reply to jbibe
Re: Flow diagram: WPA Enterprise Thanks for the update. Can the supplicant not also derive the basic MK? I had thought this is the basic TLS session key based on the premaster secret and randoms. In Hacking Exposed Wireless (first edition) pg. 81, it's mentioned that for EAP-TLS the generated TLS session key is used as the PMK (which make sense since there's no additional "user auth").
Otherwise at exactly what point is the MK handed from the AS to the supplicant? The same book on pg. 206 mentions that the exact method to determine the PMK differ depending on the auth type, so perhaps this handover is at different points when comparing between EAP-TLS vs. PEAP, for example?
What does the "client EAP encryption" refer to exactly?
You are correct on the distribution of the MK. See the following document:
Pages 7, 9, and 43 imply that the AS and the Supplicant derive the MK.
Thanks again. I've updated the diagram (hopefully more accurate this time). Let me know if you see any other errors.
The diagram matches my present understanding.