Core Issue

In a LEAP RADIUS security environment, a client device can be associated to an Access Point (AP), but not authenticated. Therefore, the client device is unable to pass any traffic on the network.

Resolution

The two main reasons for a failure to authenticate are incorrect passwords and AP misconfiguration. The following are examples of these problems:

• The wrong password is entered by the user.
     
  • In failed reports of the Asynchronous Communications Server (ACS), the following message appears:    
        

    Authentication failed

           
  • In the RADIUS log, the following message appears:    
        

    Client [xyz] failed authentication error 

           
     
• The wrong ACS address is configured on an AP.

  If you have entered the wrong IP address for the ACS server, the following message appears in the AP log:

  No EAP-Authentication response for station [xxxxx] from server [IP address]

     

Note: When implementing a LEAP solution, network administrators should refer to the 802.11 Wireless LAN Security White Paper.

Special attention should be paid to the use of strong passwords. Cisco LEAP is a password-based algorithm. To minimize the possibility of a successful dictionary attack, use strong passwords, which are difficult to guess. Some characteristics of strong passwords include the following:

• A minimum of ten characters.
• A mixture of uppercase and lowercase letters.
• At least one numeric character or one non-alphanumeric character (example: !#@$%).
• No form of the user's name or user ID.
• A word that is not found in the dictionary (domestic or foreign).

Problem Type

Client / Device cannot authenticate

Associated but cannot pass any traffic

Products

WLAN adapters (wireless card) / ACU (Aironet Client Utility)

Access point

Security Options

LEAP / RADIUS