Core Issue
In a LEAP RADIUS security environment, a client device can be associated with an Access Point (AP) but not authenticated. Because the client has not completed authentication, it is unable to pass any traffic on the network.
Resolution
The two main reasons for a failure to authenticate are incorrect passwords and AP misconfiguration. The following are examples of these problems:
- The wrong password is entered by the user.
- The wrong ACS address is configured on an AP.
If you have entered the wrong IP address for the ACS server, the following message appears in the AP log:
No EAP-Authentication response for station [xxxxx] from server [IP address]
Note: When implementing a LEAP solution, network administrators should refer to the 802.11 Wireless LAN Security White Paper.
Special attention should be paid to the use of strong passwords. Cisco LEAP is a password-based authentication method; to minimize the chance of a successful dictionary attack, use strong passwords that are difficult to guess. Characteristics of a strong password include the following:
- A minimum of ten characters.
- A mixture of uppercase and lowercase letters.
- At least one numeric character or one non-alphanumeric character (example: !#@$%).
- No form of the user's name or user ID.
- Not a word found in a dictionary (domestic or foreign).
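The five characteristics above, expressed as a password policy check. This is an added example, not Cisco code; the word list is a constructed stand-in for a real dictionary, and the reversed-name and digit-stripping checks are this example's own interpretation of "no form of the user's name" and "not a dictionary word".

```python
import re

# Constructed word list standing in for real domestic/foreign dictionaries
# (assumption: a deployment supplies its own word lists).
DICTIONARY = {"password", "wireless", "aironet", "secret", "welcome", "dragon"}


def check_leap_password(password: str, user_id: str, full_name: str = "",
                        dictionary: set = DICTIONARY) -> list:
    """Return the strong-password rules that `password` violates.

    An empty list means all five characteristics from the note are met.
    """
    violations = []
    if len(password) < 10:
        violations.append("fewer than ten characters")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)):
        violations.append("no mix of uppercase and lowercase letters")
    if not re.search(r"[^A-Za-z]", password):
        violations.append("no numeric or non-alphanumeric character")

    # "No form of the user's name or user ID": compare case-insensitively
    # and also reject the reversed form (this example's assumption).
    lowered = password.lower()
    for part in [user_id] + full_name.split():
        part = part.lower()
        if len(part) >= 3 and (part in lowered or part[::-1] in lowered):
            violations.append(f"contains a form of the user's name or ID ({part!r})")
            break

    # Dictionary check on the password itself and on the password with digits
    # and symbols stripped, so "welcome123!" is still caught (assumption).
    stripped = re.sub(r"[^a-z]", "", lowered)
    if lowered in dictionary or (stripped and stripped in dictionary):
        violations.append("is a dictionary word (possibly padded with digits/symbols)")
    return violations
```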
Problem Type
Client / Device cannot authenticate
Associated but cannot pass any traffic
Products
WLAN adapters (wireless card) / ACU (Aironet Client Utility)
Access point
Security Options
LEAP / RADIUS