I know that you can recover the authentication password used with LEAP using the asleap program. However, once you recover that, how do you recover the Pairwise Master Key (PMK) for the WPA encryption?

In my research, I can tell when the PMK is delivered to the AP from the RADIUS server, but when is the PMK delivered to the client?

Does asleap only give you a username and password so that an attacker could join the network or can an attacker continue the attack to be able to decrypt traffic on that session.

Thanks for the assistance.

-David