1 files changed, 87 insertions, 0 deletions
diff --git a/data/templates/macsec/wpa_supplicant.conf.j2 b/data/templates/macsec/wpa_supplicant.conf.j2
new file mode 100644
index 000000000..0ac7cb860
--- /dev/null
+++ b/data/templates/macsec/wpa_supplicant.conf.j2
@@ -0,0 +1,87 @@
+### Autogenerated by interfaces-macsec.py ###
+
+# see full documentation:
+# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
+
+# For UNIX domain sockets (default on Linux and BSD): This is a directory that
+# will be created for UNIX domain sockets for listening to requests from
+# external programs (CLI/GUI, etc.) for status information and configuration.
+# The socket file will be named based on the interface name, so multiple
+# wpa_supplicant processes can be run at the same time if more than one
+# interface is used.
+# /var/run/wpa_supplicant is the recommended directory for sockets and by
+# default, wpa_cli will use it when trying to connect with wpa_supplicant.
+ctrl_interface=/run/wpa_supplicant
+
+# Note: When using MACsec, eapol_version shall be set to 3, which is
+# defined in IEEE Std 802.1X-2010.
+eapol_version=3
+
+# No need to scan for access points in MACsec mode
+ap_scan=0
+
+# EAP fast re-authentication
+fast_reauth=1
+
+network={
+    key_mgmt=NONE
+
+    # Note: When using wired authentication (including MACsec drivers),
+    # eapol_flags must be set to 0 for the authentication to be completed
+    # successfully.
+    eapol_flags=0
+
+    # macsec_policy: IEEE 802.1X/MACsec options
+    # This determines how sessions are secured with MACsec (only for MACsec
+    # drivers).
+    # 0: MACsec not in use (default)
+    # 1: MACsec enabled - Should secure, accept key server's advice to
+    #    determine whether to use a secure session or not.
+    macsec_policy=1
+
+    # macsec_integ_only: IEEE 802.1X/MACsec transmit mode
+    # This setting applies only when MACsec is in use, i.e.,
+    #  - macsec_policy is enabled
+    #  - the key server has decided to enable MACsec
+    # 0: Encrypt traffic (default)
+    # 1: Integrity only
+    macsec_integ_only={{ '0' if security.encrypt is vyos_defined else '1' }}
+
+{% if security.encrypt is vyos_defined %}
+    # mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode
+    # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
+    # In this mode, instances of wpa_supplicant can act as MACsec peers. The peer
+    # with lower priority will become the key server and start distributing SAKs.
+    # mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit)
+    # hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits)
+    # mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string
+    # (2..64 hex-digits)
+    mka_cak={{ security.mka.cak }}
+    mka_ckn={{ security.mka.ckn }}
+
+    # mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being
+    # default priority
+    mka_priority={{ security.mka.priority }}
+{% endif %}
+
+{% if security.replay_window is vyos_defined %}
+    # macsec_replay_protect: IEEE 802.1X/MACsec replay protection
+    # This setting applies only when MACsec is in use, i.e.,
+    #  - macsec_policy is enabled
+    #  - the key server has decided to enable MACsec
+    # 0: Replay protection disabled (default)
+    # 1: Replay protection enabled
+    macsec_replay_protect=1
+
+    # macsec_replay_window: IEEE 802.1X/MACsec replay protection window
+    # This determines a window in which replay is tolerated, to allow receipt
+    # of frames that have been misordered by the network.
+    # This setting applies only when MACsec replay protection active, i.e.,
+    #  - macsec_replay_protect is enabled
+    #  - the key server has decided to enable MACsec
+    # 0: No replay window, strict check (default)
+    # 1..2^32-1: number of packets that could be misordered
+    macsec_replay_window={{ security.replay_window }}
+{% endif %}
+}
+