EAP MSK: how is it transported between server and authenticator

Richard Chan rspchan at starhub.net.sg
Fri Oct 10 11:02:54 CEST 2008


On Fri, Oct 10, 2008 at 4:31 PM, Alan DeKok <aland at deployingradius.com> wrote:

> Richard Chan wrote:
> > After an EAP authentication which supports key derivation (MSK)
> > how does freeradius transport the MSK to an NAS(authenticator)? I.e.,
> > what kind of attribute is used?
>
>   Run an EAP method.  Look in the Access-Accept for attributes named "key".


Can you provide a reference to where such an attribute is defined? A glance through
http://freeradius.org/rfc/attributes.html doesn't show any "key" attributes
other than those related to MS-CHAP.

Are you referring to the attribute 'EAP-Master-Session-Key' in
http://tools.ietf.org/html/draft-aboba-radext-wlan-00#page-6? This attribute
seems to do exactly what I was asking, but this draft is superseded by a later
version which no longer provides an attribute to transfer MSKs:
http://www.ietf.org/internet-drafts/draft-aboba-radext-wlan-08.txt

> > There is an IETF draft on encrypted RADIUS attributes (which
> > specifically mentions "EAP MSK"):
> > http://www.ietf.org/internet-drafts/draft-zorn-radius-encattr-14.txt
> > but this seems too recent to be actually used in the field (besides
> > including undefined magic numbers).
>
>   It's not relevant.

Disagree - it explicitly suggests a way to transport wrapped MSKs between
NAS and EAP Server. How would you do it otherwise?


> > Browsing another RADIUS server document (Cisco Secure ACS), there is a
> > "RADIUS Key Wrap" secret that can be configured. Presumably this is used
> > to send MSKs between server and authenticator,
>
>   That's not relevant, either.

Disagree again - it's relevant insofar as it indicates that Cisco considers
there is a need to do key wrapping between NAS and EAP Server. Unfortunately
the document doesn't explicitly mention that the 'RADIUS Key Wrap' shared
secret is used to encrypt MSKs, nor does it explain how it is used.


> > I couldn't find a similar configuration parameter in the freeradius
> > config files, either radiusd.conf (http://wiki.freeradius.org/Radiusd.conf)
> > or the client side (http://wiki.freeradius.org/Clients.conf).
>
>   The MSK isn't configured.  It's mandated by the EAP method.
>
I was not referring to the MSK (I know that this is an artifact of the EAP
method). I was referring to the KEK that is used to encrypt the MSK between
FreeRADIUS and the NAS.

>  Alan DeKok.
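The "key" attributes Alan points at are, in practice, the MS-MPPE-Recv-Key and MS-MPPE-Send-Key vendor attributes of RFC 2548: the server places the first and second 32 octets of the EAP MSK in them, and RFC 2548 section 2.4.2 wraps each one under the RADIUS shared secret, which is therefore the KEK the post asks about. The following is an added example, not code from this thread or from FreeRADIUS, that implements that wrapping and unwrapping so the mechanism can be inspected; the shared secret, Request Authenticator, salts and MSK are constructed sample values.

```python
import hashlib

BLOCK = 16  # MD5 digest length; RFC 2548 wraps keys in 16-octet blocks


def msk_to_mppe_keys(msk: bytes) -> tuple[bytes, bytes]:
    """Split a 64-octet EAP MSK: Recv-Key = MSK[0:32], Send-Key = MSK[32:64]."""
    if len(msk) < 64:
        raise ValueError("EAP MSK is at least 64 octets (RFC 3748 section 7.10)")
    return msk[:32], msk[32:64]


def mppe_key_encrypt(key: bytes, secret: bytes, request_auth: bytes, salt: bytes) -> bytes:
    """Build the String field of MS-MPPE-*-Key (RFC 2548 section 2.4.2).

    The KEK is the RADIUS shared secret S. The keystream is MD5 chained over the
    Access-Request's Request Authenticator R, the 2-octet salt A and each
    previous ciphertext block; no integrity tag protects the result.
    """
    if len(request_auth) != 16 or len(salt) != 2 or not (salt[0] & 0x80):
        raise ValueError("need a 16-octet Request Authenticator and a salt with the high bit set")
    plain = bytes([len(key)]) + key                      # P = length octet || key
    plain += b"\x00" * (-len(plain) % BLOCK)             # zero-pad to a multiple of 16
    out, prev = b"", request_auth + salt                 # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), BLOCK):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(plain[i:i + BLOCK], b))
        out, prev = out + c, c                           # b(i) = MD5(S + c(i-1))
    return salt + out


def mppe_key_decrypt(string: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of mppe_key_encrypt, as the NAS performs it on the Access-Accept."""
    salt, cipher = string[:2], string[2:]
    if not cipher or len(cipher) % BLOCK:
        raise ValueError("String field must be a salt plus a non-empty multiple of 16 octets")
    plain, prev = b"", request_auth + salt
    for i in range(0, len(cipher), BLOCK):
        b = hashlib.md5(secret + prev).digest()
        prev = cipher[i:i + BLOCK]
        plain += bytes(c ^ k for c, k in zip(prev, b))
    n = plain[0]
    if n > len(plain) - 1:   # only a coarse sanity check: a wrong secret often slips past it
        raise ValueError("implausible key length: wrong shared secret or Request Authenticator?")
    return plain[1:1 + n]


def wrap_msk_for_access_accept(msk: bytes, secret: bytes, request_auth: bytes) -> dict:
    """Wrap both MSK halves; salts must be unique within one packet."""
    recv, send = msk_to_mppe_keys(msk)
    return {"MS-MPPE-Recv-Key": mppe_key_encrypt(recv, secret, request_auth, b"\x80\x01"),
            "MS-MPPE-Send-Key": mppe_key_encrypt(send, secret, request_auth, b"\x80\x02")}


SECRET = b"testing123"            # constructed shared secret (the KEK)
REQUEST_AUTH = bytes(range(16))   # constructed Request Authenticator
MSK = bytes(range(64))            # constructed 64-octet MSK
```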