Cisco LEAP (EAP-Cisco Wireless)

Cisco LEAP was developed at a time when WEP showed vulnerabilities and the full wireless security blueprint was not standardized. Moreover, instead of requiring a certificate infrastructure for clients, organizations wanted to leverage authentications that were already available within their infrastructure for secure WLAN. So Cisco developed a lightweight protocol that leveraged many of the existing features and still provided the required security features.

LEAP uses 802.1x EAPOL messages, performs server authentication, achieves username/password (over MS-CHAP) as the user authentication mechanism, uses a RADIUS server as the authentication server, and provides mechanisms for deriving and distributing encryption keys.


The EAP type is EAP-Cisco Wireless (see Table 7-2).

Figure 7-17 details the LEAP choreography.

Figure 7-17. LEAP Choreography

The entities that participate in a LEAP exchange are the RADIUS server, the AP, and the client.

In Step 1, the client and the RADIUS server should have the shared secret, usually a username-password database of all users in the RADIUS server (or access to a Microsoft Active Directory infrastructure), and each client should have its own username and password.

After a client establishes connectivity (Step 2), it initiates the authentication process by an EAPOL-start (Step 3), to which the AP responds by an EAP-request-identity message over EAPOL (Step 4).

The client response with identity is sent to the RADIUS server in a RADIUS message (Step 5).

From this point on, the AP acts as a relay between the client and the RADIUS server, until after Step 7.

Step 6 is client authentication by challenge-response mechanism. The server sends a challenge, to which the client responds with a hash calculated using the password and the LEAP algorithm. The server also calculates the hash, and if they are equal, the authentication is success. As you can see, the client authentication happens based on existing infrastructure and still not transmitting the credential (here the password).

In Step 7, the server authentication happens through a similar mechanism, and at the end, the server sends the encryption keys to the AP. The AP distributes the required key material by broadcast.

The client derives the encryption key from the key materials (Step 8), and from then on, the AP and the client can use the encryption keys to have a secure conversation (Step 9).


The LEAP key generation mechanism is proprietary and is generated every (re)authentication, thus achieving key rotation. The session timeout in RADIUS allows for periodic key rotation, thus achieving security against sniffing and hacking the keys. The RADIUS exchanges for LEAP include a couple of Cisco-specific attributes in the RADIUS messages.