Is LEAP that secure??

daveman
Level 1

I am currently testing LEAP with an AP350 and Funk's Steel-Belted RADIUS server. When I first looked at LEAP it looked like a pretty secure solution. But then I noticed that I could authenticate with LEAP when the client had no shared WEP key. I have a 128-bit key set in the AP and it is configured for both LEAP and shared key authentication, but I'm able to authenticate with just a username and password.

The reason this is a problem is that all a hacker would need to break into a LEAP system is a username and password. The SSID and MAC addresses would also be needed, but are extremely easy to get. That may be sufficient for some enterprises, but my security team wouldn't allow it. I hope that I am just missing something in my configuration, but it looks as though once you have LEAP enabled, you don't need an initial shared key between the client and AP. Is this true??

7 Replies

omartin
Level 1

Something you could do to enhance the security of the solution is to have the username/password go through an ACE Server (SecurID cards). I don't know a lot about 802.1x security, I'm evaluating it right now, but I keep in mind that a laptop could be stolen (with the 802.1x card and preshared key!). Token-based authentication considerably reduces the odds of unauthorized access.

Tad late on the follow-up -- but currently using SecurID w/LEAP requires you to re-authenticate with the token each time the key changes. Not good.

-brkn!

So what do you recommend, brok3n@hotmail.com, for securing a wireless network?

Security begins with everyone in your company. You can be broken into even if you have the most high-tech gear if your users write down their passwords and stick them on their monitors.

Enable LEAP, disable shared key (you don't need this with LEAP, as the shared key will be distributed to the clients upon successful authentication) and educate your users on:

1) their choice of password, including special characters like "!@#%^&*"

2) your password policy, such as ageing and minimum password length (this can be done on the Cisco ACS)

I haven't figured it out yet. I'll let you know. But I believe it has to do with reducing the level of trust on the wireless side, and treating it as any other foreign network access point, and requiring strong user authentication.

-brkn!

drynkowski
Level 1

You're not missing anything. LEAP will generate a session key based on the username/password; you don't need (or want) a fixed key in the client. You should disable shared key authentication because that really is not secure. Someone could derive the fixed key and continue to use it until it's changed.

As far as only having a name/password pair for access, I don't understand why you perceive risk in that -- a strong password policy with minimum password length, expiration, etc. will mitigate any exposure there. It's the best you can do short of some sort of biometric device or smartcard.

James Strong
Level 1

If you want to force LEAP and WEP, don't allow association to mixed cells, and set the authentication to "open" instead of "shared". Also, on the WEP page set encryption to "full encryption". It's working great for me. I'm also using MAC address filtering.
