> A point on the WEP key generation section: 
> quote
>   10. RADIUS server and the supplicant agree to a specific WEP key.
>   11. The supplicant loads the key ready for logging on.
>   12. The RADIUS server sends the key for this session (Session key) to the AP.
>   13. The AP encrypts its Broadcast key with the Session key
>   14. The AP sends the encrypted key to the supplicant
>   15. The supplicant decrypts the Broadcast key with the Session key and 
>       the session continues using the Broadcast and Session keys until 
>       the session ends.
>   (Please note that WEP is not yet supported in freeradius)
> un-quote

> AFAIK the authentication server and supplicant agree on a shared session
> secret, but that is not the actual WEP unicast key to be used between the
> AP and STA. I believe that the key distribution actually does this:
> 1. the authentication server sends the shared session secret to the
>    AP using MPPE-{Send|Recv}-Key attributes
> 2. the AP generates a WEP unicast key for the STA and a broadcast key
> 3. these keys are encrypted with the shared session secret and sent to the
>    STA in separate EAPOL-Key messages
> This seems correct according to the behavior of the WinXP supplicant and
> Lucent WavePOINT-II AP.


If you have already tested it, I would like to take your point.
If I got your point right, then:

1. Authentication server generates Session Secret, but not Session Key,
   and sends it to both supplicant and AP.
2. AP generates both Session(Unicast) Key and Broadcast Key and encrypts
   them using Session Secret and sends to the supplicant.
3. Supplicant decrypts Session(Unicast) Key and Broadcast key using the
   Session Secret that it got from Authentication Server.

Please correct me if I am wrong.
I would appreciate it if you could send some links/documents confirming this.


> We actually sent a patch that implemented the generation of the keying
> data in the rlm_eap_tls module a while back (June 20th), but there was
> no response.

I was on vacation last month and I might have missed many mails.
I just got your patch from the archives.

Your patch looks good to me except for the use of VSAs (MS-MPPE-...).
I am still not sure, if the supplicant is Linux based and a Cisco AP is used,
what RADIUS attributes should be used for this key sharing.


Please CC me, as I am not subscribed to the list currently.

-Raghu
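As an added example (not code from this thread, and not FreeRADIUS's own implementation): this is how the session secret in step 1 above is protected when the server hands it to the AP in MS-MPPE-Send-Key / MS-MPPE-Recv-Key, following the RFC 2548 encoding. The shared secret, Request Authenticator, salt and session secret below are constructed sample values.

```python
import hashlib

# Constructed sample values (not taken from the thread): the RADIUS shared
# secret between server and AP, the 16-byte Request Authenticator of the
# Access-Request being answered, and a 32-byte session secret to deliver.
SHARED_SECRET = b"example-radius-secret"
REQUEST_AUTHENTICATOR = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SESSION_SECRET = bytes(range(0x40, 0x60))
SALT = b"\x80\x01"  # 2 octets, high bit set, unique per attribute in the packet


def _keystream_block(secret, prev):
    # RFC 2548: b(1) = MD5(S + R + A); b(i) = MD5(S + c(i-1))
    # The only thing protecting the key in transit is the RADIUS shared
    # secret fed into MD5, so its strength bounds the protection.
    return hashlib.md5(secret + prev).digest()


def mppe_key_encrypt(key, secret, req_auth, salt):
    """Return the Salt+String field of an MS-MPPE-Send/Recv-Key attribute."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be two octets with the high bit set")
    plain = bytes([len(key)]) + key             # Key-Length || Key
    plain += b"\x00" * (-len(plain) % 16)       # pad to a 16-octet multiple
    out = b""
    prev = req_auth + salt                      # input for b(1)
    for i in range(0, len(plain), 16):
        block = _keystream_block(secret, prev)
        c = bytes(p ^ b for p, b in zip(plain[i:i + 16], block))
        out += c
        prev = c                                # chaining: b(i+1) uses c(i)
    return salt + out


def mppe_key_decrypt(field, secret, req_auth):
    """Recover the key from a Salt+String field; raise on malformed input."""
    salt, cipher = field[:2], field[2:]
    if len(salt) != 2 or len(cipher) == 0 or len(cipher) % 16:
        raise ValueError("String must be a non-empty multiple of 16 octets")
    plain = b""
    prev = req_auth + salt
    for i in range(0, len(cipher), 16):
        block = _keystream_block(secret, prev)
        plain += bytes(c ^ b for c, b in zip(cipher[i:i + 16], block))
        prev = cipher[i:i + 16]
    length = plain[0]
    if length > len(plain) - 1:
        raise ValueError("Key-Length exceeds the decrypted data")
    return plain[1:1 + length]


def roundtrip():
    field = mppe_key_encrypt(SESSION_SECRET, SHARED_SECRET, REQUEST_AUTHENTICATOR, SALT)
    return field, mppe_key_decrypt(field, SHARED_SECRET, REQUEST_AUTHENTICATOR)
```

Send-Key and Recv-Key in the same Access-Accept each get their own salt; the AP then derives the unicast and broadcast WEP keys locally, as step 2 of the thread describes.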

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html