Ok, I have more context for my question: Does Freeradius support something similar to Cisco's use of key-wrap as defined in https://tools.ietf.org/html/draft-zorn-radius-keywrap-18 ? In their implementation they define a way to securely transmit cryptographic keying material (such as from an EAP conversation) between NAS and Radius server using a a keywrap around the keying material to protect encryption key distribution. Supposedly this "protects" a man-in-the-middle from grabbing the EAP keys? I'm not sure how this increases security because you can't do anything with the public keys anyway. But I suppose it's a "stronger" way of encrypting that information as opposed to the standard hash that's currently done. The reason I'm asking, I'm doing some contract work for a university. The bosses want to know, presumably because they have some compliance requirements they need to satisfy. I see a few past discussion of this from the mailing list, but no clear answer on whether freeradius does this. -- --- Michael Martinez http://www.michael--martinez.com