EAP-PSK : 16 bytes Pre shared key not configured

Phil Mayers p.mayers at imperial.ac.uk
Thu Sep 27 12:49:38 CEST 2012

On 27/09/12 09:37, alan buxey wrote:
> Hi,
>> I've been hassling people who use it as to which EAP method they
>> need that's missing. A couple of them have been eap-psk (anyone know
>> why the sudden interest in that?). I've got a 5000 word assignment
> some student project?

Yeah, I'm doing a 2nd degree in my spare time - broaden my horizons, eat 
up all my spare time, make me grit my teeth, etc. ;o)

> the current thing that holds interest for me is EAP-FAST - and therefore, in the future
> EAP-FAST is currently the mechanism buried inside Cisco's MACSEC TrustSec

FAST and TEAP are a bit... thorny. I guess in response to how horrible 
LEAP was, they've layered on a *lot* of stuff in there - multiple 
per-inner-exchange crypto (re)binding, and the PAC stuff.

It's not entirely clear to me that OpenSSL provides the required APIs to 
do everything that FAST/TEAP can on the server-side, but I think so, 
largely as a result of Jouni Malinen hassling the OpenSSL guys to take 
his patches:


...although the sheer amount of *time* that took concerns me; if there's 
a missing API it'll be *forever* before it's corrected.

I'd like to implement TEAP, if only because it's a good tickbox. I'm 
less keen on FAST, since it's been theoretically superseded by TEAP, and 
unlike PEAP/TTLS, FAST was never widely adopted. If FAST is easy by 
re-using TEAP code, then that's good.

w.r.t. FAST/TEAP there are a couple of things to sort out conceptually, 
specifically how to handle the support for multiple inner auths, and how 
to "signal" which order and what the required chaining is. Until I have 
a working prototype, it's difficult to wrap my head around.

Anyway - when I get a GitHub branch working I'll discuss on -devel. 
Unless someone beats me to it, which will make me happy ;o)

More information about the Freeradius-Users mailing list