SOLVED
Hi,
You can refer below link for Access SecurityGuide:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00042657en_us
Thanks!
Hi @Dennis_Aruba !
It's kind of unusual request as MACsec is used for Ethernet traffic security and 802.11 protocols have their own security mechanisms - WPA, WPA2, WPA3 etc. So first, MACsec over WDS is redundant and second, it can be hit and miss depending on the actual AP hardware and software. I couldn't find any document describing this corner case with Aruba APs, but for switches you need to use the guide @akg7 provided, the "Infrastructure MACsec" section is what you need. Switches themselves don't need to know anything about WDS bridge, so from their perspective that bridge is just a direct link and no additional configuration is required. But without test I can't guarantee the WDS bridge between APs will allow MACsec traffic. From my side I forsee possible issues with EAPOL-MKA exchange as many WDS implementations do not bridge EAPOL packets. And without EAPOL-MKA successful exchange switches won't be able to establish MKA session.
Typically infrastructure MACsec is used in P2P links where you have only two participants since we speak about switches here, not hubs. Unfortunately you are right and documentation for these switches doesn't state clearly if group CAKs are supported and can you use 3 and more switches with one shared CAK on one link. I think it may have issues with replay protection... For example ArubaOS-CX guides clearly says "Provides Layer 2 hop-by-hop encryption on point-to-point Ethernet links.", and I doubt 2930 to have more extended feature than those. And also typically when a vendor supports group CAK there is a configuration abstraction for multiple key storage, like a keychain. There is no such in 2930...
But as with WDS - only a test can reveal the truth as this is really a corner case.