Let me rephrase my question in another way (hopefully clearer): NAS acting as EAP pass-thru' device USER ---------------------- NAS ----------------------- FREERADIUS +++++++EAP+++++++++==EAP over RADIUS========== (****) EAP over RADIUS uses EAP-Message attribute. After EAP completes we have: USER ---------------------- NAS ----------------------- FREERADIUS MSK MSK ...but the NAS needs the MSK to do whatever layer 2 encryption scheme.. ..so... USER ---------------------- NAS ----------------------- FREERADIUS MSK <================= MSK (OOOO) HOW?? Ivan Kalik tnt@kalik.net suggests EAP-Message; but I think this is only used in **** not in OOOO Alan DeKok suggests 'Access-Accept for attributes named "key"'. I couldn't find any such attributes, and further more where would you configure the KEK (Key encryption key) to wrap the MSK? I hope this makes more sense. Example NAS: The following NAS actually allows you to configure an AES Key Wrap secret http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/... This document goes on to say that it works with "a key-wrap compliant RADIUS authentication server". Is FreeRadius such a "key-wrap compliant RADIUS authentication server".