Welcome to Cisco Support Community. We would love to have your feedback.
For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.
I am a bit confused reading through the relese notes on this subject. I am using 11.21 code and setting up my "NON Root" Bridge as a LEAP client.
This works fine.
I do not have any WEP keys entered in either device. If I do enter a WEP key, I can only seem to enter it on the ROOT side.
My question is, Can I setup WEP while using LEAP? How secure is the traffic between the bridges with just LEAP? Is this encrypted? Is there a dynamic WEP key being issiued ?
Any direction here would be greatly appreciated.
This case study under Security StandardsLEAP Solution might help you understand dynamic WEP used in LEAP authentication.
Thanks for the reply. Where can I this case study?
Oh I'm sorry, I meant to reference this url: http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/profiles/stlkh_cp.htm
LEAP provides a superset of the functionality that is provided in WEP - if you use LEAP you do not need to define a static WEP key.
By setting the non-root bridge as a LEAP client all the communications between the root and non-root bridge will use a dynamic WEP key.
Other features available with Ciscos WEP implementation (static WEP or LEAP) are;
-- You can WEP key rotation on the RADIUS server to make sure the key is changed periodically - this will prevent IV reuse due to cycling through all the IVs.
-- Turn on the TKIP features and you will prevent Airsnort style tools from being able to exploit the FMS attack on weak IVs to recover your WEP key.
-- Enable MIC to prevent the "bit-flipping" attacks that have been publicized.
Thanks very much for this great info.
Can you have LEAP and static WEP clients at the same time?
I would like to have all users use LEAP if possible, but occasionally there are some users from an overseas office that want to connect with a static WEP key (128bit). Is this possible?