How to catch the MSK (Master Session Key) from Wpa_supplicant?
Douglas Diniz
dgdiniz
Mon Apr 14 10:57:41 PDT 2008
>What is the interface between the third and fourth computers in this
>case? Is that defined in some standard or is it something specific for
>this particular setup? Is this something for a small test setup or is
>this aimed at longer term production use?
The interface between the bs and ss is wireless (802.16). This is aimed at
longer term production use.
>WiMax does not use IEEE 802.1X (EAPOL frames), so I would assume you
>have some type of translation mechanism between wpa_supplicant (on the
>fourth computer) and SS. In general, that is unlikely to be the cleanest
>way of supporting WiMax authentication with wpa_supplicant, but since I
>do not know the details of the design you have between third and fourth
>computers, it is unclear to me whether there would be a better way for
>this particular case.
Between Freeradius and Bs, and wpa supplicant and Ss, the interface is
ethernet. When Ss receives an eapol packet from wpa supplicant I send the raw
eap packet as a payload inside a specific message that the Ss software will
handle and send to Bs.
When Bs receives this message, the Bs software will send this raw eap
payload to me, and I will send it to freeradius over a Radius Message.
At the end of authentication, I must use the Msk as I said. The Bs and Ss
software is already implemented to process the Msk. My job finishes when I
send the msk to Bs and SS.
The manufacturer of the Bs/Ss software has this scenario implemented, and I'm
in contact to discover how they send the msk to Bs/Ss.
Thanks.
On Mon, Apr 14, 2008 at 2:24 PM, Jouni Malinen <j at w1.fi> wrote:
> On Sun, Apr 13, 2008 at 11:10:01AM -0300, Douglas Diniz wrote:
>
> > Well, I have here a WiMax setup, where the Bs (Base Station) must
> > authenticate the SS (Subscriber Station). The second computer in my
> > example is the Bs, and the third is SS. So, I have a freeradius connected
> > to the Bs, and wpa supplicant connected to the SS.
>
> What is the interface between the third and fourth computers in this
> case? Is that defined in some standard or is it something specific for
> this particular setup? Is this something for a small test setup or is
> this aimed at longer term production use?
>
> WiMax does not use IEEE 802.1X (EAPOL frames), so I would assume you
> have some type of translation mechanism between wpa_supplicant (on the
> fourth computer) and SS. In general, that is unlikely to be the cleanest
> way of supporting WiMax authentication with wpa_supplicant, but since I
> do not know the details of the design you have between third and fourth
> computers, it is unclear to me whether there would be a better way for
> this particular case.
>
> > I already have an encryption framework done, so after authentication I
> > must send the MSK to Bs and SS (not over air between BS and SS) and this
> > framework handles the encryption for me in the next phase.
> > From the Bs side everything is ok, because freeradius sends the Msk to
> > BS. The problem is to make the SS receive the Msk from wpa supplicant.
>
> Have you changed wpa_supplicant for other details of the system or is
> everything else taken care with some kind of translation service for the
> EAPOL frames? Since WiMax does not use EAPOL, it would probably be
> better to interface with EAP peer instead of EAPOL supplicant. Anyway,
> if you want to do this on top of the EAPOL state machine, you may need
> to add a new callback function for deriving and delivering the MSK. This
> can probably be done in a similar way to RSN pre-authentication (see
> preauth.c and rsn_preauth_eapol_cb() which gets called when EAPOL
> authentication has been completed and it uses eapol_sm_get_key() to get
> the MSK).
>
> --
> Jouni Malinen PGP id EFC895FA
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
>
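The relay step described in this message (taking the raw EAP packet out of an EAPOL frame before forwarding it) is shown below as an added example; it is not code from wpa_supplicant or from the poster's system. The function name `eapol_extract_eap` and the sample frame are hypothetical, and the Ethernet header is assumed to be already removed.

```c
#include <stddef.h>
#include <stdint.h>

#define EAPOL_HDR_LEN 4          /* version(1) + type(1) + body length(2) */
#define EAPOL_TYPE_EAP_PACKET 0  /* 1 = EAPOL-Start, 3 = EAPOL-Key, ... */
#define EAP_HDR_LEN 4            /* code(1) + identifier(1) + length(2) */

/*
 * Locate the raw EAP packet inside an EAPOL frame.
 * Returns the EAP packet length and sets *eap to its first byte, or
 * returns -1 if the frame is not an EAP-Packet or a length field is
 * inconsistent with the bytes actually received.
 */
long eapol_extract_eap(const uint8_t *frame, size_t frame_len,
                       const uint8_t **eap)
{
    size_t body_len, eap_len;

    if (frame == NULL || eap == NULL || frame_len < EAPOL_HDR_LEN)
        return -1;
    if (frame[1] != EAPOL_TYPE_EAP_PACKET)
        return -1;               /* nothing to relay as EAP */

    body_len = ((size_t)frame[2] << 8) | frame[3];
    if (body_len > frame_len - EAPOL_HDR_LEN || body_len < EAP_HDR_LEN)
        return -1;               /* truncated frame or body too short */

    eap_len = ((size_t)frame[EAPOL_HDR_LEN + 2] << 8) |
              frame[EAPOL_HDR_LEN + 3];
    if (eap_len < EAP_HDR_LEN || eap_len > body_len)
        return -1;               /* EAP length disagrees with EAPOL body */

    *eap = frame + EAPOL_HDR_LEN;
    return (long)eap_len;        /* trailing bytes are padding, not EAP */
}

/* Constructed sample: EAPOL v1, EAP-Packet, EAP-Response/Identity "bob",
 * followed by two bytes of link-layer padding. */
const uint8_t sample_frame[] = {
    0x01, 0x00, 0x00, 0x08,
    0x02, 0x01, 0x00, 0x08, 0x01, 'b', 'o', 'b',
    0x00, 0x00
};
```

Forwarding only the returned number of bytes keeps padding and any oversized length claim out of the message handed to the SS software.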