# autogenerated by interfaces-macsec.py

# see full documentation:
# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf

# For UNIX domain sockets (default on Linux and BSD): This is a directory that
# will be created for UNIX domain sockets for listening to requests from
# external programs (CLI/GUI, etc.) for status information and configuration.
# The socket file will be named based on the interface name, so multiple
# wpa_supplicant processes can be run at the same time if more than one
# interface is used.
# /var/run/wpa_supplicant is the recommended directory for sockets and by
# default, wpa_cli will use it when trying to connect with wpa_supplicant.
ctrl_interface=/run/wpa_supplicant

# Note: When using MACsec, eapol_version shall be set to 3, which is
# defined in IEEE Std 802.1X-2010.
eapol_version=3

# No need to scan for access points in MACsec mode
ap_scan=0

# EAP fast re-authentication
fast_reauth=1

network={
    key_mgmt=NONE

    # Note: When using wired authentication (including MACsec drivers),
    # eapol_flags must be set to 0 for the authentication to be completed
    # successfully.
    eapol_flags=0

    # macsec_policy: IEEE 802.1X/MACsec options
    # This determines how sessions are secured with MACsec (only for MACsec
    # drivers).
    # 0: MACsec not in use (default)
    # 1: MACsec enabled - Should secure, accept key server's advice to
    #    determine whether to use a secure session or not.
    macsec_policy=1

    # macsec_integ_only: IEEE 802.1X/MACsec transmit mode
    # This setting applies only when MACsec is in use, i.e.,
    #  - macsec_policy is enabled
    #  - the key server has decided to enable MACsec
    # 0: Encrypt traffic (default)
    # 1: Integrity only
    macsec_integ_only={{ '0' if security_encrypt else '1' }}

    mka_cak={{ security_key_cak }}
    mka_ckn={{ security_key_ckn }}
}