Henrik Eriksson wrote:
>>From: Raghu [mailto:[EMAIL PROTECTED]]
>>Sent: Tuesday, July 09, 2002 7:35 PM
>>
>>
>>If you have already tested it I would like to take your point.
>>If I got your point right then,
>>
>>1. Authentication server generates Session Secret, but not Session Key,
>>   and sends it to both supplicant and AP.
>>2. AP generates both Session(Unicast) Key and Broadcast Key and encrypts
>>   them using Session Secret and sends to the supplicant.
>>3. Supplicant decrypts Session(Unicast) Key and Broadcast key using the
>>   Session Secret that it got from Authentication Server.
>>
>>Please correct me if I am wrong.
>>I would appreciate it if you can send some links/documents confirming this.
>>
>
>Section 4 of the "IEEE 802.1X RADIUS Usage Guidelines" I-D
><URL:http://www.ietf.org/internet-drafts/draft-congdon-radius-8021x-20.txt>
>combined with section 3.5 of rfc 2716 should cover most of it.
>

Thank you for the link. The draft has no reference about the above 3 step
sequence. If possible, can you send more links/documents in this regard.

>
>
>>I was on vacation last month and I might have missed many mails.
>>I just got your patch from the archives.
>>
>>Your patch looks good to me except for use of VSA (MS-MPPE-...).
>>I am still not sure, if the supplicant is linux based and cisco AP is used,
>>what Radius attributes should be used for this key sharing?
>>
>
>Which Radius attributes are used to send the keying data to
>the AP doesn't matter to the supplicant since it only sees
>the EAPOL-Key messages over 802.11. We didn't test with the
>Xsupplicant (we may do that when we get time, but don't hold
>your breath) but the code seems to work like the described
>behavior.
>
>Cisco APs use the same Radius attributes (it'd be pretty weird
>if they didn't). We did not test that with freeradius EAP-TLS,
>but we did trace the communication between a Cisco AP and Win2k
>radius during an EAP-TLS authentication.
>

I am not sure I made my point clear.

Cisco AP & linux supplicant are just an example to refer to non-MS. To pass
802.11 EAPOL key messages from RADIUS Server to AP to supplicant (no matter
which RADIUS Server, AP and Supplicant are used) they need to support the
Microsoft dictionary, as they use MS-MPPE-.. VSAs. This is weird.
Unfortunately "IEEE 802.1X RADIUS Usage Guidelines" also talks about the use
of these MS-MPPE-... VSAs. I expect something like an IEEE802 dictionary, and
if the APs claim to support 802.11 EAPOL key messages, then it is understood
that one of the VSAs from this IEEE802 dictionary is used. I hope you got my
point.

What is your opinion on the following snip from "IEEE 802.1X RADIUS Usage
Guidelines"?

<snip>
5.7. Key management issues

   The EAPOL-Key descriptor described in Section 4 is likely to be
   deprecated in the future, when the 802.11 enhanced security group
   completes its work. Known security issues include:
<snip>

-Raghu

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
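The MS-MPPE-Send-Key / MS-MPPE-Recv-Key VSAs discussed in this thread carry the session key from the RADIUS server to the AP wrapped under the RADIUS shared secret, as specified in RFC 2548 section 2.4. The following is an added example written for this page, not code from the thread or from FreeRADIUS; the shared secret, Request-Authenticator and session key values are constructed.

```python
import hashlib

# Constructed sample values (not from the thread): RADIUS shared secret,
# the 16-byte Request-Authenticator of the Access-Request, and a session key.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff0011223344556677")


def mppe_wrap(key: bytes, secret: bytes, request_auth: bytes, salt: bytes) -> bytes:
    """Encrypt a key as an MS-MPPE-Send/Recv-Key value (RFC 2548 2.4.2).
    Returns salt || ciphertext; the salt is 2 bytes with the high bit set."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the most significant bit set")
    # Plaintext: one length byte, the key, then zero padding to a 16-byte multiple.
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out = bytearray()
    prev = request_auth + salt          # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(plain[i:i + 16], b))
        out += c
        prev = c                        # b(i) = MD5(S + c(i-1))
    return salt + bytes(out)


def mppe_unwrap(value: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Recover the key from an MS-MPPE-*-Key value; raises on malformed input."""
    if len(value) < 18 or (len(value) - 2) % 16:
        raise ValueError("MS-MPPE key value must be 2-byte salt + 16n bytes")
    salt, cipher = value[:2], value[2:]
    plain = bytearray()
    prev = request_auth + salt
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ k for x, k in zip(block, b))
        prev = block                    # chaining uses the ciphertext block
    klen = plain[0]
    if klen > len(plain) - 1:
        raise ValueError("length byte exceeds decrypted data (wrong secret?)")
    return bytes(plain[1:1 + klen])
```

The wrap is keyed only by the RADIUS shared secret and MD5, so on the server-to-AP hop the session key is protected no better than that secret.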
