EAP-PSK
===========

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the expansion of EAP-PSK?**

    EAP-PSK stands for *Extensible Authentication Protocol - Pre-Shared Key*.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is EAP-PSK?**

    EAP-PSK is an authentication method for EAP that uses a symmetric pre-shared key for mutual authentication between client and server without requiring certificates.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Why is EAP-PSK useful?**

    * Simpler to deploy: no certificate infrastructure is needed.
    * Provides mutual authentication and session key derivation.
    * Useful in constrained environments (e.g., IoT, embedded systems).
    * Lightweight and secure (when used with strong PSKs).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How does it work?**

    * Both client and server share a pre-established key.
    * EAP-PSK defines a 4-phase handshake:

      1. Identity exchange.
      2. Exchange of nonces and mutual authentication using the PSK.
      3. Key derivation and confirmation.
      4. Success notification.

    * Protects against replay and man-in-the-middle attacks.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is EAP-PSK used?**

    * IoT devices and constrained networks.
    * Environments where certificate management is not feasible.
    * Secure wireless or VPN authentication where simplicity is key.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which OSI layer does this protocol belong to?**

    * Operates at the Application Layer (Layer 7).
    * Encapsulated within EAP, which is carried over lower layers like EAPOL or RADIUS.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-PSK Windows-specific?**

    * No, it is not Windows-specific.
    * It can be implemented on any OS that supports EAP frameworks.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-PSK Linux-specific?**

    * No, EAP-PSK is not Linux-specific.
    * It is available across platforms, although not always supported by default in some supplicants.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which transport protocol is used by EAP-PSK?**

    * Transported via EAP over LAN (EAPOL), RADIUS, or other EAP-capable transports.
    * Backend communication often uses UDP (RADIUS) or TCP (Diameter).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which port is used by EAP-PSK?**

    * Uses standard RADIUS ports:

      * UDP 1812 (Authentication)
      * UDP 1813 (Accounting)

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-PSK use a client-server model?**

    * Yes, it uses a client-server architecture:

      * Client: Supplicant
      * Server: RADIUS or EAP-compliant authentication server

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-PSK protocol use certificates?**

    * No.
    * It uses symmetric keys (pre-shared) instead of digital certificates.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How many frame exchanges are seen during connection for the EAP-PSK protocol?**

    * Typically involves 4 main EAP message exchanges.
    * Additional EAPOL or RADIUS messages may be included depending on infrastructure.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-PSK protocol use client certificates?**

    * No, it does not use client certificates.
    * Authentication relies solely on the pre-shared key.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-PSK protocol use server certificates?**

    * No.
    * No certificates are used on either side.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-PSK protocol depend on TCP?**

    * No, EAP-PSK itself does not require TCP.
    * Backend communication (e.g., Diameter) might use TCP, but EAP-PSK is agnostic.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-PSK protocol depend on UDP?**

    * Yes, commonly.
    * When transported via RADIUS, EAP-PSK relies on UDP 1812.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What are the roles involved when testing the EAP-PSK protocol?**

    * Supplicant (Client device)
    * Authenticator (e.g., access point or switch)
    * Authentication Server (e.g., FreeRADIUS)

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-PSK protocol work with a FreeRADIUS server on Linux?**

    * Yes, FreeRADIUS supports EAP-PSK.
    * Requires proper module configuration and key management.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-PSK protocol work with the internal RADIUS server of hostapd?**

    * No, hostapd's internal server does not support EAP-PSK.
    * You need an external RADIUS server like FreeRADIUS.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the RFC version used for the EAP-PSK protocol?**

    * EAP-PSK is defined in **RFC 4764**.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **During the connection procedure, which EAPOL packets are encrypted?**

    * EAPOL packets themselves are not encrypted.
    * However, key material exchanged via EAP-PSK is protected using cryptographic primitives like AES-128.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Can you explain the different stages of the connection procedure for the EAP-PSK protocol?**

    * **Stage 1:** EAP-Request/Identity → EAP-Response/Identity
    * **Stage 2:** Server sends random challenge (RAND_S)
    * **Stage 3:** Client responds with RAND_P, MAC_P
    * **Stage 4:** Server verifies MAC_P and sends MAC_S
    * **Stage 5:** Session key is derived and Success sent

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the final output of the connection procedure?**

    * A shared Master Session Key (MSK) is generated for securing subsequent communication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the format of the key generated after the connection procedure?**

    * The MSK is 64 bytes (512 bits), derived from the pre-shared key and exchanged nonces.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is the PMK generated by the connection procedure used?**

    * PMK is derived from the MSK and used in WPA2/WPA3 enterprise mode.
    * It helps generate encryption keys like PTK for data protection.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    Topics in this section,

    * :ref:`Learnings in this section <EAP_PSK_step1>`
    * :ref:`Terminology <EAP_PSK_step2>`
    * :ref:`Version Info <EAP_PSK_step3>`
    * :ref:`EAP_PSK Version&IEEE Details <EAP_PSK_step5>`
    * :ref:`EAP_PSK FreeRadius Basic Setup on Ubuntu (2 Machines) <EAP_PSK_step18>`
    * :ref:`EAP_PSK FreeRadius Basic Setup on Ubuntu (3 Machines) <EAP_PSK_step19>`
    * :ref:`EAP_PSK Internal Radius Server Basic Setup on Ubuntu (2 Machines) <EAP_PSK_step20>`

      * :ref:`STEP 1: Bring up AP <EAP_PSK_step21>`
      * :ref:`STEP 2: Bring up STA <EAP_PSK_step22>`

    * :ref:`EAP_PSK Protocol Packet Details <EAP_PSK_step6>`
    * :ref:`EAP_PSK Usecases <EAP_PSK_step7>`
    * :ref:`EAP_PSK Basic Features <EAP_PSK_step8>`
    * :ref:`Reference links <EAP_PSK_step17>`

.. _EAP_PSK_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _EAP_PSK_step2:

.. tab-set::

    .. tab-item:: Terminology

        * Terminology

.. _EAP_PSK_step3:

.. tab-set::

    .. tab-item:: Version Info

        * Version Info

.. _EAP_PSK_step5:

.. tab-set::

    .. tab-item:: EAP_PSK Version&RFC Details

        * RFC details

.. _EAP_PSK_step20:

.. tab-set::

    .. tab-item:: Internal Radius Server Basic Setup on Ubuntu (2 Machines)

.. _EAP_PSK_step21:

.. tab-set::

    .. tab-item:: STEP 1: Bring up AP using hostapd

        .. csv-table::
            :file: ./EAP_PSK/eap_psk_ap_hostapd.csv
            :class: tight-table

.. _EAP_PSK_step22:

.. tab-set::

    .. tab-item:: STEP 2: Bring up STA

        .. csv-table::
            :file: ./EAP_PSK/eap_psk_sta_wpa_supplicant.csv
            :class: tight-table

.. tab-set::

    .. tab-item:: Wireshark Output

        * Download file to check wireshark output :download:`Packet capture in EAP_PSK `

.. _EAP_PSK_step19:

.. tab-set::

    .. tab-item:: EAP_PSK FreeRadius Basic Setup on Ubuntu (3 Machines)

        * setup

.. _EAP_PSK_step18:

.. tab-set::

    .. tab-item:: EAP_PSK FreeRadius Basic Setup on Ubuntu (2 Machines)

        * setup

.. _EAP_PSK_step6:

.. tab-set::

    .. tab-item:: EAP_PSK Protocol Packet Details

        * packet details

.. _EAP_PSK_step7:

.. tab-set::

    .. tab-item:: EAP_PSK Usecases

        * usecases

.. _EAP_PSK_step8:

.. tab-set::

    .. tab-item:: EAP_PSK Basic Features

        * features

.. _EAP_PSK_step17:

.. tab-set::

    .. tab-item:: Reference links

        * Reference links
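
The four EAP-PSK messages described in the connection stages (RAND_S, then RAND_P and MAC_P, then MAC_S, then the final response) can be checked in a capture with a small parser. This is an added example, not code from the original page: the field layout follows RFC 4764 section 5, and the function names (``parse_eap_psk``, ``check_exchange``, ``build``) and the sample packets are constructed for illustration.

```python
import struct

EAP_TYPE_PSK = 47          # EAP method type assigned to EAP-PSK
REQUEST, RESPONSE = 1, 2   # EAP Code values
# 16-byte fields that follow Flags, indexed by message number T (RFC 4764, section 5).
# What remains after them is ID_S (T=0), ID_P (T=1) or the PCHANNEL (T=2, T=3).
FIELDS = (("rand_s",), ("rand_s", "rand_p", "mac_p"), ("rand_s", "mac_s"), ("rand_s",))

def parse_eap_psk(pkt: bytes) -> dict:
    """Parse one EAP packet carrying EAP-PSK; raise ValueError if malformed."""
    if len(pkt) < 6:
        raise ValueError("too short for EAP header plus Flags")
    code, ident, length, etype, flags = struct.unpack("!BBHBB", pkt[:6])
    if length != len(pkt) or etype != EAP_TYPE_PSK:
        raise ValueError("bad Length or not EAP-PSK")
    t = flags >> 6                       # T is the top two bits of Flags
    if code != (REQUEST, RESPONSE)[t % 2]:
        raise ValueError("Code does not match message number")
    end = 6 + 16 * len(FIELDS[t])
    if len(pkt) < end:
        raise ValueError("truncated fixed fields")
    msg = {"t": t, "id": ident, "tail": pkt[end:]}
    for i, name in enumerate(FIELDS[t]):
        msg[name] = pkt[6 + 16 * i:22 + 16 * i]
    return msg

def check_exchange(packets) -> list:
    """Return anomalies found in one captured four-message exchange."""
    msgs = [parse_eap_psk(p) for p in packets]
    issues = []
    if [m["t"] for m in msgs] != [0, 1, 2, 3]:
        issues.append("messages out of order or missing")
    if len({m["rand_s"] for m in msgs}) != 1:
        issues.append("RAND_S changes within the exchange")
    for req, resp in zip(msgs[0::2], msgs[1::2]):
        if req["id"] != resp["id"]:
            issues.append("Response Identifier does not match its Request")
    return issues

def build(code, ident, t, body):         # builder for the constructed samples below
    return struct.pack("!BBHBB", code, ident, 6 + len(body), EAP_TYPE_PSK, t << 6) + body

# Constructed sample exchange (fixed filler bytes, not captured traffic).
RS, RP, MAC = b"\x11" * 16, b"\x22" * 16, b"\x33" * 16
SAMPLE = [
    build(REQUEST, 1, 0, RS + b"server@example"),
    build(RESPONSE, 1, 1, RS + RP + MAC + b"peer@example"),
    build(REQUEST, 2, 2, RS + MAC + b"\x00" * 21),
    build(RESPONSE, 2, 3, RS + b"\x00" * 21),
]
```

The parser only checks framing and sequencing; verifying MAC_P and MAC_S requires the pre-shared key and the AES-based computations that RFC 4764 specifies.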