AVP EAP-KEY name support in FR

Alan DeKok aland at deployingradius.com
Thu Feb 14 15:01:06 CET 2013

Srinu Bandari wrote:
> EAP key identifier must be sent as a part of Access-Accept message in EAP Key-Name AVP (Radius Attribute Type 102).

  Sure.  But it's been hard to find out what is put *into* it.  That
link has been missing.

> This what Cisco Documentation states:
> "The switch has no visibility into the details of the EAP session between the supplicant and the authentication server, so it cannot derive the MSK or the CAK directly. Instead, the switch receives the CAK from the authentication server in the Access-Accept message at the end of the IEEE 802.1X authentication. The CAK is delivered in the RADIUS vendor-specific attributes (VSAs) MS-MPPE-Send-Key and MS-MPPE-Recv-Key. Along with the CAK, the authentication server sends an EAP key identifier that is derived from the EAP exchange and is delivered to the authenticator in the EAP Key-Name attribute of the Access-Accept message."
> From 802.1X:
> The EAP Session-Id for EAP-TLS is specified in IETF RFC 5216 and IETF RFC 5247 and IETF RFC 4072 define the RADIUS EAP-Key-Name Attribute (Type 102) used to convey the EAP Session-Id


> So, we need to send Session-ID value as EAP Key-Name AVP (Radius Attribute Type 102) part of Access-Accept message.

  That's not clear to me from the above description.  But if it works...

  We'll be releasing 2.2.1 shortly.  I think this change can go into it.

  Alan DeKok.

More information about the Freeradius-Users mailing list