On 14/02/13 14:01, Alan DeKok wrote:
Srinu Bandari wrote:
EAP key identifier must be sent as a part of Access-Accept message in EAP
Key-Name AVP (Radius Attribute Type 102).
Sure. But it's been hard to find out what is put *into* it. That
link has been missing.
This what Cisco Documentation states:
"The switch has no visibility into the details of the EAP session between the
supplicant and the authentication server, so it cannot derive the MSK or the CAK
directly. Instead, the switch receives the CAK from the authentication server in the
Access-Accept message at the end of the IEEE 802.1X authentication. The CAK is delivered
in the RADIUS vendor-specific attributes (VSAs) MS-MPPE-Send-Key and MS-MPPE-Recv-Key.
Along with the CAK, the authentication server sends an EAP key identifier that is derived
from the EAP exchange and is delivered to the authenticator in the EAP Key-Name attribute
of the Access-Accept message."
From 802.1X:
The EAP Session-Id for EAP-TLS is specified in IETF RFC 5216 and IETF RFC 5247
and IETF RFC 4072 define the RADIUS EAP-Key-Name Attribute (Type 102) used to
convey the EAP Session-Id
OK.
So, we need to send Session-ID value as EAP Key-Name AVP (Radius Attribute Type
102) part of Access-Accept message.
That's not clear to me from the above description. But if it works...
Yeah, I got super-confused about all the EAP-Key-Name stuff when I
looked a couple of months ago.
Does anyone know if there's known-good test data we can compare against,
or a client/application that validates it? Does eapol_test
implement/check it?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
