hi

Klaus Heck wrote:
> Did I get this right? FreeRADIUS does send a dynamically created MPPE
> key once the authentication is performed. But there's no dynamic

yes, if you use EAP/TLS.

> re-keying after certain time spans. Is that correct? And how hard is it
> to implement it, say with configurable time intervals?

well, yes and no: actually, rekeying should be done between the supplicant and the AP since only those two support the actual cryptosuite, namely WEP if we are talking about 802.11.

so, it's more the function of your AP.

the auth server (AS) like freeradius shouldn't change the keys at the AP without the supplicant being involved, since this risks provoking key desynchronization. on the other side, the AS never contacts the supplicant from itself.

so basically, the supplicant has to contact the AS after some period of time. that's possible to do whenever you want, if the supplicant supports it. the radius server will reply with a usual Access-Accept with all the MPPE stuff in it. the other possibility to do this is by using the Radius-attribute "Session-Timeout" (or something like that). In this manner, the AP (radius-client) will close the session after this time has elapsed and the supplicant will have to re-authenticate. this however is very likely to cut any open connections.


ciao
artur


--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr Département Informatique et Réseaux
+33 1 45 81 7507 46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr ENST Paris


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
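
An added example, not part of the original message: a parser that reads the reply described above from the AP's side and reports which MPPE key attributes it carries and what the Session-Timeout timer will do. It goes slightly beyond the post by also reading Termination-Action, which per RFC 3580 turns the timeout into a re-authentication when set to RADIUS-Request (1). The function names and the sample packet are constructed for illustration.

```python
import struct

ACCESS_ACCEPT = 2                          # RADIUS packet code
VENDOR_SPECIFIC, SESSION_TIMEOUT, TERMINATION_ACTION = 26, 27, 29
MS_VENDOR_ID = 311                         # Microsoft VSAs carry the MPPE keys
MPPE_NAMES = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def build_accept(timeout, term_action=None):
    """Constructed sample Access-Accept; authenticator and keys are dummy bytes."""
    attrs = b""
    for vtype in (16, 17):
        key = b"\x80\x01" + bytes(32)      # salt + placeholder ciphertext
        attrs += attr(VENDOR_SPECIFIC, struct.pack("!I", MS_VENDOR_ID) + attr(vtype, key))
    attrs += attr(SESSION_TIMEOUT, struct.pack("!I", timeout))
    if term_action is not None:
        attrs += attr(TERMINATION_ACTION, struct.pack("!I", term_action))
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

def rekey_policy(packet):
    """Return which MPPE keys are present and what happens when the timer fires."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    keys, timeout, action, pos = [], None, 0, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        atype, value = packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype = struct.unpack("!IB", value[:5])
            if vendor == MS_VENDOR_ID and vtype in MPPE_NAMES:
                keys.append(MPPE_NAMES[vtype])
        elif atype == SESSION_TIMEOUT and len(value) == 4:
            timeout = struct.unpack("!I", value)[0]
        elif atype == TERMINATION_ACTION and len(value) == 4:
            action = struct.unpack("!I", value)[0]
        pos += packet[pos + 1]
    if timeout is None:
        on_timeout = "no timer: keys stay until the session ends"
    else:   # Termination-Action 1 = RADIUS-Request (RFC 3580)
        on_timeout = "re-authenticate" if action == 1 else "terminate session"
    return {"mppe_keys": keys, "session_timeout": timeout, "on_timeout": on_timeout}
```
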
