Richard Chan wrote:
After an EAP authentication which supports key derivation (MSK) how does freeradius transport the MSK to an NAS(authenticator)? I.e., what kind of attribute is used?
Run an EAP method. Look in the Access-Accept for attributes named "key".
There is an IETF draft on encrypted RADIUS attributes (which specifically mentions "EAP MSK"): http://www.ietf.org/internet-drafts/draft-zorn-radius-encattr-14.txt but this seems too recent to be actually used in the field (besides including undefined magic numbers).
It's not relevant.
Browsing another RADIUS server document (Cisco Secure ACS), there is a "RADIUS Key Wrap" secret that can be configured. Presumably this is used to send MSKs between server and authenticator,
That's not relevant, either.
I couldn't find a similar configuration parameter in the freeradius config files, either radiusd.conf (http://wiki.freeradius.org/Radiusd.conf) or the client side ( http://wiki.freeradius.org/Clients.conf).
The MSK isn't configured. It's mandated by the EAP method. Alan DeKok.