17.12. EAP PAX

EAP PAX provides strong encryption and mutual authentication between supplicant and server based on a per-user Authentication Key (AK). It is described in RFC 4746. Based on the per-user AK, the server and supplicant derive strong cryptographic keys and authenticate each other's knowledge of the AK. The derived keys can be used for dynamic WEP and WPA keys.
The AK must be configured in the per-user data in the Radiator user database and in each user's EAP-PAX supplicant configuration. The AK must be 16 bytes. It can be specified in a Radiator user database as 32 hex digits:
pskuser     User-Password=12345678901234567890123456789012
EAP PAX can be used with any Radiator user database that supports a plaintext User-Password. It requires Crypt::Rijndael and Digest::HMAC_SHA1. Both are available from CPAN. For more information, see Section 2.1.2. CPAN.
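The following is an added example, not Radiator's own code: it checks that an AK is exactly 32 hex digits (16 bytes) and then derives session keys from it using the PAX-KDF construction of RFC 4746 (HMAC-SHA1 truncated to 128 bits) for the PAX_STD case. The function names, the sample AK and the random values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import re

AK_RE = re.compile(r"[0-9A-Fa-f]{32}")  # 32 hex digits = 16 bytes


def parse_ak(hex_ak: str) -> bytes:
    """Return the 16-byte AK, or raise ValueError if it is not 32 hex digits."""
    if not AK_RE.fullmatch(hex_ak):
        raise ValueError(f"AK must be exactly 32 hex digits, got {len(hex_ak)} characters")
    return bytes.fromhex(hex_ak)


def pax_kdf(key: bytes, identifier: bytes, entropy: bytes, out_len: int) -> bytes:
    """PAX-KDF: concatenate HMAC-SHA1-128(key, identifier || entropy || i)
    for i = 1, 2, ... and keep the first out_len octets."""
    blocks = (out_len + 15) // 16
    out = b""
    for i in range(1, blocks + 1):
        mac = hmac.new(key, identifier + entropy + bytes([i]), hashlib.sha1).digest()
        out += mac[:16]  # HMAC-SHA1-128 is the first 16 octets of HMAC-SHA1
    return out[:out_len]


def derive_keys(hex_ak: str, server_rand: bytes, client_rand: bytes) -> dict:
    """Derive PAX keys from the AK and the 32-byte random value of each side."""
    ak = parse_ak(hex_ak)
    if len(server_rand) != 32 or len(client_rand) != 32:
        raise ValueError("each side contributes 32 random bytes")
    e = server_rand + client_rand  # exchanged entropy E = A || B
    mk = pax_kdf(ak, b"Master Key", e, 16)
    return {
        "CK": pax_kdf(mk, b"Confirmation Key", e, 16),
        "ICK": pax_kdf(mk, b"Integrity Check Key", e, 16),
        "MSK": pax_kdf(mk, b"Master Session Key", e, 64),
    }


if __name__ == "__main__":
    # Constructed sample AK and randoms, not values from any real deployment.
    keys = derive_keys("00112233445566778899aabbccddeeff", os.urandom(32), os.urandom(32))
    for name, value in keys.items():
        print(name, value.hex())
```

An AK that is one digit short or contains a non-hex character is rejected before any key is derived, which is the same mismatch that makes supplicant and server fail to authenticate each other.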