Srinu Bandari wrote:
> EAP key identifier must be sent as a part of Access-Accept message in EAP
> Key-Name AVP (Radius Attribute Type 102).

Sure. But it's been hard to find out what is put *into* it. That link has been missing.

> This is what Cisco Documentation states:
>
> "The switch has no visibility into the details of the EAP session between the
> supplicant and the authentication server, so it cannot derive the MSK or the
> CAK directly. Instead, the switch receives the CAK from the authentication
> server in the Access-Accept message at the end of the IEEE 802.1X
> authentication. The CAK is delivered in the RADIUS vendor-specific attributes
> (VSAs) MS-MPPE-Send-Key and MS-MPPE-Recv-Key. Along with the CAK, the
> authentication server sends an EAP key identifier that is derived from the
> EAP exchange and is delivered to the authenticator in the EAP Key-Name
> attribute of the Access-Accept message."
>
> From 802.1X:
> The EAP Session-Id for EAP-TLS is specified in IETF RFC 5216, and IETF RFC
> 5247 and IETF RFC 4072 define the RADIUS EAP-Key-Name Attribute (Type 102)
> used to convey the EAP Session-Id.

OK.

> So, we need to send the Session-ID value as the EAP Key-Name AVP (Radius Attribute
> Type 102) as part of the Access-Accept message.

That's not clear to me from the above description. But if it works...

We'll be releasing 2.2.1 shortly. I think this change can go into it.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
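As an added illustration of what goes *into* the attribute (example code written for this page, not code from the thread or from FreeRADIUS), the following Python builds the EAP-TLS Session-Id per RFC 5216 section 5.1 (0x0D || client.random || server.random) and wraps it as RADIUS attribute Type 102, with a decoder that validates the length field before trusting it. The TLS random values are constructed samples, not captured traffic.

```python
import os
import struct
from typing import Tuple

EAP_TYPE_TLS = 0x0D              # EAP method type 13 = EAP-TLS (RFC 5216)
RADIUS_ATTR_EAP_KEY_NAME = 102   # EAP-Key-Name, RFC 4072
RADIUS_ATTR_MAX_VALUE = 253      # 255 max attribute length minus 2 header bytes


def eap_tls_session_id(client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5216 5.1: Session-Id = 0x0D || client.random || server.random (65 bytes)."""
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("TLS randoms must be 32 bytes each")
    return bytes([EAP_TYPE_TLS]) + client_random + server_random


def encode_radius_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value(n), per RFC 2865."""
    if not value or len(value) > RADIUS_ATTR_MAX_VALUE:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_radius_attribute(data: bytes) -> Tuple[int, bytes]:
    """Parse one TLV, checking the Length octet against the buffer actually received."""
    if len(data) < 3:
        raise ValueError("attribute too short")
    attr_type, length = struct.unpack("!BB", data[:2])
    if length < 3 or length > len(data):
        raise ValueError("bad attribute length")
    return attr_type, data[2:length]


def build_eap_key_name(client_random: bytes, server_random: bytes) -> bytes:
    """The Access-Accept attribute that names the key material (MSK/CAK) for the authenticator."""
    session_id = eap_tls_session_id(client_random, server_random)
    return encode_radius_attribute(RADIUS_ATTR_EAP_KEY_NAME, session_id)


if __name__ == "__main__":
    # Constructed sample randoms; a real server takes them from the TLS handshake it ran.
    c_rand, s_rand = os.urandom(32), os.urandom(32)
    attr = build_eap_key_name(c_rand, s_rand)
    attr_type, sid = decode_radius_attribute(attr)
    print(f"attribute type {attr_type}, Session-Id {len(sid)} bytes: {sid.hex()}")
```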