EAP MSK: how is it transported between server and authenticator
Phil Mayers
p.mayers at imperial.ac.uk
Fri Oct 10 11:32:45 CEST 2008
Richard Chan wrote:
> Let me rephrase my question in another way (hopefully clearer):
>
> NAS acting as EAP pass-thru' device
>
> USER ---------------------- NAS ----------------------- FREERADIUS
> +++++++EAP+++++++++==EAP over RADIUS========== (****)
>
> EAP over RADIUS uses EAP-Message attribute.
>
>
> After EAP completes we have:
>
> USER ---------------------- NAS ----------------------- FREERADIUS
> MSK                                                     MSK
>
> ...but the NAS needs the MSK to do whatever layer 2 encryption scheme..
> ..so...
>
> USER ---------------------- NAS ----------------------- FREERADIUS
>                              MSK <================= MSK (OOOO)
> HOW??

See my other email. MSK is not sent to the NAS. SSK (derived from MSK)
is, and it's sent in the attributes:

MS-MPPE-Send-Key
MS-MPPE-Recv-Key

...even if the EAP method is not MS-CHAP based.
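
Added example, not part of the original post and not FreeRADIUS code: how the value of an MS-MPPE-Send-Key or MS-MPPE-Recv-Key attribute is protected on the server-to-NAS hop under RFC 2548 section 2.4.2, using an MD5 keystream built from the RADIUS shared secret, the Request Authenticator and a 2-octet salt. The function names, shared secret, authenticator and 32-byte key below are constructed for illustration.

```python
import hashlib
import os

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mppe_key_encrypt(key, secret, request_auth, salt=None):
    """Build the attribute value (Salt || String) per RFC 2548 2.4.2."""
    if len(request_auth) != 16 or len(key) > 255:
        raise ValueError("bad Request Authenticator or key length")
    if salt is None:
        # The most significant bit of the salt's first octet must be set.
        salt = bytes([os.urandom(1)[0] | 0x80]) + os.urandom(1)
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the top bit set")
    # Plaintext is Key-Length || Key, zero-padded to a multiple of 16.
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_auth + salt
    for i in range(0, len(plain), 16):
        # b(1) = MD5(S + R + A); b(i) = MD5(S + c(i-1)); c(i) = p(i) xor b(i)
        block = _xor(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return salt + out

def mppe_key_decrypt(value, secret, request_auth):
    """What the NAS does to recover the key from the attribute value."""
    salt, cipher = value[:2], value[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not cipher or len(cipher) % 16:
        raise ValueError("malformed MS-MPPE key attribute")
    plain, prev = b"", request_auth + salt
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    key_len = plain[0]
    if key_len > len(plain) - 1:
        raise ValueError("implausible key length (wrong shared secret?)")
    return plain[1:1 + key_len]

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))     # Authenticator of the Access-Request
KEY = bytes(range(100, 132))        # stand-in 32-byte key

if __name__ == "__main__":
    value = mppe_key_encrypt(KEY, SECRET, REQUEST_AUTH)
    print(len(value), mppe_key_decrypt(value, SECRET, REQUEST_AUTH) == KEY)
```

The only thing keeping the key confidential on this hop is the RADIUS shared secret, so a weak or reused secret exposes the layer 2 keys to anyone who can capture the Access-Request and Access-Accept.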