RADIUS attribute from rfc4072


The EAP-Key-Name Attribute, defined in "Diameter Extensible
      Authentication Protocol (EAP) Application" , contains the
      EAP Session-Id, as described in "Extensible Authentication
      Protocol (EAP) Key Management Framework" .  Exactly how
      this attribute is used depends on the link layer in question.

      It should be noted that not all link layers use this name.  An
      EAP-Key-Name Attribute MAY be included within Access-Request,
      Access-Accept, and CoA-Request packets.  A summary of the EAP-Key-
      Name Attribute format is shown below.  The fields are transmitted
      from left to right.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      |     Type      |  Length       |          String...


      102 Length



      The String field is one or more octets, containing the EAP
      Session-Id, as defined in "Extensible Authentication Protocol
      (EAP) Key Management Framework" .  Since the NAS operates
      as a pass-through in EAP, it cannot know the EAP Session-Id before
      receiving it from the RADIUS server.  As a result, an EAP-Key-Name
      Attribute sent in an Access-Request MUST only contain a single NUL
      character.  A RADIUS server receiving an Access-Request with an
      EAP-Key-Name Attribute containing anything other than a single NUL
      character MUST silently discard the attribute.  In addition, the
      RADIUS server SHOULD include this attribute in an Access-Accept or
      CoA-Request only if an EAP-Key-Name Attribute was present in the
      Access-Request.  Since a NAS will typically only include an EAP-
      Key-Name Attribute in an Access-Request in situations where the
      attribute is required to provision service, if an EAP-Key-Name
      Attribute is included in an Access-Request but is not present in
      the Access-Accept, the NAS SHOULD treat the Access-Accept as
      though it were an Access-Reject.  If an EAP-Key-Name Attribute was
      not present in the Access-Request but is included in the Access-
      Accept, then the NAS SHOULD silently discard the EAP-Key-Name
      Attribute.  As noted in Section 6.2.2 of , the
      Connectivity Association Key Name (CKN) is derived from the EAP
      Session-Id, and, as described in Section 9.3.3 of ,
      the CKN is subsequently used in the derivation of the Key
      Encrypting Key (KEK) and the Integrity Check Value Key (ICK),
      which protect the Secure Association Keys (SAKs) utilized by Media
      Access Control Security (MACsec).  As a result, for the NAS to
      acquire information needed in the MACsec Key Agreement (MKA)
      exchange, it needs to include the EAP-Key-Name Attribute in the
      Access-Request and receive it from the RADIUS server in the