From: Jacques Caron (Jacques.Caron_at_IPsector.com)
Date: 2002-10-10 07:18:18 UTC
At 06:13 10/10/2002, Jouni Malinen wrote:
>On Wed, Oct 09, 2002 at 07:17:43PM +0800, Lei chuanhua wrote:
> > 2. Unicast packets. 802.1x supplicant will be authenticated to
> radius server via AP. if success, supplicant will get one WEP key. At the
> same time, Radius server will send one same WEP key copy to AP. So if
> there are many 802.1x supplicants, AP will keep every supplicant WEP key
> for encryption and decryption. HostAP will do it easily because it use
> host encryption and can receive and transmit mulitple keys.
>Authentication server (usually RADIUS server) does not generate or send
>WEP keys. It sends a key pair both to station and AP. After this, AP
>generates the WEP keys and delivers the needed keys to the station
>encrypted with the keys from authentication server. Other than this
>detail, you description is correct.
This is one option, but it is also possible for the AP (and client) to use the session key derived from the EAP method directly. This is indicated by an empty key field in the EAPOL-Key message. Cisco APs for instance use that key as unicast key, and send the encrypted broadcast key (either station or generated in case of broadcast key rotation).
Whether this is a good idea or not and will stay like that or not might be open to debate, though (don't remember if 802.11i changed this).