EAP MSK: how is it transported between server and authenticator

Richard Chan rspchan at starhub.net.sg
Fri Oct 10 11:08:45 CEST 2008


> EAP-Message would be the obvious candidate.

I don't think this can be correct:

EAP-Message is used between NAS and FreeRadius to encapsulate the EAP
protocol between client and server.

The NAS couldn't tell that a particular EAP-Message should terminate at
itself in order to extract an MSK; it would just de-capsulate and pass the
payload to the peer (functioning as an EAP proxy).

Notice the Zorn draft RFC doesn't use EAP-Message; it puts an encrypted MSK
in an extended attribute.
This kind of makes sense since it would be clear to the NAS that it is the
intended termination point.

My question was how is it done today in the field (pre this draft becoming
an RFC).