How to catch the MSK (Master Session Key) from Wpa_supplicant?

Jouni Malinen j at
Mon Apr 14 14:24:59 EDT 2008

On Mon, Apr 14, 2008 at 02:57:41PM -0300, Douglas Diniz wrote:

> Between Freeradius and Bs, and wpa supplicant and Ss, the interface is
> ethernet. When Ss receives an eapol packet from wpa supplicant I send the raw
> eap packet as a payload inside a specific message that the Ss software will
> handle and send to Bs.
> When Bs receives this message, the Bs software will send this raw eap
> payload to me, and I will send it to freeradius over a Radius Message.

This ethernet interface between SS and wpa_supplicant sounds like a vendor
specific design. Is that correct or is it based on some standard? I
don't know what resulted in that kind of design (i.e., separation of EAP
peer from SS into a separate device), but if that is indeed the best
choice for the product, use of EAPOL frames sounds like a suitable
mechanism here. This is just something that I would not have first
expected from a WiMax product ;-).

> At the end of authentication, I must use the Msk as I said. The Bs and Ss
> software is already implemented to process the Msk. My job finishes when I
> send the msk to Bs and SS.
> The manufacturer of the Bs/Ss software has this scenario implemented, and I'm
> in contact to discover how they send the msk to Bs/Ss.

OK. It sounds like the SS <-> supplicant interface is indeed vendor
specific and as such, so would be the MSK delivery mechanism. I'm
assuming the ethernet interface here is considered secure (e.g., it is
just using a cross-over cable inside the box and without any external
access). If not, the MSK delivery mechanism would need to be encrypted
with something.

Jouni Malinen                                            PGP id EFC895FA
