Hi Jaap, Thanks so much for the helpful and quick reply and most especially for the patch. Few things - after writing my email I got things working which I was very happy about. For wpa_supplicant build config I went to http://pkgs.fedoraproject.org/cgit/rpms/wpa_supplicant.git/tree/build-config took that and just commented out the DBUS stuff - and yes I was building from HEAD. For libnl the binary in Fedora26 I notice was 3.3.3 so I think I got lucky there. For runtime config and command line arguments I just cobbled together these from what you and Sabrina used. The thing is - it all "just worked" - great news. My next steps will be to ingest your patch and then to try to understand the inner workings a bit more and then to integrate an EAP step into my workflow. Thanks and warm regards, John Glotzer > > > > Message: 3 > Date: Sat, 27 May 2017 19:03:07 +0200 > From: Jaap Keuter <jaap.keuter@xxxxxxxxx> > To: John Glotzer <jglotzer@xxxxxxxxx>, hostap@xxxxxxxxxxxxxxxxxxx > Subject: Re: Question on wpa_supplicant setup for MKA > Message-ID: <edfdc179-76ea-68f2-57eb-a7d402b939c0@xxxxxxxxx> > Content-Type: text/plain; charset=windows-1252 > > Hi John, > > See my comments inline. > > > On 26-05-17 08:12, John Glotzer wrote: > > Hi Jaap and Sabrina, > > > > I am trying to replicate what Jaap has described, which is to say to > > use wpa_supplicant to drive the MKA between two MACSEC capable hosts. > > > > I have set up statically configured MACSEC between two virtual > > instances using Fedora26-Alpha which has the 4.11 kernel MACSEC > > implementation and this all works as expected. > > > > I don't think that the binary in the Fedora26 is sufficiently new > > enough to support all that is needed (for example it rejects the > > config line eapol_version=3) but in any case I want to build my own. > > The required additions were included after hostap/wpa_supplicant 2.6 was > released, so you'll need bleeding edge (aka. git HEAD) software build and > running on your setup. > > > > When I look at the source HEAD for hostap/wpa_supplicant I see that > > while there are a lot of #ifdef checks for CONFIG_MACSEC in the source > > I don't see an option in the defconfig file for turning on > > CONFIG_MACSEC. Is this omission significant or do I just add the > > CONFIG line anyway? > > > > Also (and most importantly) what are the other CONFIG lines that I > > should specify during the build? > > I've been sitting on a patch exactly with the purpose of documenting these (I > was holding back for Jouni to consider my previous pending patch first), but now > you've forced my hand. See "[PATCH] Add config information related to MACsec" > for the information you seek. > > > > Also is there a way to get the netlink support needed to send the > > derived keys to the kernel after MKA completes? That is to say can the > > entire end to end workflow be made to succeed up to and including > > sending the derived keys to the kernel? > > Also here you have to have a fairly recent libnl installed, or build. I've been > working with libnl 3.2.29, which was not yet packaged, so I did that myself and > installed that for testing. > > > > > > Thanks very much for any help you guys can offer, and thanks so much > > for all of the excellent work in this area. > > > > John Glotzer > > > > Thanks, > Jaap > _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
