EAP PSK provides strong encryption and mutual authentication
between supplicant and server based on a per-user Pre-Shared-Key (PSK). It
is described in RFC 4764. Based on the per-user PSK, the server and
supplicant derive strong cryptographic keys and authenticate each other's
knowledge of the PSK. The derived keys can be used for dynamic WEP and WPA
keys.
The PSK is required to be configured into the per-user data in
the Radiator user database, and also into each user’s EAP-PSK supplicant
configuration. The PSK is required to be 16 bytes. It can be specified in
a Radiator user database as 32 hex digits:

pskuser User-Password=12345678901234567890123456789012

If the User-Password does not appear to be 32 hex digits, it will be regarded
as a plaintext password, and will be converted into a PSK using the
algorithm described in RFC 4764. The conversion to a PSK depends on the
plaintext password and the server and supplicant IDs. Use of such
plaintext passwords is discouraged by RFC 4764 (because the PSK then
becomes vulnerable to dictionary attacks) and is not supported by all EAP
PSK supplicants. We also discourage use of such plaintext
passwords.
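
An added example (not part of the Radiator documentation or code): a Python check over a flat users file that reports which User-Password values are 32 hex digits and which would fall back to the plaintext-password conversion described above. The simplified entry format, the exact hex test, the function names and the sample entries are assumptions constructed for illustration.

```python
import re
import secrets

# Assumption: "32 hex digits" means exactly 32 characters from 0-9, a-f, A-F.
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")
# Simplified check item: User-Password=value or User-Password="quoted value".
PASSWORD = re.compile(r'(?<![\w-])User-Password\s*=\s*(?:"([^"]*)"|([^,\s]+))')

def classify(value):
    """Say how a User-Password value is handled per the description above."""
    if HEX32.fullmatch(value):
        return "psk"
    if re.fullmatch(r"[0-9A-Fa-f]+", value):
        # All hex but the wrong length: most likely a mistyped PSK.
        return "plaintext:hex-len-%d" % len(value)
    return "plaintext"

def audit(users_text):
    """Return (line number, user name, classification) for each entry."""
    findings = []
    for lineno, line in enumerate(users_text.splitlines(), 1):
        # Skip blanks, comments and indented continuation lines.
        if not line.strip() or line[0] in "# \t":
            continue
        parts = line.split(None, 1)
        match = PASSWORD.search(parts[1]) if len(parts) == 2 else None
        if match:
            value = match.group(1) if match.group(1) is not None else match.group(2)
            findings.append((lineno, parts[0], classify(value)))
    return findings

def new_psk():
    """Generate a random 16-byte PSK as 32 hex digits."""
    return secrets.token_hex(16)

# Constructed sample entries, not taken from any real user database.
SAMPLE = """\
# constructed sample
alice User-Password=00112233445566778899aabbccddeeff
bob User-Password=0011223344556677889aabbccddeeff
carol User-Password="correct horse"
"""

if __name__ == "__main__":
    for lineno, user, status in audit(SAMPLE):
        print("line %d: %-6s %s" % (lineno, user, status))
    print("replacement PSK:", new_psk())
```

The entry for bob is one digit short, so it is reported as a plaintext password rather than a PSK.
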
EAP PSK can be used with any Radiator user database that supports a
plaintext User-Password. Requires Crypt::Rijndael. For more information,
see Section 2.1.2. CPAN.