EAP MSK: how is it transported between server and authenticator
Richard Chan
rspchan at starhub.net.sg
Fri Oct 10 11:26:57 CEST 2008
Let me rephrase my question in another way (hopefully clearer):

NAS acting as EAP pass-thru' device

USER ---------------------- NAS ----------------------- FREERADIUS
     +++++++EAP+++++++++        ==EAP over RADIUS==========  (****)

EAP over RADIUS uses EAP-Message attribute.
After EAP completes we have:
USER ---------------------- NAS ----------------------- FREERADIUS
MSK                                                     MSK
...but the NAS needs the MSK to do whatever layer 2 encryption scheme..
..so...
USER ---------------------- NAS ----------------------- FREERADIUS
                            MSK <=================      MSK  (OOOO)
HOW??
Ivan Kalik tnt at kalik.net suggests EAP-Message; but I think this is only
used in **** not in OOOO
Alan DeKok suggests 'Access-Accept for attributes named "key"'. I couldn't
find any such attributes, and furthermore where would you configure the
KEK (Key encryption key) to wrap the MSK?
I hope this makes more sense.
Example NAS:
The following NAS actually allows you to configure an AES Key Wrap secret
http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42sol.html#wp1236008
This document goes on to say that it works with "a key-wrap compliant RADIUS
authentication server".
Is FreeRadius such a "key-wrap compliant RADIUS authentication server"?