EAP MSK: how is it transported between server and authenticator
Alan DeKok
aland at deployingradius.com
Fri Oct 10 10:31:25 CEST 2008
Richard Chan wrote:
> After an EAP authentication which supports key derivation (MSK)
> how does freeradius transport the MSK to an NAS(authenticator)? I.e.,
> what kind of attribute is used?
Run an EAP method. Look in the Access-Accept for attributes named "key".
> There is an IETF draft on encrypted RADIUS attributes (which
> specifically mentions "EAP MSK"):
> http://www.ietf.org/internet-drafts/draft-zorn-radius-encattr-14.txt
> but this seems too recent to be actually used in the field (besides
> including undefined magic numbers).
It's not relevant.
> Browsing another RADIUS server document (Cisco Secure ACS), there is a
> "RADIUS Key Wrap" secret that can be configured. Presumably this is used
> to send MSKs between server and authenticator,
That's not relevant, either.
> I couldn't find a similar configuration parameter in the freeradius
> config files, either radiusd.conf (http://wiki.freeradius.org/Radiusd.conf)
> or the client side (http://wiki.freeradius.org/Clients.conf).
The MSK isn't configured. It's mandated by the EAP method.
Alan DeKok.
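
As an added illustration (not part of the original thread, and not FreeRADIUS code): the attributes named "key" in an Access-Accept are normally the Microsoft vendor-specific MS-MPPE-Recv-Key and MS-MPPE-Send-Key, which carry the two 32-octet halves of the MSK (RFC 5216 mapping), obscured with the RADIUS shared secret and the Request Authenticator as RFC 2548 section 2.4.2 describes. The function names, shared secret and sample values below are constructed for the example.

```python
import hashlib
import os

def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mppe_encrypt(key, secret, req_auth, salt):
    """Build the String field of MS-MPPE-Send/Recv-Key (RFC 2548, 2.4.2)."""
    if len(req_auth) != 16 or len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("need 16-octet authenticator, 2-octet salt with MSB set")
    plain = bytes([len(key)]) + key            # Key-Length octet, then the key
    plain += b"\x00" * (-len(plain) % 16)      # zero-pad to a 16-octet multiple
    out, prev = b"", req_auth + salt           # b(1) = MD5(secret + R + salt)
    for i in range(0, len(plain), 16):
        prev = _xor(plain[i:i + 16], _md5(secret, prev))  # c(i) = p(i) ^ b(i)
        out += prev                            # b(i+1) = MD5(secret + c(i))
    return salt + out

def mppe_decrypt(value, secret, req_auth):
    """What the NAS does with the attribute value it receives."""
    salt, cipher = value[:2], value[2:]
    if len(salt) != 2 or not cipher or len(cipher) % 16 or not salt[0] & 0x80:
        raise ValueError("malformed MS-MPPE key attribute")
    plain, prev = b"", req_auth + salt
    for i in range(0, len(cipher), 16):
        plain += _xor(cipher[i:i + 16], _md5(secret, prev))
        prev = cipher[i:i + 16]
    if plain[0] > len(plain) - 1:
        raise ValueError("bad key length (wrong secret or authenticator?)")
    return plain[1:1 + plain[0]]

def wrap_msk(msk, secret, req_auth):
    """Map a 64-octet MSK onto the two attributes (RFC 5216, section 2.3)."""
    if len(msk) != 64:
        raise ValueError("MSK must be 64 octets")
    r = os.urandom(2)
    salt_recv = bytes([r[0] | 0x80, r[1]])
    salt_send = bytes([r[0] | 0x80, r[1] ^ 0x01])   # salts must differ per packet
    return {"MS-MPPE-Recv-Key": mppe_encrypt(msk[:32], secret, req_auth, salt_recv),
            "MS-MPPE-Send-Key": mppe_encrypt(msk[32:], secret, req_auth, salt_send)}

if __name__ == "__main__":
    secret, req_auth = b"testing123", bytes(range(16))   # constructed values
    msk = bytes(range(64))                                # constructed MSK
    for name, value in wrap_msk(msk, secret, req_auth).items():
        print(name, value.hex(), "->", mppe_decrypt(value, secret, req_auth).hex())
```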