Hacking & Solutions: Cracking Cisco LEAP Authentication

Hacking & Solutions: Cracking Cisco LEAP Authentication

By CWNP On 02/12/2008 - 38 Comments

This article is presented as part of hacking + solution track for Wireless Security Expo 2008.

By watching the "Cracking Cisco LEAP" video, you will discover just how insecure LEAP is.  It takes only seconds to break using any reasonable dictionary file and commonly available and user-friendly software tools. 


Cisco's Lightweight EAP (LEAP) protocol is a scalable, fast, and simple authentication protocol designed to work over 802.11 WLANs.  LEAP is, by far, the easiest version of 802.1X/EAP to implement.  It literally takes only minutes to configure, and is supported by a variety of RADIUS servers and wireless client utilities.  There is one problem: it lacks the kind of rock-solid security found in tunneled EAP types like PEAP and EAP-TTLS.  LEAP was the first widely-deployed EAP type, and there are still thousands of LEAP deployments in existance.

The reason for this insecurity is that LEAP relies on users to choose a "strong" password.  Users don't like strong passwords because they are too difficult to remember.  Instead, users like common words, phrases, and names.  If even one user on a wireless network violates the strong password requirement, an intruder will have the ability to penetrate the network.

Cisco has repeatedly reinforced its stance that if LEAP is deployed, a strong password policy must be enforced.  Enforcing a strong password policy is easier said than done in many cases, especially when passwords are suggested (by Cisco) to meet these requirements:

  • A minimum of ten characters
  • A mixture of uppercase and lowercase letters
  • At least one numeric character or one non-alphanumeric character (Example: !#@$%)
  • No form of the user's name or user ID
  • A word that is not found in the dictionary (domestic or foreign)

Cisco offers these examples of strong passwords:

  • cnw84FriDAY, from "cannot wait for Friday"
  • 4yosc10cP!, from "for your own safety choose 10 character password!"

If the ability to force users to use strong passwords is available in your system, it is highly suggested that you implement it for the LEAP network.  Cisco has released EAP-FAST as a suggested replacement for LEAP, but due to EAP-FAST's deployment complexity and limited support in client utiltiies and RADIUS servers, PEAP and EAP-TTLS are currently the most popular enterprise-class wireless authentication protocols.  All three are typically deemed secure, but the most popular usually end up being the easiest and cheapest to deploy.

Since PEAP, EAP-TTLS, and even EAP-FAST (to some degree) are available, well-documented, and secure, all LEAP users should consider upgrades at their earliest possible convenience.

Blog Disclaimer: The opinions expressed within these blog posts are solely the author’s and do not reflect the opinions and beliefs of the Certitrek, CWNP or its affiliates.

0 Responses to Hacking & Solutions: Cracking Cisco LEAP Authentication

Subscribe by Email
There are no comments yet.
<< prev - comments page 1 of 1 - next >>

Leave a Reply

Please login or sign-up to add your comment.
Success Stories

I literally just came out of the testing centre having taken the CWDP exam. The certification process opened my mind to different techniques and solutions. This knowledge can only broaden your perspective. Great job, CWNP, you have a great thing going on here.

Read More

Working through the CWNP coursework and certifications helped not only to deepen my technical knowledge and understanding, but also it boosted my confidence. The hard work it took to earn my CWNE has been rewarding in so many ways.

Read More

I want to commend you and all at CWNP for having a great organization. You really 'raise the bar' on knowing Wi-Fi well. I have learned a ton of information that is helping my job experience and personal career goals, because of my CWAP/CWDP/CWSP studies. Kudos to all at CWNP.

Read More