EAP MSK: how is it transported between server and authenticator

Phil Mayers p.mayers at imperial.ac.uk
Fri Oct 10 11:32:45 CEST 2008


Richard Chan wrote:
> Let me rephrase my question in another way (hopefully clearer):
> 
> NAS acting as EAP pass-thru' device
> 
> USER ----------------------  NAS -----------------------  FREERADIUS
> +++++++EAP+++++++++==EAP over RADIUS==========  (****)
> 
> EAP over RADIUS uses EAP-Message attribute.
> 
> 
> After EAP completes we have:
> 
> USER ----------------------  NAS -----------------------  FREERADIUS
>  MSK                                                              MSK
> 
> ...but the NAS needs the MSK to do whatever layer 2 encryption scheme..
> ..so...
> 
> USER ----------------------  NAS -----------------------  FREERADIUS
>  MSK                              <================= MSK          (OOOO)
>                                             HOW??

See my other email. MSK is not sent to the NAS. SSK (derived from MSK) 
is, and it's sent in the attributes:

MS-MPPE-Send-Key
MS-MPPE-Recv-Key

...even if the EAP method is not MS-CHAP based.
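
An added illustration, not part of the original post or of FreeRADIUS code: the String field of MS-MPPE-Send-Key and MS-MPPE-Recv-Key is protected between server and NAS with the salt-encryption scheme of RFC 2548, keyed by the RADIUS shared secret and the Request Authenticator of the matching Access-Request. The function names and the sample secret, authenticator and key are constructed for this example.

```python
import hashlib
import os

def _xor_blocks(data, secret, request_auth, salt, decrypting):
    """RFC 2548 keystream: b1 = MD5(S + R + A), bi = MD5(S + c(i-1))."""
    out, prev = b"", request_auth + salt
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, pad))
        out += result
        # Chaining always uses the ciphertext block.
        prev = block if decrypting else result
    return out

def mppe_key_encrypt(key, secret, request_auth, salt=None):
    """Server side: build the String field of MS-MPPE-Send/Recv-Key."""
    if len(request_auth) != 16 or not 0 < len(key) <= 255:
        raise ValueError("bad authenticator or key length")
    if salt is None:
        rnd = os.urandom(2)
        salt = bytes([rnd[0] | 0x80, rnd[1]])  # high bit must be set
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)      # zero-pad to 16-byte blocks
    return salt + _xor_blocks(plain, secret, request_auth, salt, False)

def mppe_key_decrypt(value, secret, request_auth):
    """NAS side: recover the key from the attribute's String field."""
    if len(value) < 18 or (len(value) - 2) % 16 or not value[0] & 0x80:
        raise ValueError("malformed salt-encrypted value")
    salt, cipher = value[:2], value[2:]
    plain = _xor_blocks(cipher, secret, request_auth, salt, True)
    key_len = plain[0]
    if key_len == 0 or key_len > len(plain) - 1:
        raise ValueError("bad length byte: wrong secret or authenticator?")
    return plain[1:1 + key_len]

if __name__ == "__main__":
    secret = b"testing123"              # constructed shared secret
    request_auth = bytes(range(16))     # constructed Request Authenticator
    key = bytes(range(100, 132))        # constructed 32-byte key
    wire = mppe_key_encrypt(key, secret, request_auth)
    assert mppe_key_decrypt(wire, secret, request_auth) == key
    print(len(wire), "bytes on the wire:", wire.hex())
```

The confidentiality of the key on the server-to-NAS hop therefore rests entirely on the RADIUS shared secret and MD5, so a weak or reused shared secret exposes the layer 2 keys to anyone who can capture the Access-Request and Access-Accept pair.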


