MS-MPPE keys in proxy

Alan DeKok aland at
Tue Sep 18 16:33:41 CEST 2012

M Arif wrote:
> I am having trouble understanding the EAP-TLS authentication when
> requests are proxied.

  There is nothing magic.

> I want to know how MS-MPPE-Send-Key and MS-MPPE-Recv-Keys are
> transferred in proxy..

  They are transferred verbatim by the proxy.

> since these keys contain values calculated with
> EAP-Messages exchanged hashed with shared secret bla bla.

  The *values* are transferred verbatim.  The *encrypted* versions are
decrypted when the proxy receives a reply from the home server, and
encrypted by the proxy when it sends a reply to the client.

> Does the proxy
> keep its own EAP state and varialbe and calculates the Message
> Authenticator. or free-radius ignores these keys when exchanging EAP
> messages.

  That questions makes no sense.

  The process of handling the MPPE keys is *exactly* the same as
proxying User-Password.  There is no magic.  It is very simple.

  Alan DeKok.

More information about the Freeradius-Devel mailing list