> From: Raghu [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 09, 2002 7:35 PM
> 
> > AFAIK the authentication server and supplicant agree on a shared session
> > secret, but that is not the actual WEP unicast key to be used between the
> > AP and STA. I believe that the key distribution actually does this:
> > 1. the authentication server sends the shared session secret to the
> >    AP using MPPE-{Send|Recv}-Key attributes
> > 2. the AP generates a WEP unicast key for the STA and a broadcast key
> > 3. these keys are encrypted with the shared session secret and sent to the
> >    STA in separate EAPOL-Key messages
> > This seems correct according to the behavior of the WinXP supplicant and
> > Lucent WavePOINT-II AP.
> 
> 
> If you have already tested it I would like to take your point.
> If I got your point right then,
> 
> 1. Authentication server generates Session Secret, but not Session Key,
>    and sends it to both supplicant and AP.
> 2. AP generates both Session (Unicast) Key and Broadcast Key and encrypts
>    them using Session Secret and sends them to the supplicant.
> 3. Supplicant decrypts Session (Unicast) Key and Broadcast Key using the
>    Session Secret that it got from Authentication Server.
> 
> Please correct me if I am wrong.
> I would appreciate it if you could send some links/documents
> confirming this.

Section 4 of the "IEEE 802.1X RADIUS Usage Guidelines" I-D
<URL:http://www.ietf.org/internet-drafts/draft-congdon-radius-8021x-20.txt>
combined with section 3.5 of RFC 2716 should cover most of it.

> I was on vacation last month and I might have missed many mails.
> I just got your patch from the archives.
> 
> Your patch looks good to me except for the use of VSA (MS-MPPE-...).
> I am still not sure, if the supplicant is Linux based and a Cisco AP is
> used, what RADIUS attributes should be used for this key sharing?

Which RADIUS attributes are used to send the keying data to
the AP doesn't matter to the supplicant since it only sees
the EAPOL-Key messages over 802.11. We didn't test with the
Xsupplicant (we may do that when we get time, but don't hold
your breath) but the code seems to work like the described
behavior.

Cisco APs use the same RADIUS attributes (it'd be pretty weird
if they didn't). We did not test that with freeradius EAP-TLS,
but we did trace the communication between a Cisco AP and Win2k
RADIUS during an EAP-TLS authentication.

Best regards,
Henrik Eriksson
Axis Communications AB

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
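The three-step key distribution discussed in this thread (authentication server hands the session secret to the AP, the AP wraps a WEP unicast key and a broadcast key with it, the supplicant unwraps them from EAPOL-Key messages), worked through end to end as an added example. This is illustrative code written for this page, not freeradius, Xsupplicant or any AP's implementation. It assumes the 802.1X-2001 RC4 key descriptor layout (descriptor type, key length, replay counter, 16-byte IV, key index with the unicast bit, HMAC-MD5 signature, RC4-encrypted key), assumes the MS-MPPE-Recv-Key half of the secret is the key-encryption key and the MS-MPPE-Send-Key half is the signing key, and uses constructed secret and WEP key values throughout.

```python
import hmac
import hashlib
import os
import struct

# Constructed 64-byte "shared session secret", standing in for the EAP-TLS
# derived material the authentication server hands to the AP. Assumption
# (modeled on the MPPE attribute split the thread mentions): the AP gets it
# as two 32-byte halves, MS-MPPE-Recv-Key and MS-MPPE-Send-Key.
SESSION_SECRET = bytes(range(64))          # constructed, not a real key
MPPE_RECV_KEY = SESSION_SECRET[:32]        # used here as the key-encryption key
MPPE_SEND_KEY = SESSION_SECRET[32:]        # used here as the signing key

EAPOL_VERSION = 1
EAPOL_TYPE_KEY = 3          # EAPOL packet type for EAPOL-Key
DESCRIPTOR_RC4 = 1          # 802.1X-2001 RC4 key descriptor type (assumed layout)
SIG_OFFSET = 4 + 1 + 2 + 8 + 16 + 1   # EAPOL header + fields before Key Signature
SIG_LEN = 16
KEY_OFFSET = SIG_OFFSET + SIG_LEN


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; symmetric, so the same call decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def ap_build_eapol_key(wep_key, key_index, unicast, replay_counter, iv=None):
    """AP side: wrap one WEP key (unicast or broadcast) in an EAPOL-Key frame."""
    if iv is None:
        iv = os.urandom(16)
    if not 0 <= key_index < 4 or len(iv) != 16:
        raise ValueError("bad key index or IV")
    index_byte = key_index | (0x80 if unicast else 0)   # bit 7 = unicast flag
    # Key field: RC4 keyed with IV || key-encryption key (assumed construction)
    encrypted = rc4(iv + MPPE_RECV_KEY, wep_key)
    body = struct.pack("!BHQ16sB", DESCRIPTOR_RC4, len(wep_key),
                       replay_counter, iv, index_byte)
    frame = bytearray(struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_KEY,
                                  len(body) + SIG_LEN + len(encrypted)))
    frame += body + bytes(SIG_LEN) + encrypted
    # Key Signature: HMAC-MD5 over the frame with the signature field zeroed
    frame[SIG_OFFSET:KEY_OFFSET] = hmac.new(MPPE_SEND_KEY, bytes(frame),
                                            hashlib.md5).digest()
    return bytes(frame)


class Supplicant:
    """STA side: verifies, replay-checks and unwraps EAPOL-Key frames."""

    def __init__(self):
        self.last_replay = -1
        self.keys = {}      # (unicast flag, key index) -> plaintext WEP key

    def receive(self, frame):
        if len(frame) < KEY_OFFSET:
            raise ValueError("truncated EAPOL-Key")
        _version, ptype, length = struct.unpack("!BBH", frame[:4])
        if ptype != EAPOL_TYPE_KEY or length != len(frame) - 4:
            raise ValueError("not a well-formed EAPOL-Key")
        desc, key_len, replay, iv, index_byte = struct.unpack(
            "!BHQ16sB", frame[4:SIG_OFFSET])
        if desc != DESCRIPTOR_RC4:
            raise ValueError("unsupported key descriptor")
        # Check the signature first, in constant time, before trusting any field
        unsigned = bytearray(frame)
        unsigned[SIG_OFFSET:KEY_OFFSET] = bytes(SIG_LEN)
        expected = hmac.new(MPPE_SEND_KEY, bytes(unsigned), hashlib.md5).digest()
        if not hmac.compare_digest(expected, frame[SIG_OFFSET:KEY_OFFSET]):
            raise ValueError("bad key signature")
        if replay <= self.last_replay:
            raise ValueError("replayed EAPOL-Key")
        self.last_replay = replay
        wep_key = rc4(iv + MPPE_RECV_KEY, frame[KEY_OFFSET:])
        if len(wep_key) != key_len:
            raise ValueError("key length mismatch")
        unicast = bool(index_byte & 0x80)
        self.keys[(unicast, index_byte & 0x7F)] = wep_key
        return unicast, index_byte & 0x7F, wep_key


def demo():
    """Full exchange: AP sends the broadcast key (index 1), then the unicast key (index 0)."""
    broadcast_key = bytes.fromhex("0b0b0b0b0b0b0b0b0b0b0b0b0b")   # constructed 104-bit WEP key
    unicast_key = bytes.fromhex("a1a2a3a4a5a6a7a8a9aaabacad")     # constructed 104-bit WEP key
    sta = Supplicant()
    sta.receive(ap_build_eapol_key(broadcast_key, 1, False, 1))
    sta.receive(ap_build_eapol_key(unicast_key, 0, True, 2))
    return sta.keys
```

The supplicant verifies the signature before it looks at any other field, and only then enforces a strictly increasing replay counter, so a re-sent or modified EAPOL-Key is rejected before a key slot is ever written. Note that the confidentiality of the distributed keys rests entirely on the session secret and on RC4 with a per-message IV; the WEP keys themselves remain WEP keys once installed.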