
New Member

Is LEAP that secure??

I am currently testing LEAP with an AP350 and Funk's Steel-Belted RADIUS server. When I first looked at LEAP it looked like a pretty secure solution. But then I noticed that I could authenticate with LEAP when the client had no shared WEP key. I have a 128-bit key set in the AP and it is configured for both LEAP and shared key authentication, but I'm able to authenticate with just a username and password.

The reason this is a problem is that all a hacker would need to break into a LEAP system is a username and password. The SSID and MAC addresses would also be needed, but are extremely easy to get. That may be sufficient for some enterprises, but my security team wouldn't allow it. I hope that I am just missing something in my configuration, but it looks as though once you have LEAP enabled, you don't need an initial shared key between the client and AP. Is this true??

7 REPLIES
New Member

Re: Is LEAP that secure??

Something you could do to enhance the security of the solution is to have the username/password go through an ACE Server (SecurID cards). I don't know a lot about 802.1x security, I'm evaluating it right now, but I keep in mind that a laptop could be stolen (with the 802.1x card and preshared key!). Token-based authentication considerably reduces the odds of unauthorized access.

New Member

Re: Is LEAP that secure??

Tad late on the follow-up, but currently using SecurID with LEAP requires you to re-authenticate with the token each time the key changes. Not good.

-brkn!

New Member

Re: Is LEAP that secure??

So what do you recommend, brok3n@hotmail.com, for securing a wireless network?

New Member

Re: Is LEAP that secure??

Security begins with everyone in your company. You can be broken into even if you have the most high-tech gear if your users write down their password and stick it on their monitor.

Enable LEAP, disable shared key (you don't need this with LEAP, as the shared key will be distributed to the clients upon successful authentication), and educate your users on

1) their choice of password, including special characters like "!@#%^&*"

2) your password policy, such as ageing and minimum password length (this can be done on the Cisco ACS)

New Member

Re: Is LEAP that secure??

I haven't figured it out yet. I'll let you know. But I believe it has to do with reducing the level of trust on the wireless side, and treating it as any other foreign network access point, and requiring strong user authentication.

-brkn!

New Member

Re: Is LEAP that secure??

You're not missing anything. LEAP will generate a session key based on the username/password; you don't need (or want) a fixed key in the client. You should disable shared key authentication because that really is not secure. Someone could derive the fixed key and continue to use it until it's changed.

As far as only having a name/password pair for access, I don't understand why you perceive risk in that: a strong password policy with minimum password length, expiration, etc. will mitigate any exposure there. It's the best you can do short of some sort of biometric device or smartcard.

New Member

Re: Is LEAP that secure??

If you want to force LEAP and WEP, don't allow association to mixed cells, and set the authentication to "open" instead of "shared". Also, on the WEP page set encryption to "full encryption". It's working great for me. I'm also using MAC address filtering.
