RE: Re: EAP Key Binding
From: Bernard Aboba (abobainternaut.com)
Date: Wed, 20 Apr 2005 18:46:33 -0400 (EDT)
> The centralized model encourages AC implementations to use one PMK
> for many different WTPs. This practice facilitates speedy transition
> by a station from one WTP to another WTP that is connected to the same
> AC without establishing a separate PMK.  However, this leaves the station
> in a difficult position.  The station cannot distinguish between
> a compromised PMK and one that is intentionally being shared. This
> issue must be resolved, but the resolution is beyond the scope of the
> CAPWAP working group.

Not only is it beyond the scope of the CAPWAP WG, but it's beyond the EAP
WG scope, too.  For the purposes of EAP and AAA, the key is provided to a
given NAS, no matter how many ports it has.  The way to fix this is to
have the authenticator advertise the NAS-ID and confirm this securely
between the peer and authenticator in the Secure Association Protocol (and
perhaps between the EAP peer and server too, via channel bindings).  EAP
and AAA already enable this, so it's up to the lower layer to implement it
correctly.

> So, the issue is about binding PMK to NAS ports (WTPs in this case).
> Unless the NAS explicitly informs the host about the list of ports, how
> can this be handled? I think this is an issue for the EAP lower layer to
> handle.

The NAS doesn't have to inform the host of the list of ports, it just has
to provide the host with the same NAS-ID that it provides to the AAA
server.  You are correct that it is a lower layer issue.
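The binding described in this message (the authenticator advertises the same NAS-ID it gives the AAA server, the EAP peer checks that identity with the server via channel bindings, and the lower layer confirms it in the Secure Association Protocol) as an added toy model in Python. This is not code from the thread, from the CAPWAP or EAP drafts, or from any 802.11i or AAA implementation; the PRF, the message shapes, the channel-binding check, the NAS-IDs "ac-1", "ac-2" and "ac-9" and the peer credential are all constructed assumptions chosen only to show the binding logic.

```python
"""Toy model of binding a PMK to a NAS-ID (constructed example).

Not code from the EAP/CAPWAP drafts, 802.11i or any AAA stack: the PRF,
message formats and channel-binding exchange are simplified stand-ins
(assumptions) for EAP method channel bindings, the RADIUS NAS-Identifier
attribute and the 802.11i 4-way handshake.
"""
import hashlib
import hmac
import secrets


def prf(key: bytes, label: str, *parts: bytes) -> bytes:
    """HMAC-SHA256 derivation with length-prefixed inputs (assumed PRF)."""
    data = label.encode()
    for p in parts:
        data += len(p).to_bytes(2, "big") + p
    return hmac.new(key, data, hashlib.sha256).digest()


class Peer:
    """EAP peer / station. Caches each PMK under the NAS-ID it was bound to."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.advertised_nas_id = None   # NAS-ID the lower layer showed us
        self.pmksa = {}                 # NAS-ID -> PMK

    def hear_nas_id(self, nas_id: str):
        self.advertised_nas_id = nas_id

    def channel_binding(self, server_nonce: bytes):
        """Report the advertised NAS-ID to the EAP server, keyed under the MSK."""
        self.msk = prf(self.secret, "MSK", server_nonce)
        nid = self.advertised_nas_id
        return nid, prf(self.msk, "CB", nid.encode())

    def eap_success(self):
        """EAP-Success: derive the PMK and bind it to the confirmed NAS-ID."""
        self.pmksa[self.advertised_nas_id] = prf(self.msk, "PMK")

    def run_sap(self, nas) -> str:
        """Secure Association Protocol: reuse a cached PMK only for its NAS-ID."""
        nas_id, anonce = nas.sap_message1()
        pmk = self.pmksa.get(nas_id)
        if pmk is None:
            return "no PMKSA for this NAS-ID: full EAP required"
        snonce = secrets.token_bytes(16)
        kck = prf(pmk, "KCK", nas_id.encode(), anonce, snonce)
        mic = prf(kck, "MIC", nas_id.encode(), anonce, snonce)
        return "ok" if nas.sap_message2(snonce, mic) else "key confirmation failed"


class EAPServer:
    def __init__(self, peer_secret: bytes):
        self.peer_secret = peer_secret

    def authenticate(self, peer: Peer, aaa_nas_identifier: str):
        """AAA request from a NAS calling itself `aaa_nas_identifier`.
        Returns the PMK to hand to that NAS, or None if channel binding fails."""
        server_nonce = secrets.token_bytes(16)
        msk = prf(self.peer_secret, "MSK", server_nonce)
        claimed, tag = peer.channel_binding(server_nonce)
        tag_ok = hmac.compare_digest(tag, prf(msk, "CB", claimed.encode()))
        if not tag_ok or claimed != aaa_nas_identifier:
            return None     # lower layer and AAA disagree about who the NAS is
        peer.eap_success()
        return prf(msk, "PMK")


class NAS:
    """An authenticator (here the AC); its WTPs are ports sharing one PMK."""

    def __init__(self, nas_id: str, pmk: bytes = None):
        self.nas_id, self.pmk = nas_id, pmk

    def sap_message1(self):
        self.anonce = secrets.token_bytes(16)
        return self.nas_id, self.anonce     # advertise NAS-ID with the nonce

    def sap_message2(self, snonce: bytes, mic: bytes) -> bool:
        if self.pmk is None:
            return False
        kck = prf(self.pmk, "KCK", self.nas_id.encode(), self.anonce, snonce)
        expected = prf(kck, "MIC", self.nas_id.encode(), self.anonce, snonce)
        return hmac.compare_digest(mic, expected)


def demo() -> dict:
    secret = b"constructed long-term peer credential"
    peer, server = Peer(secret), EAPServer(secret)

    # Full EAP through WTP 1 of AC "ac-1": the advertised NAS-ID and the AAA
    # NAS-Identifier agree, so channel binding passes and the AC gets the PMK,
    # which it then shares with all of its WTPs.
    peer.hear_nas_id("ac-1")
    pmk = server.authenticate(peer, aaa_nas_identifier="ac-1")
    wtp2 = NAS("ac-1", pmk)

    # A NAS that advertises "ac-1" over the air but tells AAA it is "ac-9".
    peer2 = Peer(secret)
    peer2.hear_nas_id("ac-1")

    return {
        "transition_same_nas": peer.run_sap(wtp2),              # intended sharing
        "other_nas_same_pmk": peer.run_sap(NAS("ac-2", pmk)),   # refused: rerun EAP
        "same_nas_id_no_pmk": peer.run_sap(NAS("ac-1")),        # MIC fails
        "holder_claiming_ac-1": peer.run_sap(NAS("ac-1", pmk)), # indistinguishable
        "channel_binding_mismatch": server.authenticate(peer2, "ac-9"),
    }
```

The peer stores the PMK under the NAS-ID that the server confirmed, so a fast transition to another WTP advertising the same NAS-ID succeeds, while a NAS advertising a different NAS-ID cannot reuse the cached PMK even if it somehow holds it, and a NAS advertising the right NAS-ID without the key fails key confirmation. The fourth case is the limit the message states: anything that holds the PMK and claims the NAS-ID it was issued to looks like one more port of that NAS, because EAP and AAA bind the key to the NAS, not to individual WTPs.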
