They independently prove to each other that they know the PSK/PMK
@stokito The client (nor the access point) never send the password; see this answer (and Wikipedia).
@stokito The client (nor the access point) never send the password; see this answer (and Wikipedia).