Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

hvd
New Member

open eap needed for LEAP ?

We've got about 120 aironet 1100s in use. They're all configured for the use with leap "authentication network-eap eap_methods"

Since we're using all aironet 352 Pcmcia cards we don't have any problems.

Now we are in the negotiation phase for new handhelds using other brand of networkcards (Intel) which do not cope well with leap. The supplier now claims that we have to reconfigure our ap's with following line "authentication open eap eap_methods" to make it work. They're not able to put a cisco card in their device and it seems the only way to make things work.

As I understand "authentication open eap eap_methods" opens the gate for all kinds op eap such as PEAP, EAP-TLS, EAP. So we are tearing down the security of our network by doing this. There's a lot of confusing information about this going around.

Are we facing here a security issue by changing our config in this way?

Would appreciate your findings.

3 REPLIES
Silver

Re: open eap needed for LEAP ?

New Member

Re: open eap needed for LEAP ?

PEAP & EAP-TLS are considered more secure than LEAP. LEAP uses MSCHAP to transfer a hash of the password which is volnurable to dictionary attacks. PEAP & EAP-TLS transfer the auth info inside a TLS tunnel which is fully secure. If you don't want to change your existing clients, I would recommend you create a new SSID for your new EAP type and bind it to a new VLAN. This will allow you to run LEAP and PEAP/EAP-TLS at the same time.

Serge

New Member

Re: open eap needed for LEAP ?

I was also confused about setting this up and had to open up a tac case.

The explanation given to me is the Network EAP options is for Cisco Cards and the Open/EAP options are for other cards.

I have both those options on the same SSID just in case if we have a non-cisco card who want to use the SSID but has to use 802.1x and CKIP.

146
Views
0
Helpful
3
Replies
CreatePlease login to create content