Use of EAP-Key-Name attribute

umahar
Cisco Employee

Hi Experts,

How does ISE use the AVP EAP-Key-Name sent by the switch ?

It's explained here that it contains the EAP-Session-ID. Does ISE use this to track EAP sessions? I've seen various packet captures, but this field is never populated.

Accepted Solution

hslai
Cisco Employee

It does not appear to be used.

Section 5.9, Key Naming, in RFC 5247 - Extensible Authentication Protocol (EAP) Key Management Framework states:

...
Existing AAA server implementations do not distribute key names along with the transported keying material. However, Diameter EAP [RFC4072] Section 4.1.4 defines the EAP-Key-Name AVP for the purpose of transporting the EAP Session-Id. Since the EAP-Key-Name AVP is defined within the RADIUS attribute space, it can be used either with RADIUS or Diameter.

Since the authenticator is not provided with the name of the transported keying material by existing backend authentication server implementations, existing Secure Association Protocols do not utilize EAP key names. For example, [IEEE-802.11] supports PMK caching; to enable the peer and authenticator to determine the cached PMK to utilize within the 4-way handshake, the PMK needs to be named. For this purpose, [IEEE-802.11] utilizes a PMK naming scheme that is based on the key. Since IKEv2 [RFC4306] does not cache transported keying material, it does not need to refer to transported keying material.
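A quick way to confirm what the captures in the question show is to walk the RADIUS attribute list and look for EAP-Key-Name (RADIUS attribute type 102, the code RFC 4072 assigns) and decode its EAP Session-Id prefix. This is an added example, not code from the thread or from ISE; the Access-Accept packets and the EAP-TLS Session-Id (0x0D followed by client and server randoms, per RFC 5216) are constructed here.

```python
import struct

EAP_KEY_NAME = 102  # RADIUS attribute type for EAP-Key-Name (RFC 4072 sec. 4.1.4)
# EAP method type codes that prefix an EAP Session-Id (RFC 5247 sec. 1.4)
EAP_TYPE_NAMES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}


def parse_radius_attributes(packet: bytes):
    """Walk the attribute TLVs after the 20-byte RADIUS header.
    Returns a list of (type, value) tuples; raises ValueError on bad lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} != packet size {len(packet)}")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def eap_session_id(packet: bytes):
    """Return (eap_method_name, session_id_hex) when EAP-Key-Name is present, else None."""
    for atype, value in parse_radius_attributes(packet):
        if atype == EAP_KEY_NAME and value:
            return EAP_TYPE_NAMES.get(value[0], f"type {value[0]}"), value.hex()
    return None


def build_access_accept(attrs):
    """Build a RADIUS Access-Accept (code 2) with a zeroed authenticator; test helper only."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body


# Constructed EAP-TLS Session-Id: 0x0D || client.random || server.random (65 bytes)
SESSION_ID = bytes([0x0D]) + bytes(range(32)) + bytes(range(32, 64))
WITH_KEY_NAME = build_access_accept([(1, b"alice"), (EAP_KEY_NAME, SESSION_ID)])
WITHOUT_KEY_NAME = build_access_accept([(1, b"alice")])  # what the captures in the question show

if __name__ == "__main__":
    print(eap_session_id(WITH_KEY_NAME))     # ('EAP-TLS', '0d0001...')
    print(eap_session_id(WITHOUT_KEY_NAME))  # None
```

Point `parse_radius_attributes` at the RADIUS payload bytes exported from a capture (without the UDP header) to check a real Access-Accept the same way.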
