<div dir="ltr"><br><br><div class="gmail_quote">On Fri, Oct 10, 2008 at 4:31 PM, Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com">aland@deployingradius.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">Richard Chan wrote:<br>
> After an EAP authentication which supports key derivation (MSK)<br>
> how does freeradius transport the MSK to an NAS(authenticator)? I.e.,<br>
> what kind of attribute is used?<br>
<br>
</div> Run an EAP method. Look in the Access-Accept for attributes named "key".</blockquote><div><br>Can you provide a reference such an attribute defined? A glance through<br><a href="http://freeradius.org/rfc/attributes.html">http://freeradius.org/rfc/attributes.html</a> doesn't show any "key" attributes<br>
other than those related to MS-CHAP.<br><br>Are you referring to the attribute 'EAP-Master-Session-Key'<br>in <a href="http://tools.ietf.org/html/draft-aboba-radext-wlan-00#page-6">http://tools.ietf.org/html/draft-aboba-radext-wlan-00#page-6</a>. This attribute seems<br>
to do exactly what I was asking but this draft is superseded by a later version<br>which no longer provides an attribute to transfer MSKs. <br><a href="http://www.ietf.org/internet-drafts/draft-aboba-radext-wlan-08.txt">http://www.ietf.org/internet-drafts/draft-aboba-radext-wlan-08.txt</a> <br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
<div class="Ih2E3d"><br>
> There is an IETF draft on encrypted RADIUS attributes (which<br>
> specifically mentions "EAP MSK"):<br>
> <a href="http://www.ietf.org/internet-drafts/draft-zorn-radius-encattr-14.txt" target="_blank">http://www.ietf.org/internet-drafts/draft-zorn-radius-encattr-14.txt</a><br>
> but this seems too recent to be actually used in the field (besides<br>
> including undefined magic numbers).<br>
<br>
</div> It's not relevant.</blockquote><div>Disagree - it explicitly suggests a way to transport wrapped MSKs between NAS and EAP Server.<br>How would you do it otherwise?<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">
> Browsing another RADIUS server document (Cisco Secure ACS), there is a<br>
> "RADIUS Key Wrap" secret<br>
> that can be configured. Presumably this is used to send MSKs between<br>
> server and authenticator,<br>
<br>
</div><br> That's not relevant, either.</blockquote><div>Disagree again - it's relevant insofar as it indicates that Cisco considers a need to do key wrapping between NAS<br>and EAP Server. Unfortunately the document doesn't explicitly mention that the 'RADIUS Key Wrap'<br>
shared secret is used to encrypt MSKs nor does it explain how it is used. <br> <br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
<div class="Ih2E3d"><br>
> I couldn't find a<br>
> similar configuration parameter in the<br>
> freeradius config files, either radiusd.conf<br>
> (<a href="http://wiki.freeradius.org/Radiusd.conf" target="_blank">http://wiki.freeradius.org/Radiusd.conf</a>) or the client side (<br>
> <a href="http://wiki.freeradius.org/Clients.conf" target="_blank">http://wiki.freeradius.org/Clients.conf</a>).<br>
<br>
</div> The MSK isn't configured. It's mandated by the EAP method.<br>
<font color="#888888"></font></blockquote><div>I was not referring to MSK (I know that this is an artifact of the EAP method). I was referring to the KEK that is<br>used to encrypt the MSK between FreeRADIUS and NAS. <br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><font color="#888888"><br>
Alan DeKok.<br>
</font><div><div></div><div class="Wj3C7c">-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br></div>