4-Way handshake in WPA-Enterprise?

[Der_Kanzler]

Hello folks!

I'd have a question regarding WPA Enterprise and the 4-way handshake.

I always thought that this handshake would be implemented in both WPA-PSK and WPA Enterprise, thus this classic WPA-PSK vulnerability where an attacker captures a handshake and performs a brute force attack would exist in WPA Enterprise aswell.

Now I researched a bit and I found a paper that explains the 802.11i standard quite detailed ... but I found no indicator that this handshake exists in WPA Enterprise. Instead I found the indication that the PTK is sent to the Client over the wireless network in a TLS tunnel (of whatever authentification is used)?

Is that correct? I'm just asking because it seems quite implausible to me why the PTK would be sent over the wireless network.

[Der_Kanzler]

Hello again,

sorry to bump this, but I meanwhile found out that there is indeed a 4-way handshake in WPA Enterprise. The PMK is only sent to the AP, not to the Client. The client generates the PMK through a shared secret between Client and RADIUS-Server ... and in the end there is the 4-way handshake to verify that Client and AP have the same PMK.

just saying this for the case anybody else has this question in the future...