17.13. EAP PSK

EAP PSK provides strong encryption and mutual authentication between supplicant and server based on a per-user Pre-Shared-Key (PSK). It is described in RFC 4764. Based on the per-user PSK, the server and supplicant derive strong cryptographic keys and authenticate each other's knowledge of the PSK. The derived keys can be used for dynamic WEP and WPA keys.
The PSK is required to be configured into the per-user data in the Radiator user database, and also into each user’s EAP-PSK supplicant configuration. The PSK is required to be 16 bytes. It can be specified in a Radiator user database as 32 hex digits:
pskuser     User-Password=12345678901234567890123456789012
If the User-Password does not appear to be 32 hex digits, it will be regarded as a plaintext password, and will be converted into a PSK using the algorithm described in RFC 4764. The conversion to a PSK depends on the plaintext password and the server and supplicant IDs. Use of such plaintext passwords is discouraged by RFC 4764 (because the PSK then becomes vulnerable to dictionary attacks) and is not supported by all EAP PSK supplicants. We also discourage use of such plaintext passwords.
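An added example, not part of the Radiator documentation or code: a Python check over flat-file user entries that reports which User-Password values are 32 hex digits and which would fall back to plaintext password handling, including all-hex values of the wrong length that are probably mistyped PSKs. It assumes the single-line entry form shown above and that "32 hex digits" means exactly 32 characters from 0-9, a-f or A-F; the names classify, audit and new_psk are hypothetical.

```python
import re
import secrets

# Assumption: a value counts as a PSK only if it is exactly 32 hex digits.
HEX_PSK = re.compile(r"[0-9A-Fa-f]{32}")
# Single-line entry form shown above; lines starting with '#' are skipped.
ENTRY = re.compile(r"^([^#\s]\S*)\s+User-Password=(\S+)")


def classify(value):
    """Return 'psk', 'near-miss' or 'password' for a User-Password value."""
    if HEX_PSK.fullmatch(value):
        return "psk"
    # All hex but the wrong length: most likely a mistyped PSK that would
    # be handled as a plaintext password instead of a 16-byte key.
    if re.fullmatch(r"[0-9A-Fa-f]{24,40}", value):
        return "near-miss"
    return "password"


def audit(text):
    """Return (line_no, user, verdict) for each user entry in the text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line)
        if m:
            findings.append((no, m.group(1), classify(m.group(2))))
    return findings


def new_psk():
    """Generate a random 16-byte PSK written as 32 hex digits."""
    return secrets.token_hex(16)


# Constructed sample entries (not from a real deployment).
SAMPLE = """\
alice   User-Password=00112233445566778899aabbccddeeff
bob     User-Password=00112233445566778899aabbccddeef
carol   User-Password=correct-horse-battery
"""

if __name__ == "__main__":
    for no, user, verdict in audit(SAMPLE):
        print(f"line {no}: {user}: {verdict}")
    print("fresh PSK:", new_psk())
```

Entries reported as near-miss or password are the ones to review, since both end up on the discouraged plaintext conversion path.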
EAP PSK can be used with any Radiator user database that supports a plaintext User-Password. It requires Crypt::Rijndael and Digest::HMAC_SHA1, both of which are available from CPAN. For more information, see Section 2.1.2. CPAN.