1. Home
  2. Networking
  3. Wireless lan security

Cisco LEAP (EAP-Cisco Wireless)

Cisco LEAP was developed at a time when WEP showed vulnerabilities and the full wireless security blueprint was not standardized. Moreover, instead of requiring a certificate infrastructure for clients, organizations wanted to leverage authentications that were already available within their infrastructure for secure WLAN. So Cisco developed a lightweight protocol that leveraged many of the existing features and still provided the required security features.

LEAP uses 802.1x EAPOL messages, performs server authentication, achieves username/password (over MS-CHAP) as the user authentication mechanism, uses a RADIUS server as the authentication server, and provides mechanisms for deriving and distributing encryption keys.

Note

The EAP type is EAP-Cisco Wireless (see Table 7-2).


Figure 7-17 details the LEAP choreography.

Figure 7-17. LEAP Choreography


The entities that participate in a LEAP exchange are the RADIUS server, the AP, and the client.

In Step 1, the client and the RADIUS server should have the shared secret, usually a username-password database of all users in the RADIUS server (or access to a Microsoft Active Directory infrastructure), and each client should have its own username and password.

After a client establishes connectivity (Step 2), it initiates the authentication process by an EAPOL-start (Step 3), to which the AP responds by an EAP-request-identity message over EAPOL (Step 4).

The client response with identity is sent to the RADIUS server in a RADIUS message (Step 5).

From this point on, the AP acts as a relay between the client and the RADIUS server, until after Step 7.

Step 6 is client authentication by challenge-response mechanism. The server sends a challenge, to which the client responds with a hash calculated using the password and the LEAP algorithm. The server also calculates the hash, and if they are equal, the authentication is success. As you can see, the client authentication happens based on existing infrastructure and still not transmitting the credential (here the password).

In Step 7, the server authentication happens through a similar mechanism, and at the end, the server sends the encryption keys to the AP. The AP distributes the required key material by broadcast.

The client derives the encryption key from the key materials (Step 8), and from then on, the AP and the client can use the encryption keys to have a secure conversation (Step 9).

Note

The LEAP key generation mechanism is proprietary and is generated every (re)authentication, thus achieving key rotation. The session timeout in RADIUS allows for periodic key rotation, thus achieving security against sniffing and hacking the keys. The RADIUS exchanges for LEAP include a couple of Cisco-specific attributes in the RADIUS messages.
    		Chapter 1. Securing WLANs Overview
    		Chapter 2. Basic Security Mechanics and Mechanisms
    		Chapter 3. WLAN Standards
    		Chapter 4. WLAN Fundamentals
    		Chapter 5. WLAN Basic Authentication and Privacy Methods
    		Chapter 6. Wireless Vulnerabilities
    		Chapter 7. EAP Authentication Protocols for WLANs
    		Access Control and Authentication Mechanisms
    		EAP
    		PEAP
    		802.1x: Introduction and General Principles
    		Cisco LEAP (EAP-Cisco Wireless)
    		EAP-FAST
    		Summary
    		Chapter 8. WLAN Encryption and Data Integrity Protocols
    		Chapter 9. SWAN: End-to-End Security Deployment
    		Chapter 10. Design Guidelines for Secure WLAN
    		Chapter 11. Operational and Design Considerations for Secure WLANs
    		Chapter 12. WLAN Security Configuration Guidelines and Examples
    		Chapter 13. WLAN Deployment Examples
    		Appendix A. Resources and References