Question about wpa_supplicant for 802.1x wired authentication
Sanchez, Ricardo J
Wed Apr 6 18:45:03 PDT 2005
Glad to hear that the wired authentication is working now.
I have been using Xsupplicant with PEAP (MS-CHAP-v2)
in conjunction with hostapd (authenticator) and a Cisco ACS
(Radius server) for testing authentication and
it all works fine. However, I want to experiment with
the key hierarchy and have configured wpa_supplicant
to obtain the master keying information from Xsupplicant
using a wired driver.
On the authenticator side, I have noticed that in the last
Access-Accept message from Radius there are two "MS MPPE keys"
(MS MPPE Recv Key & MS MPPE Send Key) encrypted as Radius attributes.
The authenticator then performs a decryption of those keys
and generates two 32-bytes unencrypted keys for peer encryption
and EAP-server encryption.
On the supplicant side, Xsupplicant derives keying information
after the last EAP-SUCCESS message is received from the authenticator
and pass it on to the wpa_supplicant. I have noticed that
this "master" key is 32 bytes long but it does not resemble in
any way any of the unencrypted MPPE keys residing in the authenticator.
Isn't it true that the derived master key (or PMK) has to be the same
on both supplicant and authenticator? What is exactly used as PMK on the
wpa_supplicant (w/ Xsupplicant) and on the hostapd (authenticator)?
Does the PMK passed to the wpa_supplicant goes thru
another transformation/manipulation to obtain the actual PMK that
matches the one on the authenticator?
I appreciate any clarifications in this regards, Thanks!
Ricardo J Sanchez
More information about the Hostap