5.3. Using MACsec with wpa_supplicant and NetworkManager
Media Access Control Security
(MACsec
, IEEE 802.1AE) encrypts and authenticates all traffic in LANs with the GCM-AES-128 algorithm. MACsec
can protect not only IP
but also Address Resolution Protocol (ARP), Neighbor Discovery (ND), or DHCP
. While IPsec
operates on the network layer (layer 3) and SSL
or TLS
on the application layer (layer 7), MACsec
operates in the data link layer (layer 2). Combine MACsec
with security protocols for other networking layers to take advantage of different security features that these standards provide.
To enable
MACsec
with a switch that performs authentication using a pre-shared Connectivity Association Key/CAK Name (CAK/CKN) pair:
Procedure
- Create a CAK/CKN pair. For example, the following command generates a 16-byte key in hexadecimal notation:
~]$
dd if=/dev/urandom count=16 bs=1 2> /dev/null | hexdump -e '1/2 "%02x"'
- Create the
wpa_supplicant.conf
configuration file and add the following lines to it:ctrl_interface=/var/run/wpa_supplicant eapol_version=3 ap_scan=0 fast_reauth=1 network={ key_mgmt=NONE eapol_flags=0 macsec_policy=1 mka_cak=0011... # 16 bytes hexadecimal mka_ckn=2233... # 32 bytes hexadecimal }
Use the values from the previous step to complete themka_cak
andmka_ckn
lines in thewpa_supplicant.conf
configuration file.See thewpa_supplicant.conf(5)
man page for more information. - Assuming you are using wlp61s0 to connect to your network, start wpa_supplicant using the following command:
~]#
wpa_supplicant -i wlp61s0 -Dmacsec_linux -c wpa_supplicant.conf
Instead of creating and editing the
wpa_supplicant.conf
file, Red Hat recommends using the nmcli
command to configure wpa_supplicant equivalently as in the previous steps. The following example assumes that you already have a 16-byte hexadecimal CAK ($MKA_CAK
) and a 32-byte hexadecimal CKN ($MKA_CKN
):
~]# nmcli connection add type macsec \ con-name test-macsec+ ifname macsec0 \ connection.autoconnect no \ macsec.parent wlp61s0 macsec.mode psk \ macsec.mka-cak $MKA_CAK \ macsec.mka-cak-flags 0 \ macsec.mka-ckn $MKA_CKN ~]# nmcli connection up test-macsec+
After this step, the macsec0 device should be configured and used for networking.
For more details, see the What’s new in MACsec: setting up MACsec using wpa_supplicant and (optionally) NetworkManager article. In addition, see the MACsec: a different solution to encrypt network traffic article for more information about the architecture of a
MACsec
network, use case scenarios, and configuration examples.