Cisco Support Community

How to enable LEAP

     

     

    Introduction

    How to enable LEAP

    Core Issue

    The Cisco Light Extensible Authentication Protocol (LEAP) provides strong, easy to deploy, and easy to administer wireless security. Cisco offers third-party Network Interface Card (NIC) support and RADIUS support to allow customers to use their existing investments in wireless clients, as well as existing RADIUS servers.

    Resolution

    LEAP is only supported on client adapters that support Wired Equivalent Privacy (WEP) and use either the Pulse Code Modulation (PCM), LMC, or PCI cards with firmware version 4.13 or later, or mini PCI card firmware version 5.0 or later. To use LEAP, your client adapter and Access Point (AP) firmware must have matching IEEE 802.1x draft standards.

    If the AP uses draft 8 firmware earlier than 11.06 or has draft 8 selected, the client adapter must use draft 8 firmware earlier than 4.25.x. Similarly, if the AP uses draft 10 firmware 11.06 or later, and has draft 10 selected, the client adapter must use draft 10 firmware 4.25.x or later. Mini PCI card firmware was first released in draft 10.

    Before implementing a LEAP solution, network administrators should refer to the 802.11 Wireless LAN Security White Paper.

    Special attention should be paid to the use of strong passwords. Cisco LEAP is a password-based algorithm. To minimize the possibility of a successful dictionary attack, use strong passwords, which are difficult to guess. These are some characteristics of strong passwords:

    • A minimum of ten characters    
    • A mixture of uppercase and lowercase letters    
    • At least one numeric character or one non-alphanumeric character    
    • No form of the user name or user ID    
    • A word that is not found in the dictionary (domestic or foreign)

    Details - Enabling LEAP

    Before you can enable LEAP authentication, your network devices must meet the following requirements:

    • Client adapters must support WEP and use the firmware, drivers, utilities, and security modules included in the Install Wizard file.
    • Access points to which your client adapter will attempt to authenticate must use the following firmware versions or greater: 11.23T (340 and 350 series access points), 12.2(4)JA (1100 series access points), or 11.54T (1200 series access points).
    • All necessary infrastructure devices (for example, access points, servers, etc.) must be properly configured for LEAP authentication.

    Enabling LEAP Authentication

    Follow the steps below to enable LEAP authentication for this profile.

    Step 1 Select LEAP from the Network Security Type drop-down box on the bottom of the Network Security screen.

    Note

    The LEAP option is available only if you selected the LEAP security module during installation.

    Note

    When you select this option, dynamic WEP is set automatically.

    Step 2  Click Configure to the right of the Network Security Type drop-down box. The LEAP Settings screen appears (see Figure).

    Step 3  Select one of the following LEAP username and password setting options:

    • Use Temporary User Name and Password—Requires you to enter the LEAP username and password each time the computer reboots in order to authenticate and gain access to the network.

    • Use Saved User Name and Password—Does not require you to enter a LEAP username and password each time the computer reboots. Authentication occurs automatically as needed using a saved username and password (which are registered with the RADIUS server).

    Note The Use Saved User Name and Password option is available only if the Allow Saved LEAP User Name and Password option was enabled (set to Yes) during installation.

    Step 4  Perform one of the following:

    • If you selected Use Temporary User Name and Password in Step 3, select one of the following options:

    – Use Windows User Name and Password—Causes your Windows username and password to also serve as your LEAP username and password, giving you only one set of credentials to remember. After you log in, the LEAP authentication process begins automatically. This option is the default setting.

    – Automatically Prompt for LEAP User Name and Password—Requires you to enter a separate LEAP username and password (which are registered with the RADIUS server) in addition to your regular Windows login in order to start the LEAP authentication process.

    – Manually Prompt for LEAP User Name and Password—Requires you to manually invoke the LEAP authentication process as needed using the Manual LEAP Login option from the Commands drop-down menu. You are not prompted to enter a LEAP username and password during the Windows login. This option might be used to support a software token one-time password system or other systems that require additional software that is not available at login.

    • If you selected Use Saved User Name and Password in Step 3, follow the steps below:

    a. Enter a username and password in the appropriate fields.

    Note Usernames and passwords are limited to 32 ASCII characters each. However, if a domain name is entered in the Domain field, the sum of the username and domain name is limited to 31 ASCII characters.

    b. Re-enter the password in the Confirm Password field.

    c. If you wish to specify a domain name that will be passed to the RADIUS server along with your username, enter it in the Domain field.

    Step 5 If you work in an environment with multiple domains and, therefore, want your Windows login domain to be passed to the RADIUS server along with your username, check the Include Windows Logon Domain with User Name check box. The default setting is checked.

    Note

    If you selected to use a saved username and password but do not check the Include Windows Logon Domain with User Name check box, the Domain field becomes unavailable, and a domain name is not passed to the RADIUS server.

    Step 6 If you want to force the client adapter to disassociate after you log off so that another user cannot gain access to the wireless network using your credentials, check the No Network Connection Unless User Is Logged In check box. The default setting is checked.

    Step 7 In the LEAP Authentication Timeout Value field, enter the amount of time (in seconds) before a LEAP authentication is considered to be failed and an error message appears.

    Range: 45 to 300 seconds

    Default: 90 seconds

    Step 8 Click OK to exit the LEAP Settings screen.

    Step 9 Click OK to exit the Network Security screen and return to the Profile Manager screen. On the Profile Manager screen, click OK or Apply to save your changes.

    Step 10 Refer to Chapter 6 for instructions on authenticating using LEAP.
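
    The strong-password characteristics listed earlier and the field limits given in Steps 4 and 7 can be checked before a profile is deployed. The following is an added example, not Cisco code or part of the Aironet Client Utility; the function names, the sample word list, and the interpretation of "form of the user name" are assumptions made for illustration.

```python
# Added example: pre-check of a LEAP profile against the limits stated on this page.
import string

# Constructed sample word list; a real check would load a full dictionary file.
SAMPLE_WORDS = {"password", "wireless", "network", "aironet", "welcome"}
TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 45, 300, 90

def password_problems(password, username, words=SAMPLE_WORDS):
    """Return the strong-password characteristics that the password misses."""
    problems = []
    if len(password) < 10:
        problems.append("fewer than ten characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no mixture of uppercase and lowercase letters")
    if not any(c.isdigit() or not c.isalnum() for c in password):
        problems.append("no numeric or non-alphanumeric character")
    low, user = password.lower(), username.lower()
    # Assumption: a "form" of the user name is the name or its reverse inside the password.
    if user and (user in low or user[::-1] in low):
        problems.append("contains a form of the user name")
    # Assumption: leading/trailing digits and punctuation are stripped before the lookup.
    if low.strip(string.digits + string.punctuation) in words:
        problems.append("is a dictionary word")
    return problems

def field_problems(username, password, domain="", timeout=TIMEOUT_DEFAULT):
    """Return violations of the LEAP Settings field limits (Steps 4 and 7)."""
    problems = []
    for name, value in (("username", username), ("password", password)):
        if not value.isascii() or len(value) > 32:
            problems.append(f"{name} is not at most 32 ASCII characters")
    # With a domain present, the combined limit is tighter than the per-field limit.
    if domain and len(username) + len(domain) > 31:
        problems.append("username plus domain exceeds 31 ASCII characters")
    if not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
        problems.append("timeout outside 45 to 300 seconds")
    return problems

def check_profile(username, password, domain="", timeout=TIMEOUT_DEFAULT):
    """Combine both checks; an empty list means the profile passes."""
    return password_problems(password, username) + field_problems(
        username, password, domain, timeout)

if __name__ == "__main__":
    # Constructed sample profiles.
    print(check_profile("jsmith", "Wireless1"))
    print(check_profile("jsmith", "tR7#mQvz9Lp!", domain="CORP", timeout=30))
```

    A username and domain that each fit the 32-character field can still fail the combined 31-character limit, which is why the two are checked together.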

    Problem Type

    Configure / Configuration issues

    Products

    WLAN adapters (wireless card) / ACU (Aironet Client Utility)

    Access point

    Bridge

    Reference
