No subject

bogus at does.not.exist.com bogus at does.not.exist.com
Mon Mar 31 13:47:40 PDT 2008


The problem is to make the SS receive the Msk from wpa supplicant.

I'll see the code as you suggested.

Any comments are welcome.

Thanks.

On Sun, Apr 13, 2008 at 7:01 AM, Jouni Malinen <j at w1.fi> wrote:

> On Sat, Apr 12, 2008 at 12:43:21PM -0300, Douglas Diniz wrote:
>
> > I have four computers. At the first computer I have the Freeradius
> server.
> > The second computer is connected to freeradius by ethernet, and this
> > computer has Hostap. The third computer is connected with hostap by
> wireless
> > and only pass through the packets to and from the fourth computer, where
> is
> > the wpa supplicant.
>
> I'm not completely sure what you are referring to with "hostap" here.
> The Host AP driver? hostapd?
>
> > I'm using TTLS/MSCHAPv2 to authenticate, and everything is ok. After
> > authentication, the freeradius send the msk to hostap within the
> > access-accept. The problem is that i need to configure the wpa
> supplicant to
> > send the msk to the third computer, because the second and third
> computers
> > will use the msk in the next phase of my setup.
>
> What would be the next phase here? It sounds like you are splitting the
> client functionality into two separate devices. However, if you are
> using normal IEEE 802.1X or WPA encryption, the "next phase" would
> likely be key derivation/configuration for data frame encryption and
> this could be done between the authenticator and wpa_supplicant. The end
> result of this would be the encryption keys for data frames, not MSK. If
> you are doing something more than just splitting the client
> functionality, please describe what you are going to be doing with MSK
> on the third computer.
>
> > This is possible? Wpa supplicant can send the msk? If dont, there is
> another
> > supplicant that can do that?
>
> This is not standard functionality, so you would likely need to change
> something in the source code. Unless you really need MSK separated, I
> would first consider configuring the data encryption keys instead of
> exporting MSK. Anyway, the cleanest way of doing this would likely be to
> implement a custom driver wrapper for this type of split functionality.
> Instead of configuring a local kernel driver, this wrapper would send
> the commands to the external device ("third computer" in your example).
>
> The set_key() handler in struct wpa_driver_ops would need to send the
> key(s). In the current 0.6.x branch, there is option for the driver
> wrapper to configure PMK to the driver (this would be MSK in case of
> WPA-Enterprise) if the driver wrapper specifies
> WPA_DRIVER_FLAGS_4WAY_HANDSHAKE in the capabilities (flags field).
>
> --
> Jouni Malinen                                            PGP id EFC895FA
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
>

------=_Part_17693_12045673.1208095801854
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Hi, thanks for you reply.<br><br>(The hostap in my example works as a pass through authenticator).<br><br>Well, I have here a WiMax setup, where the Bs (Base Station) must authenticate the SS (Subscriber Station). The second computer in my example is the Bs, and the third is SS. So, i have a freeradius connected to the Bs, and wpa supplicant connected to the SS.<br>
I already have an encryption framework done, so after authentication I must send the MSK to Bs and SS (not over air between BS and SS) and this framework handle the encryptation for me in the next phase. <br>From the Bs side everything is ok, because freeradius send the Msk to BS. The problem is to make the SS receive the Msk from wpa supplicant.<br>
<br>I'll see the code as you suggested.<br><br>Any comments are welcome.<br><br>Thanks.<br><br><div class="gmail_quote">On Sun, Apr 13, 2008 at 7:01 AM, Jouni Malinen <<a href="mailto:j at w1.fi">j at w1.fi</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d">On Sat, Apr 12, 2008 at 12:43:21PM -0300, Douglas Diniz wrote:<br>
<br>
> I have four computers. At the first computer I have the Freeradius server.<br>
> The second computer is connected to freeradius by ethernet, and this<br>
> computer has Hostap. The third computer is connected with hostap by wireless<br>
> and only pass through the packets to and from the fourth computer, where is<br>
> the wpa supplicant.<br>
<br>
</div>I'm not completely sure what you are referring to with "hostap" here.<br>
The Host AP driver? hostapd?<br>
<div class="Ih2E3d"><br>
> I'm using TTLS/MSCHAPv2 to authenticate, and everything is ok. After<br>
> authentication, the freeradius send the msk to hostap within the<br>
> access-accept. The problem is that i need to configure the wpa supplicant to<br>
> send the msk to the third computer, because the second and third computers<br>
> will use the msk in the next phase of my setup.<br>
<br>
</div>What would be the next phase here? It sounds like you are splitting the<br>
client functionality into two separate devices. However, if you are<br>
using normal IEEE 802.1X or WPA encryption, the "next phase" would<br>
likely be key derivation/configuration for data frame encryption and<br>
this could be done between the authenticator and wpa_supplicant. The end<br>
result of this would be the encryption keys for data frames, not MSK. If<br>
you are doing something more than just splitting the client<br>
functionality, please describe what you are going to be doing with MSK<br>
on the third computer.<br>
<div class="Ih2E3d"><br>
> This is possible? Wpa supplicant can send the msk? If dont, there is another<br>
> supplicant that can do that?<br>
<br>
</div>This is not standard functionality, so you would likely need to change<br>
something in the source code. Unless you really need MSK separated, I<br>
would first consider configuring the data encryption keys instead of<br>
exporting MSK. Anyway, the cleanest way of doing this would likely be to<br>
implement a custom driver wrapper for this type of split functionality.<br>
Instead of configuring a local kernel driver, this wrapper would send<br>
the commands to the external device ("third computer" in your example).<br>
<br>
The set_key() handler in struct wpa_driver_ops would need to send the<br>
key(s). In the current 0.6.x branch, there is option for the driver<br>
wrapper to configure PMK to the driver (this would be MSK in case of<br>
WPA-Enterprise) if the driver wrapper specifies<br>
WPA_DRIVER_FLAGS_4WAY_HANDSHAKE in the capabilities (flags field).<br>
<font color="#888888"><br>
--<br>
Jouni Malinen                                            PGP id EFC895FA<br>
_______________________________________________<br>
HostAP mailing list<br>
<a href="mailto:HostAP at lists.shmoo.com">HostAP at lists.shmoo.com</a><br>
<a href="http://lists.shmoo.com/mailman/listinfo/hostap" target="_blank">http://lists.shmoo.com/mailman/listinfo/hostap</a><br>
</font></blockquote></div><br>

------=_Part_17693_12045673.1208095801854--



More information about the Hostap mailing list