Forum

Does EAP-LEAP provide "mutual authentication" for the purposes of providing seeding material for dynamic encryption as given on page 174?

Thanks.

Jackman,

Thanks for responding.

So the AKM operations take place in LEAP as well, but without TLS or actual AS authentication and dynamic WEP encryption temporal keys?

I'll try to respond to both of you in this post.

LEAP, in my humble opinion, offers no usable form of mutual authentication. If I can't configure a supplicant to discriminate against a specific AS (or a short list) then it will therefore talk to anyone. That would include an attacker performing a MiTM attack.

I've debated this topic a bit with my colleagues and at the end of the day the only way you can say LEAP performs any type of mutual authentication is based on the MS-CHAPv2 protocol that LEAP is loosely based upon (it is not exact). The nature of this protocol is that it never actually transmits the actual password for a username (transmitted in plain text), but rather a hash of the password. The AS receives that hash from the supplicant and and compares the hash values to the user directory.

In other words, LEAP is garbage and none of us shall ever use it. ;)

Scotty, I didn't follow exactly what your question was, but I think you're asking if AKM operations take place in LEAP as well. Yes, it does. Theoretically, if LEAP was used as an auth type with WPA2 Enterprise, the key derivation should be identical to other EAP methods because a MSK is still a result. Upon success of an EAP type is when the the "KM" part of AKM really kicks in. However, the MSK is used differently depending on the encryption methodology. For example, dynamic WEP, TKIP and CCMP will all use this MSK differently.

Hope that helps.