EAP MSK: how is it transported between server and authenticator

Richard Chan rspchan at starhub.net.sg
Fri Oct 10 03:19:22 CEST 2008


Hi all,

After an EAP authentication which supports key derivation (MSK),
how does freeradius transport the MSK to an NAS (authenticator)? I.e., what
kind of attribute is used?
(I am assuming that the EAP Server (freeradius) is a separate entity to the
NAS; NAS talks to freeradius using RADIUS and acts as EAP proxy between
EAP client and freeradius).

There is an IETF draft on encrypted RADIUS attributes (which specifically
mentions "EAP MSK"):
http://www.ietf.org/internet-drafts/draft-zorn-radius-encattr-14.txt

but this seems too recent to be actually used in the field (besides
including undefined magic numbers).

Browsing another RADIUS server document (Cisco Secure ACS), there is a
"RADIUS Key Wrap" secret that can be configured. Presumably this is used
to send MSKs between server and authenticator, but once again there are no
details on how it is actually done. I couldn't find a similar configuration
parameter in the freeradius config files, either radiusd.conf
(http://wiki.freeradius.org/Radiusd.conf) or the client side
(http://wiki.freeradius.org/Clients.conf).

Googling 'radius key wrap' etc doesn't lead to further enlightenment.

Tks!
-richard-