Connection using MACsec via wpa_supplicant failed


I am a novice in MACsec, and I appreciate any help in understanding why MACsec via wpa_supplicant on Ubuntu does not work with the Ruckus ICX7850-48FS switch.

This switch does have the MACsec option enabled and configured with a pre-shared CAK and CKN. However, I cannot ping any device on my network when MACsec is set on the ICX and wpa_supplicant is running on Ubuntu. Am I missing something in the configuration?

Thank you

Here is what the ip command shows:

    $ ip -s macsec show
    17: macsec0: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
        cipher suite: GCM-AES-128, using ICV length 16
        TXSC: 00e102005f280001 on SA 0
        stats: OutPktsUntagged InPktsUntagged OutPktsTooLong InPktsNoTag InPktsBadTag InPktsUnknownSCI InPktsNoSCI InPktsOverrun
                          0              0              0         107            0                0        2832             0
        stats: OutPktsProtected OutPktsEncrypted OutOctetsProtected OutOctetsEncrypted
                              0               11                  0               1218
            0: PN 12, state on, key af90ad063d4a31db48edac0d01000000
        stats: OutPktsProtected OutPktsEncrypted
                              0               11
        RXSC: 38453b3aa3730003, state on
        stats: InOctetsValidated InOctetsDecrypted InPktsUnchecked InPktsDelayed InPktsOK InPktsInvalid InPktsLate InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
                               0                 0               0             0        0             0          0              0       0    0
            0: PN 1, state on, key af90ad063d4a31db48edac0d01000000
        stats: InPktsOK InPktsInvalid InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
                      0             0              0                0              0

wpa_supplicant.config:

    ctrl_interface=/var/run/wpa_supplicant
    eapol_version=3
    ap_scan=0
    #orig fast_reauth=1
    fast_reauth=0
    network={
        key_mgmt=NONE
        #key_mgmt=IEEE8021X
        eapol_flags=0
        macsec_policy=1

        mka_cak=135bd758b0ee5c11c55ff6ab19fdb199
        mka_ckn=96437a93ccf10d9dfe347846cce52c7d
        mka_priority=100
    }

I run wpa_supplicant in debug mode:

    wpa_supplicant -dd -K -i eth0 -Dmacsec_linux -c wpa_supplicant_ubuntu.conf

wpa_cli status:

> status
bssid=01:80:c2:00:00:03
freq=0
ssid=
id=0
mode=station
pairwise_cipher=NONE
group_cipher=NONE
key_mgmt=NONE
wpa_state=COMPLETED
ip_address=10.100.97.158
address=00:e1:02:00:5f:28
PAE KaY status=Active
Authenticated=No
Secured=Yes
Failed=No
Actor Priority=100
Key Server Priority=16
Is Key Server=No
Number of Keys Distributed=0
Number of Keys Received=1
MKA Hello Time=2000
actor_sci=00:e1:02:00:5f:28@1
key_server_sci=38:45:3b:3a:a3:73@3
participant_idx=0
ckn=96437a93ccf10d9dfe347846cce52c7d
mi=3dfae97ed11d9ba7013cef3d
mn=6
active=Yes
participant=No
retain=No
live_peers=1
potential_peers=0
is_key_server=No
is_elected=Yes
uuid=84d0be70-7d9a-5dba-b0ed-139b3414cf7d

Log of wpa_supplicant:

# ./startWpaSupplicantUbuntu.sh 
wpa_supplicant v2.9
random: getrandom() support available
Successfully initialized wpa_supplicant
Initializing interface 'eth0' conf 'wpa_supplicant_ubuntu.conf' driver 'macsec_linux' ctrl_interface 'N/A' bridge 'N/A'
Configuration file 'wpa_supplicant_ubuntu.conf' -> '/home/dima/Desktop/macsec/wpa_supplicant_ubuntu.conf'
Reading configuration file '/home/dima/Desktop/macsec/wpa_supplicant_ubuntu.conf'
ctrl_interface='/var/run/wpa_supplicant'
eapol_version=3
ap_scan=0
fast_reauth=0
Line: 7 - start of a new network block
key_mgmt: 0x4
eapol_flags=0 (0x0)
macsec_policy=1 (0x1)
MKA-CAK - hexdump(len=16): [REMOVED]
MKA-CKN - hexdump(len=16): [REMOVED]
mka_priority=100 (0x64)
Priority group 0
   id=0 ssid=''
driver_wired_init_common: Added multicast membership with packet socket
Add interface eth0 to a new radio N/A
eth0: Own MAC address: 00:e1:02:00:5f:28
eth0: RSN: flushing PMKID list in the driver
eth0: Setting scan request: 0.100000 sec
TDLS: TDLS operation not supported by driver
TDLS: Driver uses internal link setup
TDLS: Driver does not support TDLS channel switching
eth0: WPS: UUID based on MAC address: 84d0be70-7d9a-5dba-b0ed-139b3414cf7d
ENGINE: Loading builtin engines
ENGINE: Loading builtin engines
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: Supplicant port status: Unauthorized
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
eth0: Added interface eth0
eth0: State: DISCONNECTED -> DISCONNECTED
EAPOL: External notification - EAP success=0
EAPOL: External notification - EAP fail=0
EAPOL: External notification - portControl=Auto
KaY: Initialize - ifname=eth0 addr=00:e1:02:00:5f:28 port=0 priority=100
KaY: Generated SCI: 00:e1:02:00:5f:28@1
macsec_drv_get_capability
KaY: state machine created
macsec_drv_macsec_init
macsec_linux: ifname=eth0 parent_ifi=2
KaY: secy init macsec done
CP: state machine created
macsec_drv_enable_protect_frames -> TRUE
macsec_drv_enable_encrypt -> TRUE
macsec_drv_set_replay_protect -> FALSE, 0
macsec_drv_enable_controlled_port -> FALSE
CP: CP entering state INIT
macsec_drv_enable_controlled_port -> FALSE
CP: CP entering state CHANGE
macsec_drv_enable_controlled_port -> FALSE
eth0: Already associated with a configured network - generating associated event
eth0: Event ASSOC (0) received
eth0: Association info event
FT: Stored MDIE and FTIE from (Re)Association Response - hexdump(len=0):
eth0: State: DISCONNECTED -> ASSOCIATED
eth0: Associated to a new BSS: BSSID=01:80:c2:00:00:03
eth0: Select network based on association information
eth0: Network configuration found for the current AP
eth0: WPA: clearing AP WPA IE
eth0: WPA: clearing AP RSN IE
eth0: WPA: clearing own WPA/RSN IE
eth0: Failed to get scan results
EAPOL: External notification - EAP success=0
EAPOL: External notification - EAP fail=0
EAPOL: External notification - portControl=ForceAuthorized
KaY: state machine removed
CP: state machine removed
macsec_drv_macsec_deinit
KaY: Initialize - ifname=eth0 addr=00:e1:02:00:5f:28 port=0 priority=100
KaY: Generated SCI: 00:e1:02:00:5f:28@1
macsec_drv_get_capability
KaY: state machine created
macsec_drv_macsec_init
macsec_linux: ifname=eth0 parent_ifi=2
KaY: secy init macsec done
CP: state machine created
macsec_drv_enable_protect_frames -> TRUE
macsec_drv_enable_encrypt -> TRUE
macsec_drv_set_replay_protect -> FALSE, 0
macsec_drv_enable_controlled_port -> FALSE
CP: CP entering state INIT
macsec_drv_enable_controlled_port -> FALSE
CP: CP entering state CHANGE
macsec_drv_enable_controlled_port -> FALSE
KaY: Create MKA (ifname=eth0 mode=PSK authenticator=No)
KaY: CKN - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
KaY: CAK - hexdump(len=16): [REMOVED]
KaY: Selected random MI: 3dfae97ed11d9ba7013cef3d
KaY: Create transmit SC - SCI: 00:e1:02:00:5f:28@1
macsec_drv_enable_protect_frames -> TRUE
macsec_drv_set_replay_protect -> FALSE, 0
macsec_linux: eth0: create_transmit_sc -> 00:e1:02:00:5f:28::1 (conf_offset=0)
macsec_linux: eth0: create_transmit_sc: ifi=16 ifname=macsec0
macsec_linux: macsec0: try_commit controlled_port_enabled=0
macsec_linux: macsec0: try_commit protect_frames=1
macsec_linux: macsec0: try_commit encrypt=1
macsec_linux: macsec0: try_commit replay_protect=0 replay_window=0
KaY: Derived KEK - hexdump(len=16): [REMOVED]
KaY: Derived ICK - hexdump(len=16): [REMOVED]
eth0: Associated with 01:80:c2:00:00:03
eth0: WPA: Association event - clear replay counter
eth0: WPA: Clear old PTK
TDLS: Remove peers on association
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state S_FORCE_AUTH
EAPOL: Supplicant port status: Authorized
EAPOL: SUPP_BE entering state IDLE
eth0: Cancelling authentication timeout
eth0: State: ASSOCIATED -> COMPLETED
eth0: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed [id=0 id_str=]
eth0: Cancelling scan request
eth0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
KaY: Participant timer (ifname=eth0)
KaY: Encode and send an MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=00:e1:02:00:5f:28 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=64
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 100
    Key Server: 1
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 00:e1:02:00:5f:28@1
    Actor's Member Identifier: 3dfae97ed11d9ba7013cef3d
    Actor's Message Number: 1
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
KaY: ICV - hexdump(len=16): 48 1d a5 ad f5 59 23 02 a1 61 b7 84 af 5e 82 50
KaY: Outgoing MKPDU - hexdump(len=82): 01 80 c2 00 00 03 00 e1 02 00 5f 28 88 8e 03 05 00 40 01 64 e0 2c 00 e1 02 00 5f 28 00 01 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 01 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 48 1d a5 ad f5 59 23 02 a1 61 b7 84 af 5e 82 50
EAPOL: disable timer tick
l2_packet_receive: src=38:45:3b:3a:a3:73 len=92
eth0: RX EAPOL from 38:45:3b:3a:a3:73
RX EAPOL - hexdump(len=92): 03 05 00 58 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 02 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 01 ff 00 00 10 37 e1 1d 33 e1 1e 79 96 71 2d bb 52 b0 c8 54 12
eth0: Ignored received EAPOL frame since no key management is configured
l2_packet_receive: src=38:45:3b:3a:a3:73 len=106
KaY: RX EAPOL-MKA - hexdump(len=106): 01 80 c2 00 00 03 38 45 3b 3a a3 73 88 8e 03 05 00 58 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 02 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 01 ff 00 00 10 37 e1 1d 33 e1 1e 79 96 71 2d bb 52 b0 c8 54 12
KaY: Decode received MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=38:45:3b:3a:a3:73 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=88
KaY: EAPOL-MKA Packet Body (MKPDU) - hexdump(len=88): 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 02 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 01 ff 00 00 10 37 e1 1d 33 e1 1e 79 96 71 2d bb 52 b0 c8 54 12
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 16
    Key Server: 1
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 38:45:3b:3a:a3:73@3
    Actor's Member Identifier: 6961e3c6b1dddcdbd81ce04f
    Actor's Message Number: 1
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
KaY: Received ICV - hexdump(len=16): 37 e1 1d 33 e1 1e 79 96 71 2d bb 52 b0 c8 54 12
KaY: Potential peer created
    MI: 6961e3c6b1dddcdbd81ce04f  MN: 1  SCI: 00:00:00:00:00:00@0
Potential Peer List parameter set
    Body Length: 16
    Member Id: 3dfae97ed11d9ba7013cef3d  Message Number: 1
KaY: My MI - received MN 1, most recently transmitted MN 1
KaY: i_in_peerlist=Yes is_in_live_peer=No
KaY: Create receive SC: SCI 38:45:3b:3a:a3:73@3
KaY: Move potential peer to live peer
    MI: 6961e3c6b1dddcdbd81ce04f  MN: 1  SCI: 38:45:3b:3a:a3:73@3
macsec_linux: macsec0: create_receive_sc -> 38:45:3b:3a:a3:73::3 (conf_offset=0 validation=2)
KaY: Peer 6961e3c6b1dddcdbd81ce04f was elected as the key server
CTRL_IFACE monitor attached /tmp/wpa_ctrl_133358-44\x00
CTRL-DEBUG: ctrl_sock-sendto: sock=6 sndbuf=212992 outq=0 send_len=3
CTRL-DEBUG: ctrl_sock-sendto: sock=6 sndbuf=212992 outq=0 send_len=5
KaY: Participant timer (ifname=eth0)
KaY: Encode and send an MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=00:e1:02:00:5f:28 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=84
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 100
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 00:e1:02:00:5f:28@1
    Actor's Member Identifier: 3dfae97ed11d9ba7013cef3d
    Actor's Message Number: 2
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
Live Peer List parameter set
    Body Length: 16
    Member Id: 6961e3c6b1dddcdbd81ce04f  Message Number: 1
KaY: ICV - hexdump(len=16): fb 8f 40 14 50 60 3c 1b 24 88 6f ce c1 d1 21 ca
KaY: Outgoing MKPDU - hexdump(len=102): 01 80 c2 00 00 03 00 e1 02 00 5f 28 88 8e 03 05 00 54 01 64 60 2c 00 e1 02 00 5f 28 00 01 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 02 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 fb 8f 40 14 50 60 3c 1b 24 88 6f ce c1 d1 21 ca
l2_packet_receive: src=38:45:3b:3a:a3:73 len=168
eth0: RX EAPOL from 38:45:3b:3a:a3:73
RX EAPOL - hexdump(len=168): 03 05 00 a4 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 02 03 10 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 04 10 00 1c 00 00 00 01 fd f6 00 f4 87 75 41 73 0a 64 37 f2 4a 28 e4 92 0e cf 16 03 67 ee 19 f4 ff 00 00 10 c7 f1 51 03 81 c4 19 36 3c bc bb 87 40 65 58 cf
eth0: Ignored received EAPOL frame since no key management is configured
l2_packet_receive: src=38:45:3b:3a:a3:73 len=182
KaY: RX EAPOL-MKA - hexdump(len=182): 01 80 c2 00 00 03 38 45 3b 3a a3 73 88 8e 03 05 00 a4 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 02 03 10 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 04 10 00 1c 00 00 00 01 fd f6 00 f4 87 75 41 73 0a 64 37 f2 4a 28 e4 92 0e cf 16 03 67 ee 19 f4 ff 00 00 10 c7 f1 51 03 81 c4 19 36 3c bc bb 87 40 65 58 cf
KaY: Decode received MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=38:45:3b:3a:a3:73 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=164
KaY: EAPOL-MKA Packet Body (MKPDU) - hexdump(len=164): 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 02 03 10 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 04 10 00 1c 00 00 00 01 fd f6 00 f4 87 75 41 73 0a 64 37 f2 4a 28 e4 92 0e cf 16 03 67 ee 19 f4 ff 00 00 10 c7 f1 51 03 81 c4 19 36 3c bc bb 87 40 65 58 cf
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 16
    Key Server: 1
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 38:45:3b:3a:a3:73@3
    Actor's Member Identifier: 6961e3c6b1dddcdbd81ce04f
    Actor's Message Number: 2
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
KaY: Received ICV - hexdump(len=16): c7 f1 51 03 81 c4 19 36 3c bc bb 87 40 65 58 cf
Live Peer List parameter set
    Body Length: 16
    Member Id: 3dfae97ed11d9ba7013cef3d  Message Number: 2
KaY: My MI - received MN 2, most recently transmitted MN 2
KaY: i_in_peerlist=Yes is_in_live_peer=Yes
MACsec SAK Use parameter set
    Latest Key AN....: 0
    Latest Key Tx....: No
    Latest Key Rx....: Yes
    Old Key AN.......: 0
    Old Key Tx.......: No
    Old Key Rx.......: No
    Plain Tx.........: No
    Plain Rx.........: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: 6961e3c6b1dddcdbd81ce04f
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI: 000000000000000000000000
    Old Key Number...: 0
    Old Lowest PN....: 1
KaY: Latest key is invalid
Distributed SAK parameter set
    Distributed AN........: 0
    Confidentiality Offset: 1
    Body Length...........: 28
    Key Number............: 1
    AES Key Wrap of SAK...: - hexdump(len=24): fd f6 00 f4 87 75 41 73 0a 64 37 f2 4a 28 e4 92 0e cf 16 03 67 ee 19 f4
    AES Key Unwrap of SAK.: - hexdump(len=16): [REMOVED]
CP: CP entering state SECURED
macsec_drv_set_current_cipher_suite -> 0080020001000001
macsec_drv_enable_protect_frames -> TRUE
macsec_linux: macsec0: try_commit protect_frames=1
macsec_drv_enable_encrypt -> TRUE
macsec_linux: macsec0: try_commit encrypt=1
macsec_drv_set_replay_protect -> FALSE, 0
macsec_linux: macsec0: try_commit replay_protect=0 replay_window=0
CP: CP entering state RECEIVE
KaY: Create receive SA(an: 0 lowest_pn: 1) of SC
macsec_linux: macsec0: create_receive_sa -> 0 on 38:45:3b:3a:a3:73::3 (enable_receive=0 next_pn=1)
macsec_linux: SA keyid - hexdump(len=16): 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 01 00 00 00
macsec_linux: SA key - hexdump(len=16): [REMOVED]
KaY: Create transmit SA(an: 0, next_pn: 1) of SC
macsec_linux: macsec0: create_transmit_sa -> 0 on 00:e1:02:00:5f:28::1 (enable_transmit=0 next_pn=1)
macsec_linux: SA keyid - hexdump(len=16): 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 01 00 00 00
macsec_linux: SA key - hexdump(len=16): [REMOVED]
macsec_linux: macsec0: enable_receive_sa -> 0 on 38:45:3b:3a:a3:73::3
CP: CP entering state RECEIVING
CP: CP entering state READY
KaY: Encode and send an MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=00:e1:02:00:5f:28 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=128
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 100
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 00:e1:02:00:5f:28@1
    Actor's Member Identifier: 3dfae97ed11d9ba7013cef3d
    Actor's Message Number: 3
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
Live Peer List parameter set
    Body Length: 16
    Member Id: 6961e3c6b1dddcdbd81ce04f  Message Number: 2
macsec_drv_get_transmit_next_pn
macsec_linux: macsec_drv_get_transmit_next_pn: err 0 result 1
MACsec SAK Use parameter set
    Latest Key AN....: 0
    Latest Key Tx....: No
    Latest Key Rx....: Yes
    Old Key AN.......: 0
    Old Key Tx.......: No
    Old Key Rx.......: No
    Plain Tx.........: No
    Plain Rx.........: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: 6961e3c6b1dddcdbd81ce04f
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI: 000000000000000000000000
    Old Key Number...: 0
    Old Lowest PN....: 1
KaY: ICV - hexdump(len=16): 3f 58 1e c3 42 14 f6 20 50 53 a9 81 7b 75 6f b0
KaY: Outgoing MKPDU - hexdump(len=146): 01 80 c2 00 00 03 00 e1 02 00 5f 28 88 8e 03 05 00 80 01 64 60 2c 00 e1 02 00 5f 28 00 01 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 03 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 03 10 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 3f 58 1e c3 42 14 f6 20 50 53 a9 81 7b 75 6f b0
CP: CP entering state TRANSMIT
macsec_drv_enable_controlled_port -> TRUE
macsec_linux: macsec0: try_commit controlled_port_enabled=1
macsec_linux: macsec0: enable_transmit_sa -> 0 on 00:e1:02:00:5f:28::1
macsec_linux: macsec0: try_commit encoding_sa=0
CP: CP entering state TRANSMITTING
KaY: Encode and send an MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=00:e1:02:00:5f:28 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=128
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 100
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 00:e1:02:00:5f:28@1
    Actor's Member Identifier: 3dfae97ed11d9ba7013cef3d
    Actor's Message Number: 4
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
Live Peer List parameter set
    Body Length: 16
    Member Id: 6961e3c6b1dddcdbd81ce04f  Message Number: 2
macsec_drv_get_transmit_next_pn
macsec_linux: macsec_drv_get_transmit_next_pn: err 0 result 1
MACsec SAK Use parameter set
    Latest Key AN....: 0
    Latest Key Tx....: Yes
    Latest Key Rx....: Yes
    Old Key AN.......: 0
    Old Key Tx.......: No
    Old Key Rx.......: No
    Plain Tx.........: No
    Plain Rx.........: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: 6961e3c6b1dddcdbd81ce04f
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI: 000000000000000000000000
    Old Key Number...: 0
    Old Lowest PN....: 1
KaY: ICV - hexdump(len=16): 69 b6 ef f1 6b 29 44 26 d3 40 50 2e 0a b3 e2 89
KaY: Outgoing MKPDU - hexdump(len=146): 01 80 c2 00 00 03 00 e1 02 00 5f 28 88 8e 03 05 00 80 01 64 60 2c 00 e1 02 00 5f 28 00 01 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 04 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 69 b6 ef f1 6b 29 44 26 d3 40 50 2e 0a b3 e2 89
CP: CP entering state RETIRE
KaY: Participant timer (ifname=eth0)
KaY: Encode and send an MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=00:e1:02:00:5f:28 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=128
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 100
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 00:e1:02:00:5f:28@1
    Actor's Member Identifier: 3dfae97ed11d9ba7013cef3d
    Actor's Message Number: 5
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
Live Peer List parameter set
    Body Length: 16
    Member Id: 6961e3c6b1dddcdbd81ce04f  Message Number: 2
macsec_drv_get_transmit_next_pn
macsec_linux: macsec_drv_get_transmit_next_pn: err 0 result 2
MACsec SAK Use parameter set
    Latest Key AN....: 0
    Latest Key Tx....: Yes
    Latest Key Rx....: Yes
    Old Key AN.......: 0
    Old Key Tx.......: No
    Old Key Rx.......: No
    Plain Tx.........: No
    Plain Rx.........: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: 6961e3c6b1dddcdbd81ce04f
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI: 000000000000000000000000
    Old Key Number...: 0
    Old Lowest PN....: 1
KaY: ICV - hexdump(len=16): 96 2e 06 f1 a4 80 5f 24 da 41 a2 fa 73 53 5a 75
KaY: Outgoing MKPDU - hexdump(len=146): 01 80 c2 00 00 03 00 e1 02 00 5f 28 88 8e 03 05 00 80 01 64 60 2c 00 e1 02 00 5f 28 00 01 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 05 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 96 2e 06 f1 a4 80 5f 24 da 41 a2 fa 73 53 5a 75
l2_packet_receive: src=38:45:3b:3a:a3:73 len=136
eth0: RX EAPOL from 38:45:3b:3a:a3:73
RX EAPOL - hexdump(len=136): 03 05 00 84 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 03 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 05 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 d7 5a 9c f8 26 7d 54 fc 7a 92 5f e3 36 ff 71 eb
eth0: Ignored received EAPOL frame since no key management is configured
l2_packet_receive: src=38:45:3b:3a:a3:73 len=150
KaY: RX EAPOL-MKA - hexdump(len=150): 01 80 c2 00 00 03 38 45 3b 3a a3 73 88 8e 03 05 00 84 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 03 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 05 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 d7 5a 9c f8 26 7d 54 fc 7a 92 5f e3 36 ff 71 eb
KaY: Decode received MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=38:45:3b:3a:a3:73 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=132
KaY: EAPOL-MKA Packet Body (MKPDU) - hexdump(len=132): 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 03 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 05 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 d7 5a 9c f8 26 7d 54 fc 7a 92 5f e3 36 ff 71 eb
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 16
    Key Server: 1
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 38:45:3b:3a:a3:73@3
    Actor's Member Identifier: 6961e3c6b1dddcdbd81ce04f
    Actor's Message Number: 3
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
KaY: Received ICV - hexdump(len=16): d7 5a 9c f8 26 7d 54 fc 7a 92 5f e3 36 ff 71 eb
Live Peer List parameter set
    Body Length: 16
    Member Id: 3dfae97ed11d9ba7013cef3d  Message Number: 5
KaY: My MI - received MN 5, most recently transmitted MN 5
KaY: i_in_peerlist=Yes is_in_live_peer=Yes
MACsec SAK Use parameter set
    Latest Key AN....: 0
    Latest Key Tx....: Yes
    Latest Key Rx....: Yes
    Old Key AN.......: 0
    Old Key Tx.......: No
    Old Key Rx.......: No
    Plain Tx.........: No
    Plain Rx.........: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: 6961e3c6b1dddcdbd81ce04f
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI: 000000000000000000000000
    Old Key Number...: 0
    Old Lowest PN....: 1
l2_packet_receive: src=38:45:3b:3a:a3:73 len=136
eth0: RX EAPOL from 38:45:3b:3a:a3:73
RX EAPOL - hexdump(len=136): 03 05 00 84 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 04 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 05 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 a5 fc ed db e1 b4 1a 61 d8 ec 73 3a ff 9e 54 e7
eth0: Ignored received EAPOL frame since no key management is configured

Here is the MACsec part of the ICX configuration:

dot1x-mka-enable
 mka-cfg-group test
  key-server-priority 20
  macsec cipher-suite gcm-aes-128 
 enable-mka ethernet 1/1/4
  pre-shared-key 135bd758b0ee5c11c55ff6ab19fdb199 key-name 96437a93ccf10d9dfe347846cce52c7d
!

There is 1 answer below:

Your wpa_supplicant.config formatting looks odd in your question, but I'm guessing it works on your system based on the log output. I think you should have a new macsec0 device which handles the encryption and decryption, and that should be the interface you use once MACsec is properly configured on eth0. eth0 traffic will not be usable unless the switch side MACsec configuration allows unencrypted traffic as well as encrypted.

Summary:

  • eth0 is unsecured traffic (if configured to allow unsecured traffic)
  • macsec0 is secure traffic
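As an added diagnostic example (not code from the question or from the answer above): the script below parses `ip -s macsec show` output and reports the conditions that usually explain "MKA completed but nothing pings". The embedded sample is the questioner's own `ip -s macsec show` output from this thread, pasted in so the script runs offline; `parse_macsec_show`, `diagnose` and the wording of the findings are my own. The SCI check encodes a Linux kernel rule: a frame whose SecTAG omits the SCI is attributed to port 1 of its source MAC, so a receive SC created with any other port number only matches frames that carry the SCI explicitly. The closing reminder is the answer's point that the address and routes belong on macsec0, not on eth0.

```python
import re
import sys

# Sample input: the questioner's own `ip -s macsec show` output from this
# thread, embedded so the script runs offline.
SAMPLE = """\
17: macsec0: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 00e102005f280001 on SA 0
    stats: OutPktsUntagged InPktsUntagged OutPktsTooLong InPktsNoTag InPktsBadTag InPktsUnknownSCI InPktsNoSCI InPktsOverrun
                      0              0              0         107            0                0        2832             0
    stats: OutPktsProtected OutPktsEncrypted OutOctetsProtected OutOctetsEncrypted
                          0               11                  0               1218
        0: PN 12, state on, key af90ad063d4a31db48edac0d01000000
    stats: OutPktsProtected OutPktsEncrypted
                          0               11
    RXSC: 38453b3aa3730003, state on
    stats: InOctetsValidated InOctetsDecrypted InPktsUnchecked InPktsDelayed InPktsOK InPktsInvalid InPktsLate InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
                           0                 0               0             0        0             0          0              0       0    0
        0: PN 1, state on, key af90ad063d4a31db48edac0d01000000
    stats: InPktsOK InPktsInvalid InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
                  0             0              0                0              0
"""

DEV_RE = re.compile(r"^\d+: (?P<dev>\S+): (?P<flags>.+)$")
SA_RE = re.compile(r"^(?P<an>\d+): PN (?P<pn>\d+), state (?P<state>\w+)")


def parse_macsec_show(text):
    """Turn `ip -s macsec show` text into flags, SCIs, SAs and counters.

    Counters are keyed by name; the first occurrence wins, which is the
    SecY/SC-level value because ip prints the per-SA repeats afterwards."""
    dev = {"name": None, "flags": {}, "tx_sci": None, "rx_scs": [], "sas": [], "stats": {}}
    pending = None  # counter names whose values are on the next line
    side = None     # which SC ("tx"/"rx") the following SA lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None:
            for name, value in zip(pending, line.split()):
                dev["stats"].setdefault(name, int(value))
            pending = None
            continue
        sa = SA_RE.match(line)
        if sa:
            dev["sas"].append((side, int(sa.group("an")), int(sa.group("pn")), sa.group("state")))
            continue
        hdr = DEV_RE.match(line)
        if hdr:
            dev["name"] = hdr.group("dev")
            toks = hdr.group("flags").split()
            dev["flags"] = dict(zip(toks[0::2], toks[1::2]))
        elif line.startswith("TXSC:"):
            dev["tx_sci"] = line.split()[1]
            side = "tx"
        elif line.startswith("RXSC:"):
            dev["rx_scs"].append(line.split()[1].rstrip(","))
            side = "rx"
        elif line.startswith("stats:"):
            pending = line.split()[1:]
    return dev


def diagnose(dev):
    """Return human-readable findings for the usual MACsec bring-up failures."""
    s = dev["stats"]
    findings = []
    if not dev["rx_scs"]:
        findings.append("no receive SC: MKA has not installed the peer's channel yet")
    for side, an, _pn, state in dev["sas"]:
        if state != "on":
            findings.append(f"{side} SA {an} is {state}: its SAK is not enabled")
    if s.get("InPktsNoTag", 0) and dev["flags"].get("validate") == "strict":
        findings.append(f"InPktsNoTag={s['InPktsNoTag']}: untagged frames seen; strict validation keeps "
                        "them off the macsec device (they still reach the parent, where MKPDUs belong)")
    if s.get("InPktsNoSCI", 0):
        msg = f"InPktsNoSCI={s['InPktsNoSCI']}: tagged frames carried an SCI matching no receive SC"
        if any(sci[-4:] != "0001" for sci in dev["rx_scs"]):
            msg += ("; a receive SC with port != 1 only matches frames that carry the SCI in "
                    "the SecTAG, because the kernel assumes port 1 when it is omitted")
        findings.append(msg)
    if s.get("OutPktsEncrypted", 0) and not s.get("InPktsOK", 0):
        findings.append("frames go out encrypted but none have been accepted inbound: the link is one-way")
    return findings


def main():
    # Read live output from a pipe when given one, otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    dev = parse_macsec_show(text)
    print(f"{dev['name']}: tx SCI {dev['tx_sci']}, rx SCs {dev['rx_scs'] or 'none'}")
    for finding in diagnose(dev):
        print(" -", finding)
    print(f"reminder: addresses and routes belong on {dev['name']}, not on its parent interface")


if __name__ == "__main__":
    main()
```

On a live host run it as `ip -s macsec show | python3 macsec_check.py`; with no input on stdin it analyses the sample. The counters it keys on are the SecY-level ones (InPktsNoTag, InPktsNoSCI) and the SC-level OutPktsEncrypted/InPktsOK, which is why the parser keeps the first occurrence of each name and ignores the per-SA repeats.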