Re: 802.1x Problems


From: Lei chuanhua (ch_lei_at_powermatic.com.sg)
Date: 2002-10-11 11:06:43 UTC


Thanks Caron and Jouni,

     You make me understand very clearly about 802.1x implementation using per-client key or keymapping method. However, I have asked agere system technical manager and he said that their AP 2000(now belongs to proxim) indeed always used the same key. He confirmed that agere cards/ orinoco cards don't support keymapping or host-encryption. Now I have another question.
     If Orinoco used the two methods you described, it should be difficult to implement 802.1x using orinoco cards. However, they indeed implemented 802.1x long time ago.
    Method 1(key pair), at the end of authentication success, AS sever will send a key pair to AP and station. AP will encrypt its WEP keys with key pair from AS server, at the same time, it will keep the encrypted WEP key in its station list(Hostap should be this case). Apparently, every station should have a different key.     Method 2 (Cisco??) Even if AP and station both use the key that AS server sent, however every station should also have a different key.     The fact is that AP 2000 can only send the same key. How can Orinoco implement 802.1x in AP 2000? It should be contradictory.     I can't understand why AP2000 can implenment 802.1x if their technical manager told me the truth.     I hope that I can get some lights from you in principle at least.
     Thanks once time.
                                   hualab 

On Thu, Oct 10, 2002 at 09:18:18AM +0200, Jacques Caron wrote:

>> This is one option, but it is also possible for the AP (and client) to use
>> the session key derived from the EAP method directly. This is indicated by
>> an empty key field in the EAPOL-Key message. Cisco APs for instance use
>> that key as unicast key, and send the encrypted broadcast key (either
>> station or generated in case of broadcast key rotation).

Yes, that's true. I had already forgotten that option since I implemented only the method in which the AP generates the keys. Adding support for this AS-generated key use would be simple, so I might add it as an option. I would prefer the option in which AP takes care of WEP keys, but using AS-generated keys might be useful for AP devices that do not have any reliable source for generating random numbers.

--

Jouni Malinen                                            PGP id EFC895FA


This archive was generated by hypermail 2.1.4.