Hi Edmond, By adding a third peer you are switching from a peer-to-peer CA to a Group CA (see IEEE802.1X-2010, Clause 5.11.2 Key Server support for Group CAs). You might be the first person trying to enable Group CAs, in which case the hostap code might be incomplete and/or untested for this feature. The first thing that you might want to check is that each peer in your system is using a different MAC address. Next, walk through the source code, src/pae/ieee802_1x_kay.c, to see if it conforms to the Group CA rules set forth in IEEE802.1X-2010 (i.e., Clause 9.17.2 Another participant joins). BTW, I'm just a user of hostap, not an owner/developer. I think in most real world situations MACsec/MKA is deployed on point-to-point LANs so peer-to-peer CAs are sufficient. Sincerely, - Mike Siedzik _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
