I'm trying to set up MKA between some clients (using wpa_supplicant) and an authenticator (using hostapd).
Additionally I have a RADIUS server (using FreeRADIUS) that is going to be handling the authentication side of things.
So:
RADIUS server has FreeRADIUS configured for EAP-TLS
Authenticator has hostapd configured with the RADIUS server as auth server
Clients have their client certs & wpa_supplicant configured for EAP-TLS
Like this, everything works just fine, and I get the EAP-SUCCESS messages from all sides:
Auth Server:
(393) Sent Access-Accept Id 37 from 10.0.0.254:1812 to 10.0.0.250:42690 length 252
Authenticator:
EAP: EAP entering state SUCCESS2
br0: CTRL-EVENT-EAP-SUCCESS2 8e:43:b5:ca:b6:f2
IEEE 802.1X: 8e:43:b5:ca:b6:f2 BE_AUTH entering state SUCCESS
br0: STA 8e:43:b5:ca:b6:f2 IEEE 802.1X: Sending EAP Packet (identifier 236)
IEEE 802.1X: 8e:43:b5:ca:b6:f2 AUTH_PAE entering state AUTHENTICATED
br0: AP-STA-CONNECTED 8e:43:b5:ca:b6:f2
br0: STA 8e:43:b5:ca:b6:f2 IEEE 802.1X: authorizing port
br0: STA 8e:43:b5:ca:b6:f2 RADIUS: starting accounting session 1F1E651F858DB876
br0: RADIUS Sending RADIUS message to accounting server
br0: RADIUS Next RADIUS client retransmit in 3 seconds
Client:
eth0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
As far as I understand it, this is the prerequisite for MKA, where a keyserver generates the keys and sends them to the authenticator to establish the MACSEC connection, which is what I want to happen next.
So in the FreeRADIUS directory on the server I edit the sites-available/default
file and uncomment this section:
# MacSEC requires the use of EAP-Key-Name. However, we don't
# want to send it for all EAP sessions. Therefore, the EAP
# modules put required data into the EAP-Session-Id attribute.
# This attribute is never put into a request or reply packet.
#
# Uncomment the next few lines to copy the required data into
# the EAP-Key-Name attribute
if (&reply:EAP-Session-Id) {
    update reply {
        EAP-Key-Name := &reply:EAP-Session-Id
    }
}
After which I see the key material being successfully received by hostapd on the authenticator:
MS-MPPE-Send-Key - hexdump(len=32): [REMOVED]
MS-MPPE-Recv-Key - hexdump(len=32): [REMOVED]
EAP-Key Name - hexdump(len=65): 0d 4b f6 4e 19 d1 af 12 86 6a ff 30 a4 48 44 f4 4c c3 51 a8 bf d4 2c ce f5 d7 2b d4 b9 d1 4d 32 bc d6 50 82 bc 19 70 4b 39 11 96 f6 d1 fb 53 ec 16 a6 2d 89 39 8b c3 78 a2 e4 31 f4 39 95 d7 d3 bf
However, there didn't seem to be anything else happening after this point. I thought I had to change the config files to enforce MACSEC, so on the Client I edited the wpa_supplicant.conf file to add macsec_policy=1 in the network configuration, but that alone doesn't seem to trigger anything, so I thought maybe I need to configure hostapd too.
However, when I add macsec_policy=1 to hostapd.conf on the Authenticator, hostapd doesn't recognize the option:
Line 39: unknown configuration item 'macsec_policy'
1 errors found in configuration file '/etc/hostapd/hostapd.conf'
Failed to set up interface with /etc/hostapd/hostapd.conf
hostapd_init: free iface 0x55a72992bbf0
Failed to initialize interface
What do I need to do to enforce that a macsec channel be created between the authenticator and clients?
I feel like I'm close since the key material is being received by hostapd, but I'm not sure how to complete the configuration. I found this old question here that shows a sample wpa_supplicant.conf file, which looks more or less like what I have, but he doesn't mention what he has configured at the authenticator side.
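A small check for the hostapd output quoted above, added here as an example and not part of the question: it parses hostapd's `NAME - hexdump(len=N): ...` debug lines, flags redacted key material, and verifies that the delivered EAP-Key-Name has the shape of an EAP-TLS Session-Id (RFC 5216: type octet 0x0D followed by the 32-byte client.random and 32-byte server.random, 65 bytes in total), which is the value the FreeRADIUS snippet copies out of EAP-Session-Id. The log text is constructed from the lines in the question; the function names are my own.

```python
import re

# Constructed sample: the three hostapd debug lines from the question. The TLS
# randoms in EAP-Key-Name are public handshake values, the MPPE keys are redacted.
SAMPLE_LOG = """\
MS-MPPE-Send-Key - hexdump(len=32): [REMOVED]
MS-MPPE-Recv-Key - hexdump(len=32): [REMOVED]
EAP-Key Name - hexdump(len=65): 0d 4b f6 4e 19 d1 af 12 86 6a ff 30 a4 48 44 f4 4c c3 51 a8 bf d4 2c ce f5 d7 2b d4 b9 d1 4d 32 bc d6 50 82 bc 19 70 4b 39 11 96 f6 d1 fb 53 ec 16 a6 2d 89 39 8b c3 78 a2 e4 31 f4 39 95 d7 d3 bf
"""

HEXDUMP_RE = re.compile(r"^(?P<name>.+?) - hexdump\(len=(?P<len>\d+)\): (?P<body>.*)$")
EAP_TYPE_TLS = 0x0D          # EAP method type 13 = EAP-TLS (RFC 5216)
TLS_RANDOM_LEN = 32          # client.random and server.random are 32 octets each


def parse_hexdumps(log):
    """Map attribute name -> bytes for every hostapd hexdump line in `log`.
    A value of None means hostapd redacted the bytes ([REMOVED]), i.e. key
    material was present but deliberately not logged. Raises if the declared
    len= does not match the number of hex octets actually printed."""
    out = {}
    for line in log.splitlines():
        m = HEXDUMP_RE.match(line.strip())
        if not m:
            continue
        name, declared, body = m.group("name"), int(m.group("len")), m.group("body").strip()
        if body == "[REMOVED]":
            out[name] = None
            continue
        data = bytes.fromhex(body.replace(" ", ""))
        if len(data) != declared:
            raise ValueError(f"{name}: declared len={declared}, got {len(data)} octets")
        out[name] = data
    return out


def check_eap_tls_session_id(key_name):
    """Return the client/server randoms if `key_name` is an EAP-TLS Session-Id
    per RFC 5216 (0x0D || client.random || server.random), else None. A None
    result means the RADIUS server did not hand back a usable EAP-Key-Name
    (missing, redacted, wrong EAP method, or truncated), so MKA cannot use it."""
    expected_len = 1 + 2 * TLS_RANDOM_LEN
    if key_name is None or len(key_name) != expected_len or key_name[0] != EAP_TYPE_TLS:
        return None
    return {
        "client_random": key_name[1:1 + TLS_RANDOM_LEN],
        "server_random": key_name[1 + TLS_RANDOM_LEN:],
    }
```

Run it against a full hostapd debug log (`hostapd -dd`) to confirm the authenticator is receiving a complete 65-octet EAP-Key-Name rather than an empty or truncated attribute.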