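### Autogenerated by interfaces-macsec.py ###
# wpa_supplicant configuration for a MACsec interface, rendered from a Jinja
# template ({{ ... }} / {% ... %} below are template syntax, not config).
# Do not edit the rendered file by hand; changes are overwritten on the next
# commit of the interface configuration.

# see full documentation:
# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf

# For UNIX domain sockets (default on Linux and BSD): This is a directory that
# will be created for UNIX domain sockets for listening to requests from
# external programs (CLI/GUI, etc.) for status information and configuration.
# The socket file will be named based on the interface name, so multiple
# wpa_supplicant processes can be run at the same time if more than one
# interface is used.
# /var/run/wpa_supplicant is the recommended directory for sockets and by
# default, wpa_cli will use it when trying to connect with wpa_supplicant.
# NOTE(review): anything that can open this socket can reconfigure the
# supplicant; the directory mode is what gates that access (wpa_supplicant
# also accepts "DIR=<dir> GROUP=<group>" here) - confirm the mode the
# generator applies to /run/wpa_supplicant.
ctrl_interface=/run/wpa_supplicant

# Note: When using MACsec, eapol_version shall be set to 3, which is
# defined in IEEE Std 802.1X-2010.
eapol_version=3

# No need to scan for access points in MACsec mode
ap_scan=0

# EAP fast re-authentication
fast_reauth=1

network={
    # Pre-shared (CAK/CKN) MKA mode: no EAP key management on this network.
    key_mgmt=NONE

    # Note: When using wired authentication (including MACsec drivers),
    # eapol_flags must be set to 0 for the authentication to be completed
    # successfully.
    eapol_flags=0

    # macsec_policy: IEEE 802.1X/MACsec options
    # This determines how sessions are secured with MACsec (only for MACsec
    # drivers).
    # 0: MACsec not in use (default)
    # 1: MACsec enabled - Should secure, accept key server's advice to
    #    determine whether to use a secure session or not.
    macsec_policy=1

    # macsec_integ_only: IEEE 802.1X/MACsec transmit mode
    # This setting applies only when MACsec is in use, i.e.,
    #  - macsec_policy is enabled
    #  - the key server has decided to enable MACsec
    # 0: Encrypt traffic (default)
    # 1: Integrity only
    # The template selects 1 (integrity only) unless "security encrypt" is
    # configured, so without that option frames are authenticated but the
    # payload travels in clear text.
    macsec_integ_only={{ '0' if security is defined and security.encrypt is defined else '1' }}

    # macsec_csindex: IEEE 802.1X/MACsec cipher suite
    # 0 = GCM-AES-128
    # 1 = GCM-AES-256
    # Emitted exactly once for the network block; a second definition inside
    # the encrypt-only section would be a duplicate key with the same value.
{# security.cipher is a mandatory key #}
    macsec_csindex={{ '1' if security.cipher is defined and security.cipher == 'gcm-aes-256' else '0' }}

{% if security is defined %}
{%     if security.encrypt is defined %}
    # mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode
    # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
    # In this mode, instances of wpa_supplicant can act as MACsec peers. The peer
    # with lower priority will become the key server and start distributing SAKs.
    # mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit)
    # hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits)
    # mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string
    # (2..64 hex-digits)
    # NOTE(review): mka_cak is a long-lived secret written in clear text into
    # the rendered file - confirm the generator creates the file root-only
    # (not world-readable) and that it is excluded from support bundles/logs.
    mka_cak={{ security.mka.cak }}
    mka_ckn={{ security.mka.ckn }}
    # mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being
    # default priority
    # NOTE(review): rendered without a template default, so the generator is
    # assumed to always supply security.mka.priority - confirm against the
    # config schema.
    mka_priority={{ security.mka.priority }}
{%     endif %}
{%     if security.replay_window is defined %}
    # macsec_replay_protect: IEEE 802.1X/MACsec replay protection
    # This setting applies only when MACsec is in use, i.e.,
    #  - macsec_policy is enabled
    #  - the key server has decided to enable MACsec
    # 0: Replay protection disabled (default)
    # 1: Replay protection enabled
    # Only emitted when a replay window is configured; otherwise the line is
    # absent and wpa_supplicant's default (0, disabled) applies.
    macsec_replay_protect=1

    # macsec_replay_window: IEEE 802.1X/MACsec replay protection window
    # This determines a window in which replay is tolerated, to allow receipt
    # of frames that have been misordered by the network.
    # This setting applies only when MACsec replay protection active, i.e.,
    #  - macsec_replay_protect is enabled
    #  - the key server has decided to enable MACsec
    # 0: No replay window, strict check (default)
    # 1..2^32-1: number of packets that could be misordered
    macsec_replay_window={{ security.replay_window }}
{%     endif %}
{% endif %}

    # macsec_port: IEEE 802.1X/MACsec port - Port component of the SCI
    # Range: 1-65534 (default: 1)
    macsec_port=1
}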