I am currently testing LEAP with an AP350 and Funk's Steel-Belted RADIUS server. When I first looked at LEAP it looked like a pretty secure solution. But then I noticed that I could authenticate with LEAP when the client had no shared WEP key. I have a 128-bit key set in the AP and it is configured for both LEAP and shared key authentication, but I'm able to authenticate with just a username and password.
The reason this is a problem is that all a hacker would need to break into a LEAP system is a username and password. The SSID and MAC addresses would also be needed, but are extremely easy to get. That may be sufficient for some enterprises, but my security team wouldn't allow it. I hope that I am just missing something in my configuration, but it looks as though once you have LEAP enabled, you don't need an initial shared key between the client and AP. Is this true?
Something you could do to enhance the security of the solution is to have the username/password go through an ACE Server (SecurID cards). I don't know a lot about the 802.1x security, I'm evaluating it right now, but I keep in mind that a laptop could be stolen (with the 802.1x card and preshared key!). The token-based authentication considerably reduces the odds of unauthorized access.
I haven't figured it out yet. I'll let you know. But I believe it has to do with reducing the level of trust on the wireless side, and treating it as any other foreign network access point, and requiring strong user authentication.
You're not missing anything. LEAP will generate a session key based on the username/password; you don't need (or want) a fixed key in the client. You should disable the shared key authentication because that really is not secure. Someone could derive the fixed key and continue to use it until it's changed.
As far as only having a name/password pair for access, I don't understand why you perceive risk in that: a strong password policy with minimum password length, expiration, etc. will mitigate any exposure there. It's the best you can do short of some sort of biometric device or smartcard.
If you want to force LEAP and WEP, don't allow association to mixed cells, and set the authentication to "open" instead of "shared". Also, on the WEP page set encryption to "full encryption". It's working great for me. I'm also using MAC address filtering.