EAP PAX provides strong encryption and mutual authentication
between supplicant and server based on a per-user Authentication Key (AK).
It is described in RFC 4746. Based on the per-user AK, the server and
supplicant derive strong cryptographic keys and authenticate each others
knowledge of the AK. The derived keys can be used for dynamic WEP and WPA
keys.
The AK is required to be configured into the per-user data in
the Radiator user database, and also into each user’s EAP-PAX supplicant
configuration. The AK is required to be 16 bytes. It can be specified in a
Radiator user database as 32 hex digits:
pskuser User-Password=1234567890123456789012345678901
EAP
PAX can be used with any Radiator user database that supports a plaintext
User-Password
.