<div dir="ltr">Hi all,<br><br>After an EAP authentication which supports key derivation (MSK) <br>how does freeradius transport the MSK to an NAS(authenticator)? I.e., what kind of attribute is used?<br>(I am assuming that the EAP Server (freeradius) is a separate entity to the NAS; NAS talks to freeradius<br>
using RADIUS and acts as EAP proxy between EAP client and freeradius).<br><br>There is an IETF draft on encrypted RADIUS attributes (which specifically mentions "EAP MSK"):<br><a href="http://www.ietf.org/internet-drafts/draft-zorn-radius-encattr-14.txt">http://www.ietf.org/internet-drafts/draft-zorn-radius-encattr-14.txt</a><br>
<br>but this seems too recent to be actually used in the field (besides including undefined magic numbers).<br><br>Browsing another RADIUS server document (Cisco Secure ACS), there is a "RADIUS Key Wrap" secret<br>
that can be configured. Presumably this is used to send MSKs between server and authenticator, but once<br>again there are no details on how it is actually done. I couldn't find a similar configuration parameter in the<br>
freeradius config files, either radiusd.conf (<a href="http://wiki.freeradius.org/Radiusd.conf">http://wiki.freeradius.org/Radiusd.conf</a>) or the client side (<a href="http://wiki.freeradius.org/Clients.conf">http://wiki.freeradius.org/Clients.conf</a>).<br>
<br>Googling 'radius key wrap' etc. doesn't lead to further enlightenment.<br><br>Tks!<br>-richard-<br></div>