Ask The Networking Expert: Questions & Answers

Is WPA2 more secure than Cisco's LEAP security?

Expert response from: Lisa Phifer

Question posed on: 27 March 2006
Can you help me understand the differences between WPA2 and Cisco's LEAP security? Is one better or easier or more secure than the other?

Cisco's Lightweight Extensible Authentication Protocol (LEAP) is a proprietary, pre-standard variant of IEEE 802.1X Port Access Control. 802.1X is a framework that lets an Authentication Server challenge a wireless client (Supplicant) for credentials before granting access to the AP's distribution network -- that's the wired network that the AP is connected to. 802.1X can be used with many different kinds of credentials (passwords, tokens, certificates). This is accomplished by letting 802.1X requests and responses carry any kind of Extensible Authentication Protocol (EAP).

Cisco LEAP is one of those EAP types, designed to provide password authentication. When LEAP is used, the AP challenges the client for its username, relaying RADIUS messages between the client and Authentication Server. The Authentication Server uses MS-CHAP to challenge the client for its password. The client doesn't send its password; it uses the password and challenge to generate a hash. The server generates its own hash and compares it to the value sent by the client. If they match, the client is accepted, and another MS-CHAP exchange lets the client authenticate the server. When both sides are happy, the client and server exchange encryption keys so that data sent during the session can be protected with WEP.

Unfortunately, LEAP is vulnerable to dictionary attack. First, the username is sent without encryption, so anyone can sniff it. Second, the password hash can be cracked (guessed) by using words in a dictionary to generate hash values, comparing them to the hash sent by the client. There are several shareware tools that automate this, including Anwrap, Asleap, and THC-LEAPcracker. Using very long, random passwords can help deter dictionary attack. But this work-around can be impractical, because many WLANs use LEAP with existing (e.g., Windows domain) usernames and passwords -- in fact, this is why LEAP is easy to deploy.

There are many other stronger EAP types that can be used with 802.1X. For example, EAP-TLS supports mutual authentication, based on digital certificates. Protected EAP (PEAP) supports MS-CHAPv2 password authentication over an encrypted TLS tunnel that prevents sniffing and thus dictionary attack. In fact, there are over 40 defined EAP types. Some are weaker than LEAP (e.g., EAP-MD5) while others (like EAP-TLS and PEAP) are stronger. Of course, some EAP types are also harder to deploy than LEAP -- for example, to use EAP-TLS, your clients must have certificates. There is really no one EAP type that satisfies everyone.

How does this all relate to WPA2? Wi-Fi Protected Access (WPA) version 2 is a certification program operated by the Wi-Fi Alliance. Products that correctly implement required parts of the IEEE 802.11i enhanced security standard can pass WPA2 tests. When you buy a wireless product that supports WPA2, it implements 802.1X authentication and AES encryption. It probably supports 802.1X with EAP-TLS, and may also support additional EAP types. Thus, WPA2 can provide stronger-than-LEAP authentication, along with more robust data encryption.

But choosing an EAP type to use with WPA2 is left to the consumer. So, in the end, security comes down to configuration and how you decide to deploy your WLAN. But most WLANs that use WPA2 do use a stronger EAP type than LEAP. Deploying WPA2 can be complex, especially in networks with a diverse mixture of client cards and operating systems. But deploying WPA2 with PEAP in a single-vendor WLAN requires roughly the same effort as deploying Cisco LEAP.


All Rights Reserved, Copyright 2000 - 2009, TechTarget | Read our Privacy Policy