Hostapd fails to create MACsec interface after successful authentication
I am trying to set up a remote connection for MACsec utilizing hostapd (v2.11-devel). I have compiled the software with:
CONFIG_DRIVER_WIRED=y
CONFIG_MACSEC=y
CONFIG_DRIVER_MACSEC_LINUX=y
to get the MACsec driver.
This is my hostapd.conf file:
########## hostapd example configuration for MACsec ##########
logger_stdout=-1
logger_stdout_level=1
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
eapol_version=3
# Interface where hostapd has to listen
interface=enp88s0
# hostapd driver (in this case, the MACsec one is chosen)
driver=macsec_linux
# Enable 802.1X authentication
ieee8021x=1
# Reauthentication timer
eap_reauth_period=3600
# hostapd is not to be used as the EAP server; the RADIUS server will be
eap_server=0
# Use PAE group address (i.e. multicast MAC address)
use_pae_group_addr=1
macsec_policy=1
macsec_integ_only=1
macsec_replay_protect=1
########## RADIUS server configuration ##########
#IP address of the access point (i.e. the IP address used by hostapd to reach
#the RADIUS server
own_ip_addr=127.0.0.1
radius_client_addr=127.0.0.1
# RADIUS authentication server
auth_server_addr=127.0.0.1
# 1812 is the default
auth_server_port=1812
auth_server_shared_secret=testing123
# RADIUS accounting server
acct_server_addr=127.0.0.1
# 1813 is the default
acct_server_port=1813
acct_server_shared_secret=testing123
This is my wpa_supplicant.conf file:
# Since it is a wired connection, wpa_supplicant does not have to
# scan for an access point
ap_scan=0
# Disable EAP fast reauthentication
fast_reauth=0
# MACsec Key Agreement (MKA) is defined in EAPOL version 3
eapol_version=3
network={
# key management type - MUST be IEEE8021X because
# MACsec Key Agreement (MKA) is an extension of
# the IEEE 802.1X standard
key_mgmt=IEEE8021X
eapol_flags=0
identity="test"
# EAP type - MUST be TLS for MACsec
eap=TLS
# CA certificate file
ca_cert="/etc/wpa_supplicant/ca.pem"
# client certificate file
client_cert="/etc/wpa_supplicant/[email protected]"
# private key file
private_key="/etc/wpa_supplicant/[email protected]"
# password used to cipher the private key
private_key_passwd="testing123"
# enables MACsec protection
macsec_policy=1
}
I use a FreeRADIUS server as the authentication server, with the default settings, running on the same device as hostapd.
The authentication works as expected and I get an Access-Accept response on both the Authentication and Accounting. However, it fails to create the actual MACsec interface. These are some of the logs from hostapd:
...
from RADIUS server: EAP Success
EAP: EAP entering state SUCCESS2
enp88s0: CTRL-EVENT-EAP-SUCCESS2 1c:69:7a:ac:9a:41
IEEE 802.1X: 1c:69:7a:ac:9a:41 BE_AUTH entering state SUCCESS
enp88s0: STA 1c:69:7a:ac:9a:41 IEEE 802.1X: Sending EAP Packet (identifier 101)
IEEE 802.1X: 1c:69:7a:ac:9a:41 AUTH_PAE entering state AUTHENTICATED
enp88s0: AP-STA-CONNECTED 1c:69:7a:ac:9a:41
enp88s0: STA 1c:69:7a:ac:9a:41 IEEE 802.1X: authorizing port
enp88s0: STA 1c:69:7a:ac:9a:41 RADIUS: starting accounting session AA08DD8D818689CD
enp88s0: RADIUS Sending RADIUS message to accounting server
RADIUS message: code=4 (Accounting-Request) identifier=8 length=148
Attribute 40 (Acct-Status-Type) length=6
Value: 1
Attribute 45 (Acct-Authentic) length=6
Value: 1
Attribute 1 (User-Name) length=6
Value: 'test'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 30 (Called-Station-Id) length=20
Value: '1C-69-7A-AC-76-13:'
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 6 (Service-Type) length=6
Value: 2
Attribute 31 (Calling-Station-Id) length=19
Value: '1C-69-7A-AC-9A-41'
Attribute 77 (Connect-Info) length=23
Value: 'CONNECT 0Mbps 802.11b'
Attribute 44 (Acct-Session-Id) length=18
Value: 'AA08DD8D818689CD'
Attribute 55 (Event-Timestamp) length=6
Value: 1652389718
Attribute 41 (Acct-Delay-Time) length=6
Value: 0
enp88s0: RADIUS Next RADIUS client retransmit in 3 seconds
enp88s0: STA 1c:69:7a:ac:9a:41 IEEE 802.1X: authenticated - EAP type: 13 (TLS)
IEEE 802.1X: External notification - Create MKA for 1c:69:7a:ac:9a:41
MACsec: Successfully fetched key (len=64)
MSK: - hexdump(len=64): [REMOVED]
MACsec: Failed to get SessionID from EAPOL state machines
IEEE 802.1X: Could not get EAP Session Id
IEEE 802.1X: 1c:69:7a:ac:9a:41 BE_AUTH entering state IDLE
enp88s0: RADIUS Received 20 bytes from RADIUS server
enp88s0: RADIUS Received RADIUS message
RADIUS message: code=5 (Accounting-Response) identifier=8 length=20
enp88s0: STA 1c:69:7a:ac:9a:41 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Received EAPOL packet
enp88s0: Event NEW_STA (22) received
enp88s0: Event EAPOL_RX (23) received
IEEE 802.1X: 68 bytes from 1c:69:7a:ac:9a:41 (encrypted=-1)
IEEE 802.1X: version=3 type=5 length=64
l2_packet_receive: src=1c:69:7a:ac:9a:41 len=82
KaY: RX EAPOL-MKA - hexdump(len=82): 01 80 c2 00 00 03 1c 69 7a ac 9a 41 88 8e 03 05 00 40 01 ff 60 2c 1c 69 7a ac 9a 41 00 01 c5 de e4 16 e5 1e 03 fa bc 23 ba aa 00 00 00 01 00 80 c2 01 06 9a 34 53 72 29 85 4c b8 f2 23 a2 c5 19 b9 71 a9 af f6 80 5e 63 0c d4 64 1b 6a e4 2d 73 d3 a4
KaY: No MKA participant instance - ignore EAPOL-MKA
Received EAPOL packet
enp88s0: Event NEW_STA (22) received
enp88s0: Event EAPOL_RX (23) received
IEEE 802.1X: 68 bytes from 1c:69:7a:ac:9a:41 (encrypted=-1)
IEEE 802.1X: version=3 type=5 length=64
l2_packet_receive: src=1c:69:7a:ac:9a:41 len=82
KaY: RX EAPOL-MKA - hexdump(len=82): 01 80 c2 00 00 03 1c 69 7a ac 9a 41 88 8e 03 05 00 40 01 ff 60 2c 1c 69 7a ac 9a 41 00 01 c5 de e4 16 e5 1e 03 fa bc 23 ba aa 00 00 00 02 00 80 c2 01 06 9a 34 53 72 29 85 4c b8 f2 23 a2 c5 19 b9 71 c7 9c 10 d4 1b 6a 9b 04 85 98 6f e8 45 c1 22 7c
KaY: No MKA participant instance - ignore EAPOL-MKA
IEEE 802.1X: 1c:69:7a:ac:9a:41 - (EAP) retransWhile --> 0
My guess is that this is the problem:
MACsec: Successfully fetched key (len=64)
MSK: - hexdump(len=64): [REMOVED]
MACsec: Failed to get SessionID from EAPOL state machines
IEEE 802.1X: Could not get EAP Session Id
IEEE 802.1X: 1c:69:7a:ac:9a:41 BE_AUTH entering state IDLE
but I'm not sure how to solve it. Any help would be much appreciated.
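Editor's note on the failing step in the log. With eap_server=0 hostapd is a pass-through authenticator: it relays EAP between the supplicant and FreeRADIUS and only receives the MSK (the "Successfully fetched key (len=64)" line) from the MS-MPPE keys in the Access-Accept. MKA additionally needs the EAP Session-Id, and for EAP-TLS that value is 0x0D || client.random || server.random (RFC 5216 section 2.3), which only the two TLS endpoints know, so a pass-through authenticator cannot compute it. The RADIUS attribute defined to carry the EAP Session-Id to the authenticator is EAP-Key-Name (attribute type 102, RFC 4072), so the first thing to check when the log says "Could not get EAP Session Id" is whether the Access-Accept contains that attribute at all. The script below is an added example, not code from the question or from hostapd or FreeRADIUS. It builds two constructed Access-Accept packets for the exchange in the log (EAP identifier 101, shared secret testing123 from the hostapd.conf above; the Request Authenticator and the Session-Id bytes are made up), verifies the Response Authenticator (RFC 2865) and Message-Authenticator (RFC 3579) so a forged or mis-keyed reply is not mistaken for the real one, and reports whether EAP-Key-Name is present and shaped like an EAP-TLS Session-Id. The same check_access_accept() can be pointed at bytes captured from port 1812 with tcpdump.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types used here (RFC 2865, RFC 3579, RFC 4072)
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
ATTR_EAP_KEY_NAME = 102  # carries the EAP Session-Id to the authenticator (RFC 4072)

# EAP-TLS Session-Id = 0x0D || client.random (32) || server.random (32)  (RFC 5216 2.3)
EAP_TLS_TYPE = 0x0D
EAP_TLS_SESSION_ID_LEN = 65


def encode_attr(attr_type, value):
    """One RADIUS attribute TLV: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attrs(data):
    """Walk the attribute TLVs. Length 2 (empty value) is accepted: a NAS asks
    for the key name by sending an empty EAP-Key-Name in the Access-Request."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_accept(identifier, request_auth, secret, attrs):
    """Constructed Access-Accept with a valid Message-Authenticator (RFC 3579 3.2)
    and Response Authenticator (RFC 2865 3). attrs is a list of (type, value)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    # For a response the HMAC-MD5 runs over the packet with the *Request*
    # Authenticator in the authenticator field and the Message-Authenticator zeroed.
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def check_access_accept(packet, request_auth, secret):
    """Validate both authenticators and report whether EAP-Key-Name is present
    and shaped like an EAP-TLS Session-Id. Returns a dict for the caller to log."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    header, response_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    attrs = parse_attrs(body)
    ma_ok = False
    for i, (attr_type, value) in enumerate(attrs):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = b"".join(encode_attr(t, bytes(16) if j == i else v)
                              for j, (t, v) in enumerate(attrs))
            mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
            ma_ok = hmac.compare_digest(value, mac)
    key_name = next((v for t, v in attrs if t == ATTR_EAP_KEY_NAME), None)
    return {
        "response_authenticator_ok": hmac.compare_digest(response_auth, expected),
        "message_authenticator_ok": ma_ok,
        "eap_key_name": key_name,
        "looks_like_eap_tls_session_id": (key_name is not None
                                          and len(key_name) == EAP_TLS_SESSION_ID_LEN
                                          and key_name[0] == EAP_TLS_TYPE),
    }


def demo():
    """Two constructed Access-Accepts for the exchange in the log: one carrying
    only the EAP Success (the symptom in the question) and one that also carries
    the EAP-Key-Name. Every value below is made up for the example."""
    secret = b"testing123"             # auth_server_shared_secret from the hostapd.conf above
    request_auth = bytes(range(16))    # constructed Request Authenticator of the Access-Request
    eap_success = b"\x03\x65\x00\x04"  # EAP Success, identifier 101, as in the log
    session_id = bytes([EAP_TLS_TYPE]) + b"\x11" * 32 + b"\x22" * 32  # constructed Session-Id
    base = [(ATTR_USER_NAME, b"test"), (ATTR_EAP_MESSAGE, eap_success)]
    results = {}
    for label, attrs in (("without_eap_key_name", base),
                         ("with_eap_key_name", base + [(ATTR_EAP_KEY_NAME, session_id)])):
        pkt = build_access_accept(8, request_auth, secret, attrs)
        results[label] = check_access_accept(pkt, request_auth, secret)
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, "EAP-Key-Name present:", r["eap_key_name"] is not None,
              "authenticators ok:", r["response_authenticator_ok"] and r["message_authenticator_ok"])
```

The first constructed reply reproduces the situation in the log: the authenticators verify, the MSK would be available from the MS-MPPE keys, but there is no attribute 102, so nothing carries the Session-Id that MKA needs. If a real capture shows the same, the RADIUS server side is where the Session-Id has to be made available to the authenticator; if the attribute is present but hostapd still logs the error, the problem is on the hostapd side.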
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow