Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Setting up LEAP EAP and Cisco's ACS

Im thoroughly confused.

Please help.

What I would like to do is setup my clients to use

EAP LEAP first whats the difference.

Do I really need the ACS? I have a radius server already. If so why do I need the ACS.

When I am setting up the Wireless Access point do I need to enter a Wep key or does the hub create a dynamic one. Do I need to set up a key on the client? Does the client use a dynamic one.

Basically I have a 2000 Domain and would like to authenticate against the DC but if I must create a user database for all of the wireless users its not that big of deal.

Somone please explain the process with minimum requirements, and the process with setting it up.

Thanks a million,


New Member

Re: Setting up LEAP EAP and Cisco's ACS

Hi Bobby,

I recently implemented Cisco Aironet Wireless in my office. EAP is the industry standard authentication protocol. LEAP is Cisco's proprietary protocol for 802.1x. 802.1x authentication has been included in the XP OS to tie in with Radius. As you are using 2000 then yes, you will need the ACS as the authentication gateway to your AD. When the access point is setup you enter a WEP key. From this key dynamic user sessions are set up for the clients (different every time they log in and therefore more secure than static keys). You can set the ACS to authenticate against your 2000 AD and won't have to set up a seperate DB on the ACS.

To summarise:

Setup ACS and configure to authenticate against external DB (2000 AD)

Set up access point and set authentication to the ACS with network EAP enabled.

Install the client software with LEAP enabled

It's easy, and works well and is secure!!

Good luck,


New Member

Re: Setting up LEAP EAP and Cisco's ACS

Thanks clive, Can you send me an email Id like to pick your brain over a couple of the settings in the access points. I think what I might do is post a how to when all of this is done.

Thanks again,


Cisco Employee

Re: Setting up LEAP EAP and Cisco's ACS

Good answer, one point of clarification:

Even with LEAPs dynamic WEP keys, you still need to configure WEP key 1 on the AP. This key is used for all broadcast and multicast traffic, which needs to be understood by all clients on the WLAN. This key does not need to be configured on the clients as it is passed to the clients over the secure channel established after their session key has been negotiated.

New Member

Re: Setting up LEAP EAP and Cisco's ACS

Clive and Bobby:

I've also recently implemented wireless client access using AP340's and ACS authenticating our SAM. Bobby: one thing you may need to do if you wish to restrict access (not sure if this applies to 2K) is create CiscoSecure groups and map those groups to NT groups. One additional security measure I'm using is VMPS/dynamic vlan membership on our switched network. I configured a separate vlan and DHCP scope on my network for wireless devices. I then configured lease reservations for the MAC addresses of my APs and WNICs, and added those same MAC addresses to the VMPS database, associating them with my Wireless_VLAN. I configured the VMPS database for no fallback vlan, so if the MAC isn't recognized it gets a connection denied response.

For successful authentication and receipt of a DHCP-assigned IP address - a wireless client must meet the following criteria:

1. LEAP and WEP Key 1 configuration must be correct on client.

2. Client's account must be a member of the NT local group that has been mapped to a CiscoSecure group (again, may not apply to Win2K).

3. Client's MAC address must be stored in VMPS database to receive an IP address.

One additional step you may want to consider is setting the WEP reauthentication timeout to a value less than the amount of time it would take to transmit enough packets for someone with a wireless sniffer to build your WEP key. A little confusing.. Check out for a better explanation.

Hope this helps!

New Member

Re: Setting up LEAP EAP and Cisco's ACS

Don't be fooled into thinking you NEED Cisco's ACS to tie your clients into a Radius server, that backends into a Windows Domain ....

Not that I am suggesting the use of Microsoft's IAS (Internet Authentication Server "Radius"), but it does support several flavors of EAP as mentioned by the 802.11x spec and barring the lack of acceptable documentation, it is a good solution.


New Member

Re: Setting up LEAP EAP and Cisco's ACS

Since the initial authentication is in clear text, it is possible to view the NT Domain username in clear/text.

When the password is transmitted (remember that we don't have a WEP session key yet) a hash is created using the challenge and the NT password, how does CiscoSecure ACS then proxy authenticate the user to the Domain if it is not possible to decrypt the packets?

In this scenario (ACS with domain authentication) does LEAP transmit the username and password in cleartext ?

CreatePlease login to create content