LEAP compliant with any router supporting 802.1x/EAP?
Last Post: September 18, 2005:
-
Hi,
I have received a strange answer from a manufacturer's support center after asking them a question about difficulties I had using LEAP with their AP.
They said :
"LEAP is CISCO specific and the specification is not official. I have talked to our experts and they told me that CISCO LEAP is not supported in our EAP stack.
We support in an 802.1x environment: PEAP, TLS, TTLS"
This explanation looks strange to me if I consider the information contained in the CWSP guide.
The only parts that have to be compliant are the supplicant and the authentication server (RADIUS)... The AP shouldn't drop LEAP authentication if there is successful authentication between the RADIUS server and the supplicant...
Do you agree with my point of view?
Thanks for letting me know.
Chris -
http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns386/netqa0900aecd801764f1.html
Q. Is Cisco LEAP a standard?
A. Cisco LEAP takes advantage of the standard 802.1X framework. Cisco was the pioneer in introducing EAP support for WLANs at a time when none of the existing client operating systems provided EAP support. Cisco introduced Cisco LEAP in December 2000 as a way to quickly improve the overall security of WLAN authentication.
Q. What client operating systems does Cisco LEAP support?
A. Cisco LEAP supports numerous client operating systems, including Microsoft Windows, Mac OS, Linux, DOS, and Windows CE.
Q. What RADIUS servers and user databases does Cisco LEAP support?
A. Cisco LEAP supports the following RADIUS servers and user databases: Cisco Secure ACS, Cisco Network Registrar, Funk Odyssey Server, Funk Steel-Belted, and products that use the Interlink Networks server code (such as LeapPoint appliances).
From there it is easy to see that Cisco LEAP is still proprietary since it does not work with any standard Radius server such as IAS.
and finally:
Q. Is Cisco LEAP authentication available on wireless clients from vendors other than Cisco?
A. Yes. Cisco LEAP authentication is available for Cisco Compatible Extensions products.
Therefore, LEAP is totally proprietary and your vendor is correct. -
Does this require support by the AP because LEAP may require an encryption method different from the standard EAPs?
Thanks,
moe -
pmoulay, thank you for your answer.
I already knew that LEAP was Cisco proprietary from a supplicant / authentication server perspective, but my question is: "does LEAP require a compliant AP?"
Moe (see above) has understood my concern very well.
Thanks for your help !
Chris -
LEAP uses standard encryption types (WEP, WPA and WPA2). You need a Cisco AP to use it. Also, don't count on using it if you use Microsoft. No compatibility with the Windows XP/2003 wireless client and no compatibility with Microsoft IAS.
-
In fact I am doing the tests with the Odyssey Client and Odyssey Server software (Funk Software)... I am expecting it to work without the use of a specific Cisco router (or Linksys). But I may be wrong.
According to what Ben says, this should then only work with Cisco routers?!? (independently of the supplicant and authentication server used).
Would be glad to confirm this assertion... has anyone tried to make LEAP work with another vendor AP ?
Any feedback would be interesting.
Thanks
Chris -
Chris,
You are wrong. Ditch LEAP. You will need Cisco APs to make it work. -
Chrisparis75,
I have been trying to find something that will tell me why (specifically) the AP must be coded to support LEAP but have been unable to find out the exact answer.
Here is a whitepaper that can be found on this site:
"EAP Authentication Protocols for WLANs"
It is from Cisco.
In the second note in the section titled "Cisco LEAP (EAP-Cisco Wireless)" it says that LEAP key gen mechanism is proprietary and is gen'd every (re)authentication to achieve key rotation. My understanding is that RADIUS authenticates and supplies the initial key materials and it is up to the AP and client to rekey based on these. So the AP would have to know the LEAP key gen algorithm to communicate with the client.
moe -
Moe,
Thanks for your contribution to my post... it is always interesting to have a written document to confirm an assertion.
I have been looking at various PDF documents too, and my attention has focused on an excellent chapter (7) of a Cisco book (I don't know the title... I found this PDF on the web) titled "Chapter 7: EAP Authentication Protocols for WLANs". On LEAP they say, of course, that it is proprietary, but they are not very precise on how the key is handled by the AP itself. They seem to say that the AP is handling the keys in a proprietary manner.
I guess you are completely right: the AP MUST be able to derive the key from the one provided to it by the RADIUS server.
I would suggest that the CWSP book be more precise on this particular point. Implementation of LEAP is not only dependent on compliance of the supplicant and authentication server. LEAP must be explicitly supported by the AP... even my Linksys WAG54G seems not to support LEAP (it only says WPA-RADIUS instead of EAP).
That means then that there is today NO simple non-proprietary solution available for mutual authentication and dynamic keys without the use of certificates... It is a pity for those who don't want to handle certificates and would like to build an easy EAP infrastructure for a small network.
Chris -
Why not set up a Linux server with FreeRadius? You can use that same machine to generate certs with openssl, and FR supports many common EAP types.
-