When using hostapd and wpa_supplicant to configure MACsec with 802.1X authentication...

The current implementation restricts usage to LAN segments which don't cross switches (except for managed switches which allow the user to disable 802.1D compliance and forwarding frames which should otherwise be filtered e.g. Cisco "eapol-relay", and Linux's "group_fwd_mask" etc.).

The code currently hard-codes the "PAE Group Address" (01:80:c2:00:00:03) when creating EAPOL packets. It also filters received MKPDU packets which don't have their destination address set to 01:80:c2:00:00:03.

The receive filtering doesn't appear to conform with 802.1X-2010 or 802.1X-2020 which both state that these packets shouldn't have a unicast destination address, but don't place any other restrictions on the destination address.

The attached patch improves standards compliance by dropping the receive packet filter restriction, allowing negotiation to succeed in some circumstances when it otherwise would fail.

Time permitting, I'll follow up with patches to allow hostapd and wpa_supplicant users to specify alternative destination MAC addresses as per 802.1X-2020, 802.1AE-2018 (other devices already allow this e.g. Cisco "eapol destination-address", Juniper "eapol-address" and HP Procurve "eapol-destination-mac").

Tim Small (1):
  Improve MKPDU 802.1X conformance, don't require pae group dest address

 src/pae/ieee802_1x_kay.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

-- 
2.39.5
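
The two receive policies discussed above, as an added example that is not part of the original message or the hostapd source: the first accepts an EAPOL-MKA frame only at the PAE group address, the second accepts any group (non-unicast) destination. The frames, function names and the any-group rule are assumptions made for illustration; the patch itself is not shown on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EX_ETH_HLEN 14        /* dst(6) + src(6) + EtherType(2) */
#define EX_ETH_P_PAE 0x888E   /* EAPOL EtherType */
#define EX_EAPOL_MKA 5        /* EAPOL packet type carrying an MKPDU */

static const uint8_t pae_group[6] = {0x01, 0x80, 0xc2, 0x00, 0x00, 0x03};

/* Constructed frames: Ethernet header + EAPOL header (version 3, type 5,
 * length 0). Source and non-PAE destination addresses are made up. */
#define EX_TAIL 0x02, 0, 0, 0, 0, 0xaa, 0x88, 0x8e, 3, 5, 0, 0
static const uint8_t to_pae_group[] = {0x01, 0x80, 0xc2, 0, 0, 0x03, EX_TAIL};
static const uint8_t to_other_group[] = {0x03, 0, 0, 0, 0, 0x01, EX_TAIL};
static const uint8_t to_unicast[] = {0x02, 0, 0, 0, 0, 0x01, EX_TAIL};

/* 1 if the buffer holds a full EAPOL header of type EAPOL-MKA. */
static int is_eapol_mka(const uint8_t *f, size_t len)
{
    if (len < EX_ETH_HLEN + 4)
        return 0;
    return ((f[12] << 8) | f[13]) == EX_ETH_P_PAE &&
           f[EX_ETH_HLEN + 1] == EX_EAPOL_MKA;
}

/* Policy described as current behaviour: only the PAE group address. */
static int accept_pae_group_only(const uint8_t *f, size_t len)
{
    return is_eapol_mka(f, len) && memcmp(f, pae_group, 6) == 0;
}

/* Alternative: any group destination (I/G bit of first octet set). */
static int accept_any_group(const uint8_t *f, size_t len)
{
    return is_eapol_mka(f, len) && (f[0] & 0x01) != 0;
}

int main(void)
{
    const uint8_t *frames[] = {to_pae_group, to_other_group, to_unicast};
    const char *names[] = {"PAE group", "other group", "unicast"};
    for (int i = 0; i < 3; i++)
        printf("%-12s strict=%d any-group=%d\n", names[i],
               accept_pae_group_only(frames[i], 18),
               accept_any_group(frames[i], 18));
    return 0;
}
```
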