Hi all, After an EAP authentication which supports key derivation (MSK) how does freeradius transport the MSK to an NAS(authenticator)? I.e., what kind of attribute is used? (I am assuming that the EAP Server (freeradius) is a separate entity to the NAS; NAS talks to freeradius using RADIUS and acts as EAP proxy between EAP client and freeradius). There is an IETF draft on encrypted RADIUS attributes (which specifically mentions "EAP MSK"): http://www.ietf.org/internet-drafts/draft-zorn-radius-encattr-14.txt but this seems too recent to be actually used in the field (besides including undefined magic numbers). Browsing another RADIUS server document (Cisco Secure ACS), there is a "RADIUS Key Wrap" secret that can be configured. Presumably this is used to send MSKs between server and authenticator, but once again there are no details on how it is actually done. I couldn't find a similar configuration parameter in the freeradius config files, either radiusd.conf ( http://wiki.freeradius.org/Radiusd.conf) or the client side ( http://wiki.freeradius.org/Clients.conf). Googling 'radius key wrap' etc doesn't lead to further enlightenment. Tks! -richard-