Question about wpa_supplicant for 802.1x wired authentication

Sanchez, Ricardo J ricardo.j.sanchez
Wed Apr 6 18:45:03 PDT 2005

Glad to hear that the wired authentication is working now.
I have been using Xsupplicant with PEAP (MS-CHAP-v2) 
in conjunction with hostapd (authenticator) and a Cisco ACS
(Radius server) for testing authentication and 
it all works fine. However, I want to experiment with
the key hierarchy and have configured wpa_supplicant 
to obtain the master keying information from Xsupplicant
using a wired driver.

On the authenticator side, I have noticed that in the last
Access-Accept message from Radius there are two "MS MPPE keys" 
(MS MPPE Recv Key & MS MPPE Send Key) encrypted as Radius attributes. 
The authenticator then performs a decryption of those keys
and generates two 32-bytes unencrypted keys for peer encryption
and EAP-server encryption.

On the supplicant side, Xsupplicant derives keying information
after the last EAP-SUCCESS message is received from the authenticator
and pass it on to the wpa_supplicant. I have noticed that 
this "master" key is 32 bytes long but it does not resemble in 
any way any of the unencrypted MPPE keys residing in the authenticator.
Isn't it true that the derived master key (or PMK) has to be the same
on both supplicant and authenticator? What is exactly used as PMK on the

wpa_supplicant (w/ Xsupplicant) and on the hostapd (authenticator)? 
Does the PMK passed to the wpa_supplicant goes thru 
another transformation/manipulation to obtain the actual PMK that 
matches the one on the authenticator?

I appreciate any clarifications in this regards, Thanks!

- Ricardo
Ricardo J Sanchez

More information about the Hostap mailing list