summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2020-05-21 13:55:32 +0200
committerChristian Poessinger <christian@poessinger.com>2020-05-21 14:52:10 +0200
commit3872f5995644a8a52358285d682a7103b54dde04 (patch)
tree3d4edb713d215c9b1fd4ee9f90288ad8751246b7 /data
parent63a3110298e5f3f6d24d5ed57eff0a8abf27f6ac (diff)
downloadvyos-1x-3872f5995644a8a52358285d682a7103b54dde04.tar.gz
vyos-1x-3872f5995644a8a52358285d682a7103b54dde04.zip
macsec: T2023: use wpa_supplicant for key management
Diffstat (limited to 'data')
-rw-r--r--data/templates/macsec/wpa_supplicant.conf.tmpl53
1 files changed, 53 insertions, 0 deletions
diff --git a/data/templates/macsec/wpa_supplicant.conf.tmpl b/data/templates/macsec/wpa_supplicant.conf.tmpl
new file mode 100644
index 000000000..b73d4b863
--- /dev/null
+++ b/data/templates/macsec/wpa_supplicant.conf.tmpl
@@ -0,0 +1,53 @@
+# autogenerated by interfaces-macsec.py
+
+# see full documentation:
+# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
+
+# For UNIX domain sockets (default on Linux and BSD): This is a directory that
+# will be created for UNIX domain sockets for listening to requests from
+# external programs (CLI/GUI, etc.) for status information and configuration.
+# The socket file will be named based on the interface name, so multiple
+# wpa_supplicant processes can be run at the same time if more than one
+# interface is used.
+# /var/run/wpa_supplicant is the recommended directory for sockets and by
+# default, wpa_cli will use it when trying to connect with wpa_supplicant.
+ctrl_interface=/run/wpa_supplicant
+
+# Note: When using MACsec, eapol_version shall be set to 3, which is
+# defined in IEEE Std 802.1X-2010.
+eapol_version=3
+
+# No need to scan for access points in MACsec mode
+ap_scan=0
+
+# EAP fast re-authentication
+fast_reauth=1
+
+network={
+ key_mgmt=NONE
+
+ # Note: When using wired authentication (including MACsec drivers),
+ # eapol_flags must be set to 0 for the authentication to be completed
+ # successfully.
+ eapol_flags=0
+
+ # macsec_policy: IEEE 802.1X/MACsec options
+ # This determines how sessions are secured with MACsec (only for MACsec
+ # drivers).
+ # 0: MACsec not in use (default)
+ # 1: MACsec enabled - Should secure, accept key server's advice to
+ # determine whether to use a secure session or not.
+ macsec_policy=1
+
+ # macsec_integ_only: IEEE 802.1X/MACsec transmit mode
+ # This setting applies only when MACsec is in use, i.e.,
+ # - macsec_policy is enabled
+ # - the key server has decided to enable MACsec
+ # 0: Encrypt traffic (default)
+ # 1: Integrity only
+ macsec_integ_only={{ '0' if security_encrypt else '1' }}
+
+ mka_cak={{ security_key_cak }}
+ mka_ckn={{ security_key_ckn }}
+}
+