How to catch the MSK (Master Session Key) from Wpa_supplicant?

Jouni Malinen j at w1.fi
Sun Apr 13 06:01:02 EDT 2008


On Sat, Apr 12, 2008 at 12:43:21PM -0300, Douglas Diniz wrote:

> I have four computers. At the first computer I have the Freeradius server.
> The second computer is connected to freeradius by ethernet, and this
> computer has Hostap. The third computer is connected with hostap by wireless
> and only pass through the packets to and from the fourth computer, where is
> the wpa supplicant.

I'm not completely sure what you are referring to with "hostap" here.
The Host AP driver? hostapd?

> I'm using TTLS/MSCHAPv2 to authenticate, and everything is ok. After
> authentication, the freeradius send the msk to hostap within the
> access-accept. The problem is that i need to configure the wpa supplicant to
> send the msk to the third computer, because the second and third computers
> will use the msk in the next phase of my setup.

What would be the next phase here? It sounds like you are splitting the
client functionality into two separate devices. However, if you are
using normal IEEE 802.1X or WPA encryption, the "next phase" would
likely be key derivation/configuration for data frame encryption and
this could be done between the authenticator and wpa_supplicant. The end
result of this would be the encryption keys for data frames, not MSK. If
you are doing something more than just splitting the client
functionality, please describe what you are going to be doing with MSK
on the third computer.

> This is possible? Wpa supplicant can send the msk? If dont, there is another
> supplicant that can do that?

This is not standard functionality, so you would likely need to change
something in the source code. Unless you really need MSK separated, I
would first consider configuring the data encryption keys instead of
exporting MSK. Anyway, the cleanest way of doing this would likely be to
implement a custom driver wrapper for this type of split functionality.
Instead of configuring a local kernel driver, this wrapper would send
the commands to the external device ("third computer" in your example).

The set_key() handler in struct wpa_driver_ops would need to send the
key(s). In the current 0.6.x branch, there is option for the driver
wrapper to configure PMK to the driver (this would be MSK in case of
WPA-Enterprise) if the driver wrapper specifies
WPA_DRIVER_FLAGS_4WAY_HANDSHAKE in the capabilities (flags field).

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list