
I'm in the process of implementing 802.1x WPA2 Enterprise Authentication using FreeRadius and EAP-TLS (Mutual TLS Cert Based Auth).

I am keen to understand how the actual protocols work together and how they keep our WiFi network safe.

I understand the basics of Cert-based auth, using pub/priv keys. I also know that in regular HTTPS, a session key is created by the client, and sent to the server, however EAP-TLS doesn't seem to work like this.

I am looking at this diagram: http://tldp.org/HOWTO/8021X-HOWTO/images/8021X-KeyManagement.png

My understanding (after reading the above diagram) is that after TLS auth is successful, the FreeRadius server will generate a Master Key, and then derive a Pairwise Master Key (PMK). It will then somehow send the PMK to both the Client Supplicant and the Access Point, and then they will use the PMK to generate other session keys to encrypt the actual data.

However, after doing some tcpdumps on both my laptop and the FreeRadius server, I do not see any keys being sent or received, apart from the following. In the capture from the FreeRadius server, inside the final Access-Accept packet being sent to the AP, I see MPPE-Send and MPPE-Recv keys, which is weird, as I'm not using MSCHAPv2.

On the client (laptop) side capture, I do not see anything between the final EAP Success (that is basically empty) and the start of the 4-way WPA2 handshake (at which point the PMK must be known).


So my question is, where is the PMK being sent from FreeRadius to the AP and Client?

Thanks!

user140024
  • The image you shared says that the PMK is derived from the MK, not sent, you just answered yourself. – Azteca Feb 21 '17 at 18:18
  • You are correct wrt the Client. Apparently, the PMK is sent to the AP, though. My question should really be, "Where is the MK sent to the client, and where is the PMK sent to the AP?". – user140024 Feb 21 '17 at 18:21
  • I think it's a problem of the diagram... the key is generated by both server and client from the certificates previously installed, and from this a tunnel is generated from the client to the server, made possible by the AP of course, but it's a tunnel, so the AP can't see any of this. – Azteca Feb 21 '17 at 18:25
  • And do you think the MK is sent to the client inside this tunnel? However, what about the PMK->AP? The AP needs to know the PMK so it can do data encryption. – user140024 Feb 21 '17 at 18:33

2 Answers

Here is another diagram from Layer3 (image: Layer3 EAP-TLS diagram).

So... the server sends its certificate to the client to validate its identity, and the client does the same; after this comes any other inner authentication protocol, if required.

The MSK (Master Session Key) is derived from the TLS Master Secret via a one-way function. It is from this MSK that the PMK is generated.

The MSK is divided in half: the first half, called the Peer (STA/Client/Supplicant) to Authenticator Encryption Key (32 octets), is the PMK or Enc-RECV-Key, and the second half is the Authenticator to Peer (STA/Client/Supplicant) Encryption Key (also 32 octets) or Enc-SEND-Key.

Azteca
  • Thank you, but I'm sorry, this does not answer my question. The "WPA Key Management" in the above diagram will only work if it knows the MK (thus able to derive the PMK), or if it has the PMK itself. The diagram does not address the issue of how does the AP get the PMK. – user140024 Feb 21 '17 at 18:47
  • @user140024 The MPPE-RECV is the PMK, let me edit the answer to add more detail. – Azteca Feb 21 '17 at 23:06
  • Thanks. This raises 2 questions for me: Why are the fields called MPPE (implying Microsoft), and secondly, how is this key sent securely to the Peer? I didn't see it come through in the tcpdump I took on the laptop. – user140024 Feb 22 '17 at 12:10
  • They're called MPPE because it's defined like that in its [RFC2548](https://tools.ietf.org/html/rfc2548), and the key is not sent; I just said it's derived from the master_secret, which is exported by the EAP method. Try creating another question, or edit/reformulate your last question; this format of Q&A in the comments is not fit for the site. We're not helping anybody but you. – Azteca Feb 22 '17 at 17:34
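The answer above and the comment thread together describe the whole path of the PMK: supplicant and RADIUS server each derive the MSK from the TLS master secret, the first 32 octets are the PMK (Enc-RECV-Key), and the server hands that half to the AP as the MS-MPPE-Recv-Key attribute of the Access-Accept, which is exactly what the question's server-side capture showed. The script below is an added example (not code from either answer, from the Layer3 diagram or from FreeRADIUS) that walks through those steps in Python: the TLS 1.2 PRF (RFC 5246, P_SHA256), the EAP-TLS derivation with the "client EAP encryption" label (RFC 5216, section 2.3), the MSK split, and the RFC 2548 salted MD5 encoding the AP decrypts with the RADIUS shared secret. It assumes TLS 1.2; the function names, the master secret, randoms, shared secret and Request Authenticator are all constructed sample values, not captured data.

```python
"""Added example: how the PMK reaches the AP in EAP-TLS (not from the page's answers).

Assumptions: TLS 1.2 (P_SHA256 PRF). All key material below is constructed
sample data, not a capture. Function names are this example's own.
"""
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256 expansion (RFC 5246, section 5)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()           # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label || seed)."""
    return p_sha256(secret, label + seed, length)


def eap_tls_keys(master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """EAP-TLS key derivation (RFC 5216, section 2.3).

    Supplicant and RADIUS server both run this on TLS state they already
    share, so the MSK/PMK never has to travel over the air.
    """
    key_material = tls12_prf(master_secret, b"client EAP encryption",
                             client_random + server_random, 128)
    msk = key_material[:64]
    return {
        "MSK": msk,
        "EMSK": key_material[64:128],
        "Enc-RECV-Key": msk[:32],    # Peer -> Authenticator key = MS-MPPE-Recv-Key = PMK
        "Enc-SEND-Key": msk[32:64],  # Authenticator -> Peer key = MS-MPPE-Send-Key
    }


def mppe_key_encrypt(key: bytes, radius_secret: bytes, request_authenticator: bytes, salt: bytes) -> bytes:
    """Encode a key as an MS-MPPE-*-Key attribute value (RFC 2548, sections 2.4.2/2.4.3)."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")
    plaintext = bytes([len(key)]) + key
    plaintext += b"\x00" * (-len(plaintext) % 16)  # pad to a multiple of 16 octets
    out = b""
    prev = request_authenticator + salt             # b(1) = MD5(S + R + A)
    for i in range(0, len(plaintext), 16):
        b = hashlib.md5(radius_secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(plaintext[i:i + 16], b))
        out += c
        prev = c                                    # b(i) = MD5(S + c(i-1))
    return salt + out


def mppe_key_decrypt(value: bytes, radius_secret: bytes, request_authenticator: bytes) -> bytes:
    """What the AP does with the attribute it finds in the Access-Accept."""
    salt, ciphertext = value[:2], value[2:]
    prev = request_authenticator + salt
    plaintext = b""
    for i in range(0, len(ciphertext), 16):
        c = ciphertext[i:i + 16]
        b = hashlib.md5(radius_secret + prev).digest()
        plaintext += bytes(x ^ k for x, k in zip(c, b))
        prev = c
    return plaintext[1:1 + plaintext[0]]  # first octet is the key length


# Constructed sample values (not taken from any capture on the page).
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32
RADIUS_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))  # copied from the Access-Request by the server


def walk_through() -> dict:
    """Both sides derive; the server ships only the PMK half to the AP."""
    server_keys = eap_tls_keys(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    supplicant_keys = eap_tls_keys(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    recv_attr = mppe_key_encrypt(server_keys["Enc-RECV-Key"], RADIUS_SECRET, REQUEST_AUTHENTICATOR, b"\x80\x01")
    send_attr = mppe_key_encrypt(server_keys["Enc-SEND-Key"], RADIUS_SECRET, REQUEST_AUTHENTICATOR, b"\x80\x02")
    ap_pmk = mppe_key_decrypt(recv_attr, RADIUS_SECRET, REQUEST_AUTHENTICATOR)
    return {
        "supplicant_pmk": supplicant_keys["Enc-RECV-Key"],
        "ap_pmk": ap_pmk,
        "ms_mppe_recv_key_attr": recv_attr,
        "ms_mppe_send_key_attr": send_attr,
    }


if __name__ == "__main__":
    r = walk_through()
    print("PMK agreed by supplicant and AP:", r["supplicant_pmk"] == r["ap_pmk"])
    print("MS-MPPE-Recv-Key attribute value:", r["ms_mppe_recv_key_attr"].hex())
```

Running it shows why the laptop-side capture is empty between EAP Success and the 4-way handshake: the supplicant computes the PMK itself. The only place the PMK crosses a link is the RADIUS server to AP leg, where its confidentiality rests entirely on the RFC 2548 MD5 chaining keyed by the RADIUS shared secret, which is why that secret (and the network path the Access-Accept takes) deserves the same care as the certificates.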

The MK is generated from the password, done separately by the supplicant (client) and the Radius server.
Then the PMK is derived by the client and the Radius server separately. The Radius server sends the PMK over the wire to the AP.

user177701 (edited by S.L. Barth)
  • Welcome to Information Security Stack Exchange! I have edited your answer. This may seem blunt, but on this site, we strive to have the highest possible signal-to-noise ratio. Everything that isn't related to the answer, is removed from the answer. This may feel a little weird, but you'll get used to it. Welcome to the site, and enjoy your stay! – S.L. Barth May 09 '18 at 09:52
  • I read that MK generated from TLS Master Key. – eri Feb 16 '20 at 23:01