How to catch the MSK (Master Session Key) from Wpa_supplicant?

Jouni Malinen j
Mon Apr 14 10:24:11 PDT 2008


On Sun, Apr 13, 2008 at 11:10:01AM -0300, Douglas Diniz wrote:

> Well, I have here a WiMax setup, where the Bs (Base Station) must
> authenticate the SS (Subscriber Station). The second computer in my example
> is the Bs, and the third is SS. So, i have a freeradius connected to the Bs,
> and wpa supplicant connected to the SS.

What is the interface between the third and fourth computers in this
case? Is that defined in some standard or is it something specific for
this particular setup? Is this something for a small test setup or is
this aimed at longer term production use?

WiMax does not use IEEE 802.1X (EAPOL frames), so I would assume you
have some type of translation mechanism between wpa_supplicant (on the
fourth computer) and SS. In general, that is unlikely to be the cleanest
way of supporting WiMax authentication with wpa_supplicant, but since I
do not know the details of the design you have between third and fourth
computers, it is unclear to me whether there would be a better way for
this particular case.

> I already have an encryption framework done, so after authentication I must
> send the MSK to Bs and SS (not over air between BS and SS) and this
> framework handle the encryptation for me in the next phase.
> From the Bs side everything is ok, because freeradius send the Msk to BS.
> The problem is to make the SS receive the Msk from wpa supplicant.

Have you changed wpa_supplicant for other details of the system or is
everything else taken care with some kind of translation service for the
EAPOL frames? Since WiMax does not use EAPOL, it would probably be
better to interface with EAP peer instead of EAPOL supplicant. Anyway,
if you want to do this on top of the EAPOL state machine, you may need
to add a new callback function for deriving and delivering the MSK. This
can probably be done in a similar way to RSN pre-authentication (see
preauth.c and rsn_preauth_eapol_cb() which gets called when EAPOL
authentication has been completed and it uses eapol_sm_get_key() to get
the MSK).

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the Hostap mailing list