> From: Raghu [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 08, 2002 11:44 PM
> 
> EAP documentation is added to the cvs (doc/eap).
> Any Suggestions and feedback are welcome.

A point on the WEP key generation section:

quote
   10. RADIUS server and the supplicant agree to a specific WEP key.
   11. The supplicant loads the key ready for logging on.
   12. The RADIUS server sends the key for this session (Session key) to the AP.
   13. The AP encrypts its Broadcast key with the Session key
   14. The AP sends the encrypted key to the supplicant
   15. The supplicant decrypts the Broadcast key with the Session key and 
       the session continues using the Broadcast and Session keys until 
       the session ends.
   (Please note that WEP is not yet supported in freeradius)
un-quote

AFAIK the authentication server and supplicant agree on a shared session
secret, but that is not the actual WEP unicast key to be used between the
AP and STA. I believe that the key distribution actually does this:

1. the authentication server sends the shared session secret to the
   AP using MPPE-{Send|Recv}-Key attributes
2. the AP generates a WEP unicast key for the STA and a broadcast key
3. these keys are encrypted with the shared session secret and sent to the
   STA in separate EAPOL-Key messages

This seems correct according to the behavior of the WinXP supplicant and
Lucent WavePOINT-II AP.

We actually sent a patch that implemented the generation of the keying
data in the rlm_eap_tls module a while back (June 20th), but there was
no response.

Best regards,

Henrik Eriksson
Axis Communications AB

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
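
Step 3 of the key distribution described in the message above, as an added sketch that is not part of the original message and is not FreeRADIUS code. It assumes the RC4 key descriptor of IEEE 802.1X-2001, with the key material RC4-encrypted under Key IV || MS-MPPE-Recv-Key and the frame signed with HMAC-MD5 under MS-MPPE-Send-Key (both named from the AP's side); the function names are hypothetical.

```python
import hashlib, hmac, struct

HDR = struct.Struct("!BBH")            # EAPOL: version, packet type, body length
DESC = struct.Struct("!BH8s16sB16s")   # RC4 descriptor: type, key length, replay
                                       # counter, key IV, key index, key signature
SIG_OFF = HDR.size + DESC.size - 16    # offset of the 16-byte signature field

def rc4(key, data):
    s, j = list(range(256)), 0
    for i in range(256):                        # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for b in data:                              # keystream XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def sign(sign_key, frame):
    # HMAC-MD5 over the whole EAPOL frame with the signature field zeroed
    zeroed = frame[:SIG_OFF] + bytes(16) + frame[SIG_OFF + 16:]
    return hmac.new(sign_key, zeroed, hashlib.md5).digest()

def build_eapol_key(wep_key, index, unicast, replay, iv, crypt_key, sign_key):
    """AP side: wrap one WEP key (unicast or broadcast) for the STA."""
    flags = (0x80 if unicast else 0) | (index & 0x7F)
    body = DESC.pack(1, len(wep_key), replay, iv, flags, bytes(16))
    body += rc4(iv + crypt_key, wep_key)        # per-frame RC4 key = IV || secret
    frame = HDR.pack(1, 3, len(body)) + body    # version 1, type 3 = EAPOL-Key
    return frame[:SIG_OFF] + sign(sign_key, frame) + frame[SIG_OFF + 16:]

def parse_eapol_key(frame, crypt_key, sign_key):
    """STA side: verify the signature first, then decrypt the key."""
    if len(frame) < HDR.size + DESC.size:
        raise ValueError("truncated frame")
    _, ptype, blen = HDR.unpack_from(frame)
    dtype, klen, replay, iv, flags, sig = DESC.unpack_from(frame, HDR.size)
    enc = frame[SIG_OFF + 16:]
    if ptype != 3 or dtype != 1 or blen != len(frame) - HDR.size or klen != len(enc):
        raise ValueError("not a well-formed RC4 EAPOL-Key frame")
    if not hmac.compare_digest(sig, sign(sign_key, frame)):
        raise ValueError("bad key signature")
    return rc4(iv + crypt_key, enc), flags & 0x7F, bool(flags & 0x80), replay
```

The parser returns the replay counter so the caller can reject frames whose counter does not increase; that check is left to the caller here.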
