The animated TECHTip tutorial available here.

The AP [Access Point] uses a GK [Group Key] to send broadcast and multicast packets to all stations that are communicating with an access point or communicating within an IBSS. If no Pairwise Key has been set, a Group Key can also be used to send and receive unicast packets. The EAP Authentication type utilizes keys to provide key authentication before encryption occurs. The AS [Authentication Server] and Client (STAtion) each must possess mutually authenticated keys. To begin, the AS sends a PMK [Pairwise Master Key] (a large random number) as an authorization token. The PMK creates a subset of three additional keys called the PTK [Pairwise Transient Key]:

  1. KCK [Key Confirmation Key]: binds the PTK in the client and the AP to verify PMK.
  2. KEK [Key Encryption Key]: used to distribute GTK [Group Transient Key].
  3. TK [Temporal Key] secures data traffic.

Here are the steps in the process (see animation for details):

Step 1: Use RADIUS to send (push) PMK from AS to AP.

Step 2: Use PMK and 4-Way Handshake to derive, bind, and verify PTK. Both the client and AP have the PMK. Now derive (get/resolve) PTK to start encryption.

Step 2A: 4-Way Handshake using EAPoL [Extensible Authentication Protocol Over LAN].

Message 1: Authenticator to Client – EAPoL-Key (Reply Required, Unicast, Nonce-random number).
Message 2: Client to Authenticator – EAPoL-Key (Unicast, Nonce, MIC) – Derive PTK.
Message 3: Authenticator to Client – EAPoL-Key – Install PTK.
Message 4: Client to Authenticator – EAPoL-Key (MIC) – Install PTK.

Step 3: Use Group Key Handshake to send GTK from AP to Client.