Skip to content

Enterprise Family (AKM 1, 3, 5, 11-13, 22, 23)

Enterprise AKMs use the IEEE 802.1X framework to authenticate stations through an EAP exchange with a backend RADIUS server. The PMK is derived from the EAP Master Session Key, not from a passphrase.

Overview

In Enterprise mode, the AP acts as an authenticator that relays EAP frames between the supplicant (STA) and the authentication server (RADIUS). The EAP method (EAP-TLS, PEAP, EAP-TTLS, LEAP, etc.) determines the actual authentication mechanism. Upon success, both RADIUS and STA derive a Master Session Key (MSK), from which the PMK is extracted.

EAP Authentication Flow

sequenceDiagram
    participant STA as STA (Supplicant)
    participant AP as AP (Authenticator)
    participant RS as RADIUS Server

    STA->>AP: EAPOL-Start
    AP->>STA: EAP-Request/Identity
    STA->>AP: EAP-Response/Identity (username)
    AP->>RS: RADIUS Access-Request (EAP-Response)
    Note over STA,RS: EAP method exchange (TLS handshake or challenge/response)
    RS->>AP: RADIUS Access-Accept + MSK
    AP->>STA: EAP-Success
    Note over AP,STA: 4-Way Handshake using PMK derived from MSK

PMK Derivation from MSK

After a successful EAP exchange, the RADIUS server sends the MSK to the AP via RADIUS Access-Accept (MPPE keys attribute). Both the STA and the server independently derive the same MSK from the EAP exchange.

PMK = MSK[0:32]     -- for AKM 1, 3, 5, 11 (SHA-256 suites)
PMK = MSK[0:48]     -- for AKM 12, 13, 22, 23 (SHA-384 suites, 384-bit PMK)

The MSK is typically 512 bits (64 bytes). Only the first 256 or 384 bits are used as the PMK, depending on the AKM suite. The rest of the MSK may be used as an Extended Master Session Key (EMSK) for other purposes.

After PMK derivation, the 4-way handshake proceeds identically to PSK mode using the PMK derived from the EAP exchange.

AKM Groupings

SHA-1: AKM 1

Original 802.1X AKM from 802.11i-2004. Uses HMAC-SHA1-based PRF for PTK derivation (same PRF as AKM 2). MIC uses HMAC-MD5 (kv1) or HMAC-SHA1-128 (kv2) depending on the cipher suite.

FT-802.1X: AKM 3

Adds Fast Transition to AKM 1, enabling fast roaming in enterprise deployments. Uses the FT key hierarchy (PMK-R0 / PMK-R1) with KDF-SHA-256. The R0 key holder role is filled by the RADIUS server or a dedicated FT infrastructure component (R0KH).

SHA-256: AKM 5

SHA-256 upgrade of AKM 1 from 802.11w-2009 (Management Frame Protection). KDF-SHA-256 for PTK derivation. MIC uses AES-128-CMAC (keyver 3).

Suite B (SHA-256): AKM 11

AKM 11 targets the 128-bit security level. Same KDF-SHA-256 as AKM 5. Mandates GCMP-128 (AES-128-GCM) for data frames and BIP-GMAC-128 for management frame protection per Table 9-190.

Suite B (SHA-384): AKM 12, 13

AKM 12 targets the 192-bit security level with SHA-384-based KDF. Key sizes: KCK = 192 bits, KEK = 256 bits, TK = 256 bits. MIC uses HMAC-SHA-384 (truncated to 192 bits / 24 octets, keyver 0 = AKM-defined).

Mandates AES-256-GCM or AES-256-CCM cipher suites. AKM 13 adds FT to AKM 12.

802.11-2024 Extensions: AKM 22, 23

AKM 22 adds FT to the SHA-384 enterprise suite, equivalent to AKM 13 but defined under the 802.11-2024 revision. AKM 23 is the non-FT SHA-384 enterprise AKM, equivalent to AKM 12. These were introduced to align with CNSA (Commercial National Security Algorithm Suite) 2.0 requirements.

Suite B Compliance

Suite B (now CNSA, Commercial National Security Algorithm Suite) defines minimum cryptographic requirements for government and high-security networks:

Suite Security level AKMs Cipher PRF/KDF
Suite B-128 128-bit 11 GCMP-128 SHA-256
Suite B-192 (CNSA) 192-bit 12, 13, 22, 23 AES-256-GCM SHA-384

CNSA-compliant deployments require AKM 12/13 or 22/23 with GCMP-256 cipher suite and P-384 or RSA-3072+ certificates for EAP-TLS.

EAP Method Selection

The choice of EAP inner method determines whether credentials are crackable:

EAP method Transport Inner auth Offline crackable? hashcat mode
EAP-TLS TLS 1.2+ Certificates No N/A
PEAP/MSCHAPv2 TLS tunnel NTHash challenge Yes (rogue AP needed) 5500
EAP-TTLS/PAP TLS tunnel Plaintext password No hash to crack N/A
EAP-TTLS/MSCHAPv2 TLS tunnel NTHash challenge Yes (rogue AP needed) 5500
EAP-FAST TLS tunnel Varies Method-dependent N/A
LEAP None (cleartext) MS-CHAPv1 Yes (passive capture) 5500
EAP-MD5 None (cleartext) MD5-Challenge Yes (passive capture) 4800

The WPA handshake (4-way) itself is not crackable for Enterprise AKMs; the PMK is derived from the MSK, not from a password exposed in the frame exchange. Attacks target the EAP inner method credentials, not the 802.11 key derivation.

Spec References

  • 802.1X framework: IEEE 802.1X-2020
  • Enterprise PMK derivation: 802.11-2024 §12.7.1.3
  • EAP base protocol: RFC 3748
  • PEAP: draft-josefsson-pppext-eap-tls-eap (PEAPv0/v1)
  • MSCHAPv2: RFC 2759
  • AKM selectors: Table 9-190
  • Key sizes: Table 12-8 (TK), Table 12-11 (KCK/KEK)