Cisco Support Community
Community Member

LEAP Workings

I'm having a problem understanding how LEAP works, and I guess any 802.1X authentication protocol. I thought that with LEAP, along with PEAP, EAP-TLS, etc., after authentication takes place the client and RADIUS server agree on the dynamic WEP key. In actually configuring LEAP on the AP (1200), however, I noticed you have to manually set the WEP key. However, on the client, I didn't have to set any WEP key or anything for it to authenticate to the AP using LEAP. Everything is working fine and the client successfully authenticates to the AP. My question is, though, why do you specifically have to manually enter a WEP key on the AP if the client and server dynamically create one? What is the purpose of the manual key? I thought that the key configured on the AP might be the GROUP key for broadcasts and multicasts, but it seems like this would defeat the whole point of the dynamic keys and the information being secure. Could someone clarify this and tell me the reasoning for the manual key having to be inputted on the AP?


Re: LEAP Workings

Actually, the key you are referring to is not the session key used for encrypting data traffic. This key is actually used to encrypt the username/password sent in clear text from the client to the ACS server. Once the client is authenticated with this username/password, this WEP key will no longer be used and the dynamically generated WEP key will be used.

Here is a document explaining LEAP authentication without a WEP key but with a shared secret key, which is always a must.
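For reference, here is an added example of what the AP side of this setup looks like on a Cisco Aironet 1200 running IOS. It is not from either post above or from Cisco's documentation; the RADIUS address, shared secret, SSID name and WEP key value are placeholders, and the command syntax should be checked against the IOS release on your AP. It shows the static key in slot 1 that the original poster asked about (the AP requires it to be the transmit key when EAP is enabled), the EAP/LEAP SSID bound to a RADIUS server, and broadcast key rotation so that the multicast/broadcast key is also replaced periodically rather than staying at the static value.

```cisco
! Added example, not from the original thread: Cisco Aironet 1200 IOS configuration
! for a LEAP/EAP SSID with dynamic WEP. 192.0.2.10, the shared secret, the SSID name
! and the key value are placeholders; verify the syntax against your AP's IOS release.
aaa new-model
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1645 acct-port 1646
aaa authentication login eap_methods group rad_eap
!
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key <radius-shared-secret-placeholder>
!
dot11 ssid corp-leap
 ! network-eap is what LEAP clients use; open+eap covers other EAP supplicants
 authentication network-eap eap_methods
 authentication open eap eap_methods
!
interface Dot11Radio0
 ! Key slot 1 must hold a static WEP key and be the transmit key when EAP is enabled
 encryption key 1 size 128bit 0 <26-hex-digit-key-placeholder> transmit-key
 encryption mode wep mandatory
 ! Rotate the broadcast/multicast key every 300 seconds instead of keeping the static one
 broadcast-key change 300
 ssid corp-leap
```

The unicast session key each client uses after authentication is never typed into this configuration; it is derived per session and pushed to the AP by the RADIUS server. The `broadcast-key change` line is the setting to check when the concern is that a static group key undermines the dynamic unicast keys: without it the AP keeps using the slot 1 key for broadcast and multicast traffic for as long as it is configured.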
