AVP EAP-KEY name support in FR

Phil Mayers p.mayers at imperial.ac.uk
Thu Feb 14 15:09:02 CET 2013

On 14/02/13 14:01, Alan DeKok wrote:
> Srinu Bandari wrote:
>> EAP key identifier must be sent as a part of Access-Accept message in EAP Key-Name AVP (Radius Attribute Type 102).
>    Sure.  But it's been hard to find out what is put *into* it.  That
> link has been missing.
>> This what Cisco Documentation states:
>> "The switch has no visibility into the details of the EAP session between the supplicant and the authentication server, so it cannot derive the MSK or the CAK directly. Instead, the switch receives the CAK from the authentication server in the Access-Accept message at the end of the IEEE 802.1X authentication. The CAK is delivered in the RADIUS vendor-specific attributes (VSAs) MS-MPPE-Send-Key and MS-MPPE-Recv-Key. Along with the CAK, the authentication server sends an EAP key identifier that is derived from the EAP exchange and is delivered to the authenticator in the EAP Key-Name attribute of the Access-Accept message."
>>  From 802.1X:
>> The EAP Session-Id for EAP-TLS is specified in IETF RFC 5216 and IETF RFC 5247 and IETF RFC 4072 define the RADIUS EAP-Key-Name Attribute (Type 102) used to convey the EAP Session-Id
>    OK.
>> So, we need to send Session-ID value as EAP Key-Name AVP (Radius Attribute Type 102) part of Access-Accept message.
>    That's not clear to me from the above description.  But if it works...

Yeah, I got super-confused about all the EAP-Key-Name stuff when I 
looked a couple of months ago.

Does anyone know if there's known-good test data we can compare against, 
or a client/application that validates it? Does eapol_test 
implement/check it?

More information about the Freeradius-Users mailing list