How to catch the MSK (Master Session Key) from Wpa_supplicant?

Douglas Diniz dgdiniz
Tue Apr 15 11:32:37 PDT 2008


>OK. If you are only using fixed configuration (no user interaction
>during authentication) and do not use the double EAP mode defined in
>802.16e, this may be enough.

Yes, for now i'm using fixed configuration. I'm authenticating with TTLS/MD5
and TTLS/MSCHAPV2. The information for the second TTLS phase (MD5 /
MSCHAPv2) is fixed in the configuration files of wpa supplicant.

>I would describe option (1) a bit differently: integrate the EAP peer
> functionality from wpa_supplicant (not full wpa_supplicant) to SS since
> WiMax does not really use much of the other functionality from
> wpa_supplicant. Or well, the configuration parser could probably be
> shared, too.

Yes, exactly this. I'd need to "clean" the wpa supplicant from other
functionality.
This approach seem be more complex to do, then I stay with the second
option.

> I do not have good enough understanding of the particular project to say
> what would be best option here. I understand that option (2) may look
> like the easiest solution for this case. However, I'm looking this from
> a bit different view point since I would prefer to make sure that the
> interfaces in wpa_supplicant provide functionality that would fit well
> into any WiMax design in addition to 802.11-based solutions.

I only need wpa supplicant to authenticate and send me the msk. After the
success (or fail), the job of wpa supplicant is done. After that,  my Ss
software will handle all the subsequent phases.
The wpa supplicant dont need to know about wimax at all. It only create (and
manage) the eap packets for me.

> Anyway, I would suggest at least taking a quick look at the EAP peer
> example (use of EAP peer functionality from wpa_supplicant as a library
> for another program) that is available in the Git repository:
> http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=tree;f=eap_example;hb=HEAD
> I wrote this example especially with non-802.1X uses in mind and WiMax
> is mentioned as one example case. The example code includes minimal
> setup for using EAP peer functionality and this could be used linked
> together with rest of the SS software to implement PMK EAP.

I'll see this. Thanks.....

My Ss software already handle all the PKM stuff.

> Unfortunately, I do not have any WiMax hardware to play with, so I
> haven't experimented with what exactly would be needed in wpa_supplicant
> to make it fit well with WiMax design. The EAP peer example should work
> fine in this type of use, but it would also be interesting to see a more
> complete reference design for WiMax authentication to be added in the
> future.

Ok, Note that all the wimax protocol is already implemented in my software.
I have a massage (EAP_DATA in my software) where in send the eap packet as a
payload and the rest is already implemented. I only need to create the eap
packets, and i'm using wpa supplicant for that. The subsequent wimax stuff
is already done, as i said.

>I added Marcel to the cc list because he's poked around trying to get
>wpa_supplicant working with WiMAX and ran into some issues.  Would be
>good to get some dialog here so we can nail the issues, some of which
>stem from lack of flexibility in the D-Bus control interface.  That can
>be fixed, but what general supplicant issues were you having, Marcel,
>that you might want to make Jouni aware of?

Cool, any help is welcome. :-)

On 4/15/08, Dan Williams <dcbw at redhat.com> wrote:
>
> On Tue, 2008-04-15 at 20:25 +0300, Jouni Malinen wrote:
> > On Mon, Apr 14, 2008 at 04:45:54PM -0300, Douglas Diniz wrote:
> >
> > > The interface is very simple. I just receive a eap packet from SS
> software
> > > and send it to wpa supplicant. Just it. I only check the eap message
> to
> > > search for a eap success. If the message is a success I expect that
> the next
> > > message from wpa supplicant is the msk. I dont need any eap state
> machine
> > > here (I hope).
> >
> > OK. If you are only using fixed configuration (no user interaction
> > during authentication) and do not use the double EAP mode defined in
> > 802.16e, this may be enough.
> >
> > > I had two options:
> > >
> > > 1-) Incorporate the wpa supplicant to Ss software, creating a function
> > > interface to the Ss's software. This need a lot of time.
> > >
> > > 2-) Create this module to receive messages from SS and send to wpa
> > > supplicant.
> >
> > I would describe option (1) a bit differently: integrate the EAP peer
> > functionality from wpa_supplicant (not full wpa_supplicant) to SS since
> > WiMax does not really use much of the other functionality from
> > wpa_supplicant. Or well, the configuration parser could probably be
> > shared, too.
> >
> > > In fact i'm installing wpa supplicant in SS's host and send the
> messages
> > > over localhost. So, the interface is secure.
> > >
> > > In my place, what you would do?
> >
> > I do not have good enough understanding of the particular project to say
> > what would be best option here. I understand that option (2) may look
> > like the easiest solution for this case. However, I'm looking this from
> > a bit different view point since I would prefer to make sure that the
> > interfaces in wpa_supplicant provide functionality that would fit well
> > into any WiMax design in addition to 802.11-based solutions.
> >
> > Anyway, I would suggest at least taking a quick look at the EAP peer
> > example (use of EAP peer functionality from wpa_supplicant as a library
> > for another program) that is available in the Git repository:
> > http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=tree;f=eap_example;hb=HEAD
> >
> > I wrote this example especially with non-802.1X uses in mind and WiMax
> > is mentioned as one example case. The example code includes minimal
> > setup for using EAP peer functionality and this could be used linked
> > together with rest of the SS software to implement PMK EAP.
> >
> > Unfortunately, I do not have any WiMax hardware to play with, so I
> > haven't experimented with what exactly would be needed in wpa_supplicant
> > to make it fit well with WiMax design. The EAP peer example should work
> > fine in this type of use, but it would also be interesting to see a more
> > complete reference design for WiMax authentication to be added in the
> > future.
>
>
> I added Marcel to the cc list because he's poked around trying to get
> wpa_supplicant working with WiMAX and ran into some issues.  Would be
> good to get some dialog here so we can nail the issues, some of which
> stem from lack of flexibility in the D-Bus control interface.  That can
> be fixed, but what general supplicant issues were you having, Marcel,
> that you might want to make Jouni aware of?
>
>
> Dan
>
>
>
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20080415/e805ab28/attachment-0001.htm 



More information about the Hostap mailing list