Question about wpa_supplicant for 802.1x wired authentication

Sanchez, Ricardo J ricardo.j.sanchez
Thu Apr 7 13:50:53 PDT 2005


My setup is geared toward wired, not wireless, user authentication
using 802.1X. After the user authentication completes, we go further
and attempt to encrypt data over the supplicant/authenticator link using
derived keying material. This is all experimental and not a conventional
setup, similar to 802.11i but in a different form, to perform
data encryption over the wired link between the supplicant and authenticator
using IEEE 802.1X EAPOL-Key frames to exchange the keying material.

That said, I started with Xsupplicant as a framework to generate
the keying material after successful completion of a PEAP-MSCHAPv2
authentication. Why we started with Xsupplicant is irrelevant, but I was hoping that
the PMK derived from Xsupplicant (and passed to wpa_supplicant)
would be the same as the PMK on the authenticator after decrypting the
MS-MPPE-{Recv,Send}-Key RADIUS attributes (in fact only the unencrypted
MS-MPPE-Recv-Key should be used as the PMK on the authenticator, from
what I read in one of the IETF drafts). I understand now that wpa_supplicant
really didn't do anything with this keying material in this particular
case, but I would like to understand how it works from your design.

Assuming that our setup is configured for WPA on the supplicant, and
wired authentication for a moment, my question is at what point should
I expect to have "equal" PMKs on both supplicant and authenticator?
Does the authenticator use the truncated 32 bytes of MS-MPPE-Recv-Key as
the PMK?
As for the supplicant, and assuming the keying material is obtained from
Xsupplicant, are the 32 bytes passed from Xsupplicant as keying material
used directly as the PMK by wpa_supplicant?

Despite the fact that our setup uses wired authentication and I perform
a successful user authentication session, I have yet to see equal PMKs
at both ends of the supplicant/authenticator link.

Thanks for your efforts by the way.
- Ricardo

On Wed, Apr 06, 2005 at 06:45:03PM -0700, Sanchez, Ricardo J wrote:

> I have been using Xsupplicant with PEAP (MS-CHAP-v2) 
> in conjunction with hostapd (authenticator) and a Cisco ACS
> (Radius server) for testing authentication and 
> it all works fine. However, I want to experiment with
> the key hierarchy and have configured wpa_supplicant 
> to obtain the master keying information from Xsupplicant
> using a wired driver.

I do not understand fully what you are trying to do here. Xsupplicant
can be used as an external EAP peer for wpa_supplicant, but that is not
needed (nor recommended anymore) and anyway, it would only be used for
WPA/WPA2, i.e., when 4-Way Handshake is used. There is not much point in
using this for wired authentication since wpa_supplicant would not
really be used for anything in that case. If you want to use Xsupplicant
for EAP, I don't see why you would use it with wpa_supplicant in case of
wired authentication.

> On the authenticator side, I have noticed that in the last
> Access-Accept message from Radius there are two "MS MPPE keys" 
> (MS MPPE Recv Key & MS MPPE Send Key) encrypted as Radius attributes. 

That's correct.

> The authenticator then performs a decryption of those keys
> and generates two 32-byte unencrypted keys for peer encryption
> and EAP-server encryption.

I'm not sure what you mean with peer encryption and EAP-server
encryption, but yes, Authenticator does indeed decrypt the
MS-MPPE-{Recv,Send}-Key attributes.

> On the supplicant side, Xsupplicant derives keying information
> after the last EAP-SUCCESS message is received from the authenticator
> and passes it on to wpa_supplicant. I have noticed that
> this "master" key is 32 bytes long but it does not resemble in
> any way any of the unencrypted MPPE keys residing in the authenticator.
> Isn't it true that the derived master key (or PMK) has to be the same
> on both supplicant and authenticator?

Yes, PMK does indeed need to be same.

> What exactly is used as the PMK on
> wpa_supplicant (w/ Xsupplicant) and on hostapd (authenticator)?
> Does the PMK passed to wpa_supplicant go through
> another transformation/manipulation to obtain the actual PMK that
> matches the one on the authenticator?

No, it is supposed to be the same. Anyway, I don't really see what you are
trying to do here, since PMK is not really used in case of wired
authentication. It would be useful if you are setting data encryption
keys, e.g., with WPA/WPA2 or IEEE 802.1X EAPOL-Key frames.

Jouni Malinen                                            PGP id EFC895FA
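The following Python is an added illustration of the key path discussed in this thread; it is not code from hostapd, wpa_supplicant or Xsupplicant. It walks the route by which both ends should arrive at the same PMK: the RADIUS server splits the 64-byte EAP MSK into MS-MPPE-Recv-Key (MSK octets 0..31) and MS-MPPE-Send-Key (octets 32..63) and wraps each as described in RFC 2548 section 2.4 using the shared secret and the Request Authenticator of the Access-Request; the authenticator unwraps the attributes and takes MS-MPPE-Recv-Key as the PMK; the supplicant takes the first 32 bytes of its own MSK (eapKeyData). The shared secret, Request Authenticator, salts and MSK bytes are constructed sample values, and the function names are mine.

```python
import hashlib

# Vendor-specific attribute sub-types from RFC 2548 (Microsoft, vendor ID 311).
MS_MPPE_SEND_KEY = 16
MS_MPPE_RECV_KEY = 17


def mppe_wrap_key(key, secret, request_authenticator, salt):
    """Encrypt a key as the String field of an MS-MPPE-{Send,Recv}-Key
    attribute (RFC 2548 section 2.4.2).  Returns Salt || C(1) || ... || C(n).

    P    = Key-Length (1 octet) || Key || zero padding to a multiple of 16
    b(1) = MD5(S || R || A)        c(1) = p(1) XOR b(1)
    b(i) = MD5(S || c(i-1))        c(i) = p(i) XOR b(i)
    """
    if len(salt) != 2 or not (salt[0] & 0x80):
        raise ValueError("Salt must be 2 octets with the most significant bit set")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(key) > 255:
        raise ValueError("Key-Length is a single octet")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out = bytearray(salt)
    prev = request_authenticator + salt  # R || A feeds b(1)
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(plain[i:i + 16], b))
        out += c
        prev = c  # c(i-1) feeds b(i)
    return bytes(out)


def mppe_unwrap_key(wrapped, secret, request_authenticator):
    """Inverse of mppe_wrap_key: recover the key from Salt || C(1..n).
    This is what the authenticator does with the Access-Accept attributes."""
    if len(wrapped) < 2 + 16 or (len(wrapped) - 2) % 16:
        raise ValueError("malformed MS-MPPE key String field")
    salt, cipher = wrapped[:2], wrapped[2:]
    if not (salt[0] & 0x80):
        raise ValueError("Salt most significant bit not set")
    plain = bytearray()
    prev = request_authenticator + salt
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, b))
        prev = block
    key_len = plain[0]
    if key_len > len(plain) - 1:
        # With the wrong shared secret or Request Authenticator the
        # Key-Length octet is effectively random; this is the usual symptom.
        raise ValueError("Key-Length exceeds decrypted payload")
    return bytes(plain[1:1 + key_len])


def split_msk(msk):
    """RADIUS server side: MS-MPPE-Recv-Key carries MSK[0:32] and
    MS-MPPE-Send-Key carries MSK[32:64] (EAP key management conventions)."""
    if len(msk) != 64:
        raise ValueError("EAP MSK exported to RADIUS is 64 octets")
    return msk[:32], msk[32:]


def supplicant_pmk(msk):
    """Supplicant side: PMK = first 256 bits of the MSK (eapKeyData)."""
    return msk[:32]


def pmk_agreement(msk, secret, request_authenticator,
                  recv_salt=b"\x80\x01", send_salt=b"\x80\x02"):
    """End to end: the server wraps both keys, the authenticator unwraps and
    takes MS-MPPE-Recv-Key as the PMK, the supplicant truncates its MSK.
    Returns (supplicant_pmk, authenticator_pmk); the two must be equal."""
    recv_key, send_key = split_msk(msk)
    attrs = {
        MS_MPPE_RECV_KEY: mppe_wrap_key(recv_key, secret, request_authenticator, recv_salt),
        MS_MPPE_SEND_KEY: mppe_wrap_key(send_key, secret, request_authenticator, send_salt),
    }
    authenticator_pmk = mppe_unwrap_key(attrs[MS_MPPE_RECV_KEY], secret, request_authenticator)
    return supplicant_pmk(msk), authenticator_pmk


if __name__ == "__main__":
    # Constructed sample values, not captured from a real exchange.
    msk = bytes(range(64))
    secret = b"testing123"
    request_authenticator = bytes.fromhex("00112233445566778899aabbccddeeff")
    s_pmk, a_pmk = pmk_agreement(msk, secret, request_authenticator)
    print("supplicant PMK   :", s_pmk.hex())
    print("authenticator PMK:", a_pmk.hex())
    print("match:", s_pmk == a_pmk)
```

The practical check for the mismatch reported above is the same comparison the example performs: dump the full 64-byte MSK the external EAP peer exports to the supplicant and confirm its first 32 bytes equal the unwrapped MS-MPPE-Recv-Key on the authenticator. If the two differ, either the peer is exporting something other than the MSK, or the unwrap on the authenticator used a different shared secret or Request Authenticator than the one the RADIUS server used, which typically shows up as a random-looking key or a Key-Length check failure rather than a clean error.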
