Key Server support for Group CAs). You might be the first person trying to enable Group CAs, in which case the hostap code might be incomplete and/or untested for this feature. The first thing that you might want to check is that each peer in your system is using a different MAC address. Next, walk through the source code, src/pae/ieee802_1x_kay.c, to see if it conforms to the Group CA rules set forth in IEEE802.1X-2010 (i.e., Clause 9.17.2 Another participant joins).
BTW, I'm just a user of hostap, not an owner/developer. I think in most real world situations MACsec/MKA is deployed on point-to-point LANs so peer-to-peer CAs are sufficient.
- Mike Siedzik
More information about the Hostap