
LEAP requirements?

Does XP natively support LEAP without Cisco aironet cards, or are the Cisco adapters required?

--John

HTH, John *** Please rate all useful posts ***

Re: LEAP requirements?

The WZC native client only supports PEAP or EAP-TLS. You need a third-party supplicant for LEAP, EAP-FAST, EAP-TTLS, or any other EAP methods.

You don't need the Cisco adapter hardware, though; you just need supplicant software. Cisco Secure Services Client (AKA Meetinghouse Aegis) will support any of the above EAP types on most hardware. There are other LEAP supplicants as well, including open-source stuff.

With that said, though, LEAP is barely more secure than setting your SSID to "PleaseDontHackMe". Given a choice, you should be working on getting rid of your LEAP rather than supporting it.

Re: LEAP requirements?

Given that answer, I've been reading documentation and LEAP does seem to be insecure. What we're wanting to do is have a solution that allows an in-house wireless to create an association with their username and password. This would allow them to have only the one password to have to remember, and gives us more control over who gets access to wireless. What type of solution would I be looking for? Is PEAP the only method for this?

Thanks!

John

HTH, John *** Please rate all useful posts ***

Re: LEAP requirements?

There are two main ways to put a credential requirement on your wireless: A captive portal (web-based login), or 802.1X. Web login systems provide no encryption and thus minimal security; they're primarily used only for guest access to the public internet.

The 802.1X route requires you to select an EAP flavor. Any of them will work, but each of them has its own advantages and disadvantages. LEAP is insecure, EAP-TLS requires client certificates, and EAP-FAST and EAP-TTLS are not natively supported in Windows. The most convenient EAP type is PEAP for the vast majority of installations. Is there a particular reason you'd prefer not to use PEAP?
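An added example, not part of the original thread: when retiring LEAP in favor of PEAP, it helps to know which clients still negotiate it. This sketch parses EAP packets per RFC 3748 and flags clients whose responses use or request LEAP; the function names, MAC addresses and sample frames are constructed for illustration, and extracting the EAP payload from a capture is assumed to be done elsewhere.

```python
import struct

# IANA EAP method type numbers for the methods named in this thread.
EAP_METHODS = {13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}
REQUEST, RESPONSE = 1, 2
LEGACY_NAK = 3  # Response whose data lists the methods the client would accept


def parse_eap(packet):
    """Return (code, [method names]) for one EAP packet laid out as in RFC 3748."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length field")
    if code not in (REQUEST, RESPONSE) or length < 5:
        return code, []  # Success and Failure carry no Type field
    eap_type, data = packet[4], packet[5:length]
    if code == RESPONSE and eap_type == LEGACY_NAK:
        types = data  # one byte per method the client proposes instead
    else:
        types = bytes([eap_type])
    return code, [EAP_METHODS[t] for t in types if t in EAP_METHODS]


def leap_clients(frames):
    """frames: iterable of (client_mac, eap_packet). Return sorted MACs still using LEAP."""
    flagged = set()
    for mac, packet in frames:
        try:
            code, methods = parse_eap(packet)
        except ValueError:
            continue  # ignore malformed captures
        if code == RESPONSE and "LEAP" in methods:
            flagged.add(mac)
    return sorted(flagged)


# Constructed sample frames (not real captures); MACs are made up.
SAMPLE = [
    ("02:00:00:00:00:0a", bytes.fromhex("020100061900")),      # Response, PEAP
    ("02:00:00:00:00:0b", bytes.fromhex("0202000811010000")),  # Response, LEAP
    ("02:00:00:00:00:0c", bytes.fromhex("020300060311")),      # Nak asking for LEAP
    ("02:00:00:00:00:0a", bytes.fromhex("03040004")),          # Success
    ("02:00:00:00:00:0d", bytes.fromhex("0205")),              # truncated
]

if __name__ == "__main__":
    print(leap_clients(SAMPLE))
```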

Re: LEAP requirements?

I wanted to try to avoid having to install certificate servers, and I'm not very knowledgeable about how to configure a PEAP implementation from the ground up. I've yet to find a step-by-step guide on it.

Thanks!

John

HTH, John *** Please rate all useful posts ***

Re: LEAP requirements?

Well, you are indeed going to need a certificate on your AAA server(s). I know that Cisco ACS servers can generate a self-signed certificate if you don't want to buy one from Verisign or set up your own CA; I presume MS IAS can do the same thing but have not tried it.

Other than the certificates, it's not all that complicated: Make sure your AAA server will handle PEAP; make sure your APs or WLCs are set up for 802.1X; make sure your clients are configured properly for WPA(/2) Enterprise and PEAP. Disable automatic use of Windows login if necessary.

Re: LEAP requirements?

Thank you!

HTH, John *** Please rate all useful posts ***