diff options
author | Christian Poessinger <christian@poessinger.com> | 2020-05-21 16:09:17 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-05-21 16:09:17 +0200 |
commit | ab29e70bdd5b5a70e8e8822d521130a63055ada8 (patch) | |
tree | 8f73508e231f9de949eeec6a4b7efa1a25759bda /data/templates/macsec | |
parent | ad44a7301c038e0a300a20fc26952e86b3b92d83 (diff) | |
parent | 5df7e8f35234497c03d504ea838dbd7044c49bb3 (diff) | |
download | vyos-1x-ab29e70bdd5b5a70e8e8822d521130a63055ada8.tar.gz vyos-1x-ab29e70bdd5b5a70e8e8822d521130a63055ada8.zip |
Merge branch 'macsec-t2023' of github.com:c-po/vyos-1x into current
* 'macsec-t2023' of github.com:c-po/vyos-1x:
macsec: T2023: cleanup wpa_supplicant config file name
macsec: T2023: improve verify() when encryption is enabled
macsec: T2023: support MACsec Key Agreement protocol actor priority
macsec: T2023: rename "security key" node to "security mka"
macsec: T2023: use wpa_supplicant for key management
macsec: T2023: cli: move "cipher" and "encryption" under new "secutiry" node
macsec: T2023: extend key generator for CAK and CKN in operation mode
macsec: T2023: remove gcm-aes-256 cipher type
macsec: T2023: cipher suite is mandatory
macsec: T2023: use list when working with Config()
macsec: T2023: add 'show interfaces macsec' op-mode tree
macsec: T2023: add optional encryption command
macsec: T2023: generate secure channel keys in operation mode
macsec: T2023: add initial XML and Python interfaces
ifconfig: T2023: add initial MACsec abstraction
interface: T2023: adopt _delete() to common style
interface: T2023: remove superfluous at end of list
macvlan: T2023: prepare common source interface include file
Diffstat (limited to 'data/templates/macsec')
-rw-r--r-- | data/templates/macsec/wpa_supplicant.conf.tmpl | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/data/templates/macsec/wpa_supplicant.conf.tmpl b/data/templates/macsec/wpa_supplicant.conf.tmpl new file mode 100644 index 000000000..eee215418 --- /dev/null +++ b/data/templates/macsec/wpa_supplicant.conf.tmpl @@ -0,0 +1,65 @@ +# autogenerated by interfaces-macsec.py + +# see full documentation: +# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf + +# For UNIX domain sockets (default on Linux and BSD): This is a directory that +# will be created for UNIX domain sockets for listening to requests from +# external programs (CLI/GUI, etc.) for status information and configuration. +# The socket file will be named based on the interface name, so multiple +# wpa_supplicant processes can be run at the same time if more than one +# interface is used. +# /var/run/wpa_supplicant is the recommended directory for sockets and by +# default, wpa_cli will use it when trying to connect with wpa_supplicant. +ctrl_interface=/run/wpa_supplicant + +# Note: When using MACsec, eapol_version shall be set to 3, which is +# defined in IEEE Std 802.1X-2010. +eapol_version=3 + +# No need to scan for access points in MACsec mode +ap_scan=0 + +# EAP fast re-authentication +fast_reauth=1 + +network={ + key_mgmt=NONE + + # Note: When using wired authentication (including MACsec drivers), + # eapol_flags must be set to 0 for the authentication to be completed + # successfully. + eapol_flags=0 + + # macsec_policy: IEEE 802.1X/MACsec options + # This determines how sessions are secured with MACsec (only for MACsec + # drivers). + # 0: MACsec not in use (default) + # 1: MACsec enabled - Should secure, accept key server's advice to + # determine whether to use a secure session or not. + macsec_policy=1 + + # macsec_integ_only: IEEE 802.1X/MACsec transmit mode + # This setting applies only when MACsec is in use, i.e., + # - macsec_policy is enabled + # - the key server has decided to enable MACsec + # 0: Encrypt traffic (default) + # 1: Integrity only + macsec_integ_only={{ '0' if security_encrypt else '1' }} + + # mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode + # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair. + # In this mode, instances of wpa_supplicant can act as MACsec peers. The peer + # with lower priority will become the key server and start distributing SAKs. + # mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit) + # hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits) + # mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string + # (2..64 hex-digits) + mka_cak={{ security_mka_cak }} + mka_ckn={{ security_mka_ckn }} + + # mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being + # default priority + mka_priority={{ security_mka_priority }} +} + |