LEAP requirements?

Answered Question
Nov 20th, 2008

Does XP natively support LEAP without Cisco aironet cards, or are the Cisco adapters required?

--John

gamccall Fri, 11/21/2008 - 11:35

The WZC native client only supports PEAP or EAP-TLS. You need a third-party supplicant for LEAP, EAP-FAST, EAP-TTLS, or any other EAP methods.

You don't need the Cisco adapter hardware, though; you just need supplicant software. Cisco Secure Services Client (AKA Meetinghouse Aegis) will support any of the above EAP types on most hardware. There are other LEAP supplicants as well, including open-source stuff.

With that said, though, LEAP is barely more secure than setting your SSID to "PleaseDontHackMe". Given a choice, you should be working on getting rid of your LEAP rather than supporting it.

John Blakley Mon, 11/24/2008 - 06:53

Given that answer, I've been reading documentation and LEAP does seem to be insecure. What we're wanting to do is have a solution that allows an in-house wireless to create an association with their username and password. This would allow them to have only the one password to have to remember, and gives us more control over who gets access to wireless. What type of solution would I be looking for? Is PEAP the only method for this?

Thanks!

John

gamccall Mon, 11/24/2008 - 10:45

There are two main ways to put a credential requirement on your wireless: A captive portal (web-based login), or 802.1X. Web login systems provide no encryption and thus minimal security; they're primarily used only for guest access to the public internet.

The 802.1X route requires you to select an EAP flavor. Any of them will work, but each has its own advantages and disadvantages. LEAP is insecure, EAP-TLS requires client certificates, and EAP-FAST and EAP-TTLS are not natively supported in Windows. The most convenient EAP type is PEAP for the vast majority of installations. Is there a particular reason you'd prefer not to use PEAP?

John Blakley Mon, 11/24/2008 - 13:15

I wanted to try to avoid having to install certificate servers, and I'm not very knowledgeable about how to configure a PEAP implementation from the ground up. I've yet to find a step-by-step guide on it.

Thanks!

John

Correct Answer
gamccall Mon, 11/24/2008 - 14:16

Well, you are indeed going to need a certificate on your AAA server(s). I know that Cisco ACS servers can generate a self-signed certificate if you don't want to buy one from Verisign nor set up your own CA; I presume MS IAS can do the same thing but have not tried it.

Other than the certificates, it's not all that complicated: Make sure your AAA server will handle PEAP; make sure your APs or WLCs are set up for 802.1X; make sure your clients are configured properly for WPA(/2) Enterprise and PEAP. Disable automatic use of Windows login if necessary.
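As an added illustration of the client side of the setup described above (not from this thread or from Cisco), here is a wpa_supplicant configuration for PEAP/MSCHAPv2 against a RADIUS server that uses a self-signed certificate. The SSID, identity, file paths and server name are assumed placeholders; the point is that the client must pin the exported server certificate, otherwise the username and password are offered to whatever AP answers to the SSID.

```conf
# Weak form, as an example of what NOT to do (constructed for this example):
# no ca_cert, so the supplicant accepts any RADIUS certificate and sends the
# MSCHAPv2 credentials to any AP that advertises the same SSID.
network={
    ssid="CorpWLAN"                  # assumed SSID
    key_mgmt=WPA-EAP                 # WPA(/2) Enterprise
    eap=PEAP
    identity="jdoe"                  # assumed user name
    password="ExamplePassword123"    # constructed value
    phase2="auth=MSCHAPV2"
}

# Hardened form: the self-signed certificate exported from the AAA server
# (ACS or IAS) is installed on the client and pinned as the only trusted CA,
# and the certificate subject is matched so a different cert signed by the
# same key material is still rejected.
network={
    ssid="CorpWLAN"                  # assumed SSID
    key_mgmt=WPA-EAP
    proto=RSN                        # WPA2
    eap=PEAP
    identity="jdoe"                  # assumed user name
    password="ExamplePassword123"    # constructed value
    anonymous_identity="anonymous"   # outer identity; the real name stays inside the TLS tunnel
    ca_cert="/etc/wpa_supplicant/corp-radius-selfsigned.pem"  # assumed path to the exported cert
    domain_match="radius.corp.example"                        # assumed CN/SAN of the RADIUS server
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
```

When the AAA server's self-signed certificate is replaced (for example, on expiry), the new certificate has to be redistributed to every client before the old one is removed, or clients configured this way will stop authenticating.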
