RADIUS attribute from rfc4072
EAP-Key-Name
The EAP-Key-Name Attribute, defined in "Diameter Extensible
Authentication Protocol (EAP) Application", contains the
EAP Session-Id, as described in "Extensible Authentication
Protocol (EAP) Key Management Framework". Exactly how
this attribute is used depends on the link layer in question.
It should be noted that not all link layers use this name. An
EAP-Key-Name Attribute MAY be included within Access-Request,
Access-Accept, and CoA-Request packets. A summary of the EAP-Key-Name
Attribute format is shown below. The fields are transmitted
from left to right.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |  String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type
   102

Length
   >=3

String
The String field is one or more octets, containing the EAP
Session-Id, as defined in "Extensible Authentication Protocol
(EAP) Key Management Framework". Since the NAS operates
as a pass-through in EAP, it cannot know the EAP Session-Id before
receiving it from the RADIUS server. As a result, an EAP-Key-Name
Attribute sent in an Access-Request MUST only contain a single NUL
character. A RADIUS server receiving an Access-Request with an
EAP-Key-Name Attribute containing anything other than a single NUL
character MUST silently discard the attribute. In addition, the
RADIUS server SHOULD include this attribute in an Access-Accept or
CoA-Request only if an EAP-Key-Name Attribute was present in the
Access-Request. Since a NAS will typically only include an EAP-
Key-Name Attribute in an Access-Request in situations where the
attribute is required to provision service, if an EAP-Key-Name
Attribute is included in an Access-Request but is not present in
the Access-Accept, the NAS SHOULD treat the Access-Accept as
though it were an Access-Reject. If an EAP-Key-Name Attribute was
not present in the Access-Request but is included in the Access-
Accept, then the NAS SHOULD silently discard the EAP-Key-Name
Attribute. As noted in Section 6.2.2 of , the
Connectivity Association Key Name (CKN) is derived from the EAP
Session-Id, and, as described in Section 9.3.3 of ,
the CKN is subsequently used in the derivation of the Key
Encrypting Key (KEK) and the Integrity Check Value Key (ICK),
which protect the Secure Association Keys (SAKs) utilized by Media
Access Control Security (MACsec). As a result, for the NAS to
acquire information needed in the MACsec Key Agreement (MKA)
exchange, it needs to include the EAP-Key-Name Attribute in the
Access-Request and receive it from the RADIUS server in the
Access-Accept.
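The following Python is an added example, not text or code from the RFC or any RADIUS implementation. It encodes the EAP-Key-Name attribute as the Type/Length/String TLV shown above and applies the handling rules stated in the text: the server discards any Access-Request EAP-Key-Name that is not a single NUL and echoes the EAP Session-Id only when it was requested; the NAS treats an Access-Accept that omits a requested EAP-Key-Name as an Access-Reject and discards one it never asked for. Function names, the User-Name attribute (Type 1, from base RADIUS) used as filler, and the sample Session-Id bytes are my own constructions.

```python
"""Added example: RADIUS EAP-Key-Name (Type 102) TLV handling on server and NAS.

Function names are hypothetical; the Session-Id below is constructed test data.
"""
import struct
from typing import List, Optional, Tuple

EAP_KEY_NAME = 102        # attribute Type given in the text
USER_NAME = 1             # base RADIUS User-Name, used only as filler here
ATTR_MAX_LEN = 255        # RADIUS Length is one octet and includes the 2-octet header

# Constructed sample EAP Session-Id (not a real capture); Length = 2 + 65 = 67 octets.
SAMPLE_SESSION_ID = bytes([0x0D]) + bytes(range(64))

Attr = Tuple[int, bytes]


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Build one attribute: Type (1 octet), Length (1 octet, header included), String."""
    length = 2 + len(value)
    if length > ATTR_MAX_LEN:
        raise ValueError("value too long for a one-octet Length field")
    return struct.pack("!BB", attr_type, length) + value


def decode_attrs(payload: bytes) -> List[Attr]:
    """Walk a concatenated attribute list, rejecting truncated or malformed TLVs."""
    attrs: List[Attr] = []
    i = 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("attribute Length out of range")
        attrs.append((attr_type, payload[i + 2:i + length]))
        i += length
    return attrs


def server_filter_request(attrs: List[Attr]) -> Tuple[List[Attr], bool]:
    """Server rule: an Access-Request EAP-Key-Name MUST be a single NUL octet.

    Anything else is silently discarded. Returns the kept attributes and
    whether the NAS validly asked for the EAP Session-Id.
    """
    kept: List[Attr] = []
    requested = False
    for attr_type, value in attrs:
        if attr_type == EAP_KEY_NAME:
            if value == b"\x00":
                requested = True
                kept.append((attr_type, value))
            continue  # silently discard a malformed EAP-Key-Name
        kept.append((attr_type, value))
    return kept, requested


def server_build_accept(requested: bool, session_id: bytes,
                        other_attrs: List[Attr]) -> List[Attr]:
    """Server SHOULD include EAP-Key-Name in Access-Accept only if it was requested."""
    out = list(other_attrs)
    if requested and session_id:
        out.append((EAP_KEY_NAME, session_id))
    return out


def nas_process_accept(sent_key_name: bool,
                       accept_attrs: List[Attr]) -> Tuple[str, Optional[bytes]]:
    """NAS rules for a received Access-Accept.

    Requested but absent -> treat as Access-Reject (service cannot be provisioned).
    Not requested but present -> silently discard the attribute.
    Otherwise hand the EAP Session-Id (the CKN input for MKA) to the link layer.
    """
    present = [v for t, v in accept_attrs if t == EAP_KEY_NAME]
    if sent_key_name and not present:
        return "reject", None
    if not sent_key_name:
        return "accept", None
    return "accept", present[0]


def demo_round_trip() -> Tuple[str, Optional[bytes]]:
    """Full NAS -> server -> NAS exchange with a valid single-NUL request."""
    request = encode_attr(USER_NAME, b"alice") + encode_attr(EAP_KEY_NAME, b"\x00")
    kept, requested = server_filter_request(decode_attrs(request))
    accept = b"".join(encode_attr(t, v) for t, v in
                      server_build_accept(requested, SAMPLE_SESSION_ID, []))
    return nas_process_accept(True, decode_attrs(accept))


if __name__ == "__main__":
    print(demo_round_trip())
```

The decoder refuses a Length below 2 or past the end of the buffer before slicing, so a malformed attribute list raises instead of silently misparsing the following attributes; that check matters because the EAP-Key-Name String is carried straight into MKA key derivation on the NAS.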