On Fri, Oct 10, 2008 at 4:31 PM, Alan DeKok
<aland@deployingradius.com> wrote:
Richard Chan wrote:
> After an EAP authentication which supports key derivation (MSK)
> how does freeradius transport the MSK to an NAS(authenticator)? I.e.,
> what kind of attribute is used?
Run an EAP method. Look in the Access-Accept for attributes named "key".
It's not relevant.
Disagree - it explicitly suggests a way to transport wrapped MSKs between NAS and EAP Server.
How would you do it otherwise?
> Browsing another RADIUS server document (Cisco Secure ACS), there is a
> "RADIUS Key Wrap" secret
> that can be configured. Presumably this is used to send MSKs between
> server and authenticator,
That's not relevant, either.
Disagree again - it's relevant insofar as it indicates that Cisco considers a need to do key wrapping between NAS
and EAP Server. Unfortunately the document doesn't explicitly mention that the 'RADIUS Key Wrap'
shared secret is used to encrypt MSKs nor does it explain how it is used.
The MSK isn't configured. It's mandated by the EAP method.
I was not referring to MSK (I know that this is an artifact of the EAP method). I was referring to the KEK that is
used to encrypt the MSK between FreeRADIUS and NAS.
Alan DeKok.