EAP MSK: how is it transported between server and authenticator

Richard Chan rspchan at starhub.net.sg
Fri Oct 10 11:26:57 CEST 2008


Let me rephrase my question in another way (hopefully clearer):

NAS acting as EAP pass-thru' device

USER ----------------------  NAS -----------------------  FREERADIUS
+++++++EAP+++++++++==EAP over RADIUS==========  (****)

EAP over RADIUS uses EAP-Message attribute.


After EAP completes we have:

USER ----------------------  NAS -----------------------  FREERADIUS
 MSK                                                              MSK

...but the NAS needs the MSK to do whatever layer 2 encryption scheme..
..so...

USER ----------------------  NAS -----------------------  FREERADIUS
 MSK                              <================= MSK          (OOOO)
                                            HOW??

Ivan Kalik tnt at kalik.net suggests EAP-Message; but I think this is only
used in **** not in OOOO

Alan DeKok suggests 'Access-Accept for attributes named "key"'. I couldn't
find any such attributes, and furthermore where would you configure the
KEK (Key Encryption Key) to wrap the MSK?


I hope this makes more sense.

Example NAS:

The following NAS actually allows you to configure an AES Key Wrap secret
http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42sol.html#wp1236008

This document goes on to say that it works with "a key-wrap compliant RADIUS
authentication server".
Is FreeRADIUS such a "key-wrap compliant RADIUS authentication server"?
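What a standard RADIUS server actually places in the Access-Accept to hand the NAS its keys (the "OOOO" leg above) is a pair of Microsoft vendor-specific attributes from RFC 2548, MS-MPPE-Recv-Key and MS-MPPE-Send-Key. Each carries half of the EAP MSK (the first 32 octets as Recv-Key, the second 32 as Send-Key, the convention RFC 5216 section 2.3 specifies for EAP-TLS), and each is encrypted with the RADIUS shared secret and the Request Authenticator using the MD5-based stream cipher of RFC 2548 section 2.4.2, so no separately configured KEK is involved; the AES key-wrap feature the Cisco document describes is an alternative to that shared-secret-based protection. The following is an added example, not code from this thread or from FreeRADIUS: it encodes and decodes the attribute as RFC 2548 defines it, using constructed values for the shared secret, Request Authenticator, salt and MSK.

```python
import hashlib
import os
import struct

# Constants from RFC 2548 (Microsoft vendor-specific RADIUS attributes).
MS_VENDOR_ID = 311             # Microsoft's IANA enterprise number
MS_MPPE_SEND_KEY = 16          # vendor-type, RFC 2548 section 2.4.2
MS_MPPE_RECV_KEY = 17          # vendor-type, RFC 2548 section 2.4.3
RADIUS_ATTR_VENDOR_SPECIFIC = 26


def random_salt() -> bytes:
    """Two-octet salt; RFC 2548 requires the high bit of the first octet set."""
    first, second = os.urandom(2)
    return bytes([0x80 | first, second])


def encrypt_mppe_key(secret: bytes, request_authenticator: bytes,
                     salt: bytes, key: bytes) -> bytes:
    """Return the attribute String field: Salt || C, where C is the RFC 2548
    encryption of (key length || key || zero padding to a 16-octet multiple)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the first high bit set")
    if len(key) > 255:
        raise ValueError("key length must fit in one octet")
    plaintext = bytes([len(key)]) + key
    plaintext += b"\x00" * (-len(plaintext) % 16)
    ciphertext = b""
    prev = request_authenticator + salt       # b(1) = MD5(S || R || A)
    for i in range(0, len(plaintext), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(plaintext[i:i + 16], b))
        ciphertext += c
        prev = c                              # b(n) = MD5(S || c(n-1))
    return salt + ciphertext


def decrypt_mppe_key(secret: bytes, request_authenticator: bytes,
                     string: bytes) -> bytes:
    """Inverse of encrypt_mppe_key: recover the key from a String field."""
    salt, ciphertext = string[:2], string[2:]
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 octets")
    plaintext = b""
    prev = request_authenticator + salt
    for i in range(0, len(ciphertext), 16):
        c = ciphertext[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        plaintext += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    key_len = plaintext[0]
    if key_len > len(plaintext) - 1:
        raise ValueError("decrypted length field exceeds data (wrong secret?)")
    return plaintext[1:1 + key_len]


def build_vsa(vendor_type: int, string: bytes) -> bytes:
    """Wrap a String field in a RADIUS Vendor-Specific attribute (type 26)."""
    vendor_payload = struct.pack("!BB", vendor_type, 2 + len(string)) + string
    body = struct.pack("!I", MS_VENDOR_ID) + vendor_payload
    if 2 + len(body) > 255:
        raise ValueError("attribute too long for a one-octet length")
    return struct.pack("!BB", RADIUS_ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def vsa_string(vsa: bytes) -> bytes:
    """Extract the String field from a VSA built by build_vsa."""
    return vsa[8:]


def mppe_attributes_from_msk(secret: bytes, request_authenticator: bytes,
                             msk: bytes, salts=None):
    """Split a 64-octet EAP MSK into the two attributes a server sends
    (RFC 5216 section 2.3 convention) and return (recv_vsa, send_vsa)."""
    if len(msk) != 64:
        raise ValueError("EAP MSK must be 64 octets")
    recv_salt, send_salt = salts or (random_salt(), random_salt())
    recv = build_vsa(MS_MPPE_RECV_KEY,
                     encrypt_mppe_key(secret, request_authenticator, recv_salt, msk[:32]))
    send = build_vsa(MS_MPPE_SEND_KEY,
                     encrypt_mppe_key(secret, request_authenticator, send_salt, msk[32:]))
    return recv, send


if __name__ == "__main__":
    # Constructed sample values: a shared secret, the Access-Request's
    # Request Authenticator, and a fake 64-octet MSK produced by EAP.
    secret = b"testing123"
    request_auth = bytes(range(16))
    msk = bytes(range(64))
    recv_vsa, send_vsa = mppe_attributes_from_msk(secret, request_auth, msk)
    assert decrypt_mppe_key(secret, request_auth, vsa_string(recv_vsa)) == msk[:32]
    print("MS-MPPE-Recv-Key attribute:", recv_vsa.hex())
```

The only secret protecting the key in transit is the RADIUS shared secret, stretched through MD5 with the Request Authenticator and salt; that is why the NAS needs no extra KEK configuration for MPPE keys, and also why a weak or widely shared RADIUS secret exposes every MSK the server hands out.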