Using the macsec interface with wpa_supplicant (802.1X-2010)

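I have created a wpa_supplicant.conf file for macsec. I want to use the MACsec Key Agreement protocol to establish session keys and create a secure channel.

I have the following wpa_supplicant.conf file.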

[root@localhost ~]# cat wpa_eap-tls_MACsec.conf 
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0
eapol_version=3
  network={
  eap=TLS
  eapol_flags=0
  key_mgmt=IEEE8021X
  identity="laptop"
  password="password"
  ca_cert="/root/ca.pem"
  client_cert="/root/laptop.pem"
  private_key="/root/laptop.key"
  private_key_passwd="password"
  macsec_policy=1
}
[root@localhost ~]#

I run the wpa_supplicant program:

[root@localhost ~]#  wpa_supplicant -i eno1 -D macsec_linux -c /root/wpa_eap-tls_MACsec.conf -d

EAP-TLS authentication succeeds. I can see the agreed keys in the output, and the macsec0 interface is created. However, "ip macsec show" does not display the macsec0 interface.

KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=64
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 255
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 78:2b:cb:a1:04:3a@1
    Actor's Member Identifier: bc27e27b98f22dceb3a87ea5
    Actor's Message Number: 1
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): a2 fe 8a e3 ad 9e 0e b4 83 17 35 80 84 06 8f db
KaY: ICV - hexdump(len=16): b0 5c 16 7f 29 f8 7a 8a 42 68 c4 87 52 c1 11 00
KaY: Participant timer (ifname=eno1)
KaY: Encode and send an MKPDU (ifname=eno1)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=78:2b:cb:a1:04:3a Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=64
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 255
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 78:2b:cb:a1:04:3a@1
    Actor's Member Identifier: bc27e27b98f22dceb3a87ea5
    Actor's Message Number: 2
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): a2 fe 8a e3 ad 9e 0e b4 83 17 35 80 84 06 8f db
KaY: ICV - hexdump(len=16): 8d 1f 1a 65 45 05 b0 bc 82 cf e7 13 5e 14 96 e4
KaY: Participant timer (ifname=eno1)
KaY: Encode and send an MKPDU (ifname=eno1)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=78:2b:cb:a1:04:3a Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=64
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 255
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 78:2b:cb:a1:04:3a@1
    Actor's Member Identifier: bc27e27b98f22dceb3a87ea5
    Actor's Message Number: 3
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): a2 fe 8a e3 ad 9e 0e b4 83 17 35 80 84 06 8f db
KaY: ICV - hexdump(len=16): 03 ff f3 87 ee 26 d7 ba c0 19 27 97 18 68 98 5d
KaY: Participant timer (ifname=eno1)
KaY: participant removed
KaY: Delete transmit SC
macsec_linux: macsec0: delete_transmit_sc -> 78:2b:cb:a1:04:3a::1
EAPOL: startWhen --> 0
EAPOL: authWhile --> 0
EAPOL: idleWhile --> 0
EAPOL: disable timer tick

ip-macsec(8) recommends using wpa_supplicant for key management. How can I use the keys negotiated by wpa_supplicant on the macsec interface?

Thanks in advance for your help.
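To read a long `-d` trace like the one quoted above, the following Python sketch parses the "MKA Basic Parameter Set" dumps and the teardown lines into a short summary. It is an added example, not part of the original post or of wpa_supplicant; the function name `summarize` and the trimmed sample log are assumptions made for illustration.

```python
import re

# Constructed sample: trimmed from the debug output quoted in the post.
SAMPLE = """\
KaY: Encode and send an MKPDU (ifname=eno1)
MKA Basic Parameter Set
    Key Server: 0
    SCI: 78:2b:cb:a1:04:3a@1
    Actor's Message Number: 2
    CAK Name - hexdump(len=16): a2 fe 8a e3 ad 9e 0e b4 83 17 35 80 84 06 8f db
KaY: Participant timer (ifname=eno1)
KaY: Encode and send an MKPDU (ifname=eno1)
MKA Basic Parameter Set
    Key Server: 0
    SCI: 78:2b:cb:a1:04:3a@1
    Actor's Message Number: 3
KaY: Participant timer (ifname=eno1)
KaY: participant removed
KaY: Delete transmit SC
macsec_linux: macsec0: delete_transmit_sc -> 78:2b:cb:a1:04:3a::1
"""

FIELD = re.compile(r"^\s+(.+?):\s+(\S.*)$")  # indented "Name: value" line
MSG = "Actor's Message Number"

def summarize(log: str) -> dict:
    """Collect each MKA Basic Parameter Set and the teardown events."""
    psets, current = [], None
    out = {"sent": 0, "removed": False, "deleted_sc": None}
    for line in log.splitlines():
        if line.startswith("MKA Basic Parameter Set"):
            current = {}
            psets.append(current)
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2)
        else:
            current = None  # an unindented line ends the parameter set
            if "Encode and send an MKPDU" in line:
                out["sent"] += 1
            elif "participant removed" in line:
                out["removed"] = True
            elif "delete_transmit_sc ->" in line:
                out["deleted_sc"] = line.split("->", 1)[1].strip()
    out["message_numbers"] = [int(p[MSG]) for p in psets if MSG in p]
    out["key_server"] = sorted({p.get("Key Server", "?") for p in psets})
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Fed the full trace, the summary shows how many MKPDUs the actor sent, the message numbers it reached, the Key Server flag it advertised, and whether the participant and its transmit SC were torn down.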
