Media Access Control Security (
MACsec, IEEE 802.1AE) encrypts and authenticates all traffic in LANs with the GCM-AES-128 algorithm.
MACsec can protect not only
IP but also Address Resolution Protocol (ARP), Neighbor Discovery (ND), or
IPsec operates on the network layer (layer 3) and
TLS on the application layer (layer 7),
MACsec operates in the data link layer (layer 2). Combine
MACsec with security protocols for other networking layers to take advantage of different security features that these standards provide.
MACsec with a switch that performs authentication using a pre-shared Connectivity Association Key/CAK Name (CAK/CKN) pair:
Create a CAK/CKN pair. For example, the following command generates a 16-byte key in hexadecimal notation:
dd if=/dev/urandom count=16 bs=1 2> /dev/null | hexdump -e '1/2 "%02x"'
wpa_supplicant.conf configuration file and add the following lines to it:
mka_cak=0011... # 16 bytes hexadecimal
mka_ckn=2233... # 32 bytes hexadecimal
Use the values from the previous step to complete the
mka_ckn lines in the
wpa_supplicant.conf configuration file.
wpa_supplicant.conf(5) man page for more information.
Assuming you are using eth0 to connect to your network, start wpa_supplicant using the following command:
wpa_supplicant -i eth0 -Dmacsec_linux -c wpa_supplicant.conf
Instead of creating and editing the
wpa_supplicant.conf file, Red Hat recommends using the
nmcli command to configure wpa_supplicant equivalently as in the previous steps. The following example assumes that you already have a 16-byte hexadecimal CAK (
$MKA_CAK) and a 32-byte hexadecimal CKN (
~]# nmcli connection add type macsec \
con-name test-macsec+ ifname macsec0 \
connection.autoconnect no \
macsec.parent eth0 macsec.mode psk \
macsec.mka-cak $MKA_CAK \
macsec.mka-cak-flags 0 \
~]# nmcli connection up test-macsec+
After this step, the macsec0 device should be configured and used for networking.