What is Cisco LEAP/EAP?

By Lisa Phifer
12 Aug 2007 | SearchDomino


Cisco LEAP (Lightweight Extensible Authentication Protocol), also known as Cisco-Wireless EAP, provides username/password-based authentication between a wireless client and a RADIUS server like Cisco ACS or Interlink AAA. LEAP is one of several protocols used with the IEEE 802.1X standard for LAN port access control. In the 802.1X framework, a LAN station cannot pass traffic through an Ethernet hub or WLAN access point until it successfully authenticates itself. The station must identify itself and prove that it is an authorized user before it is actually allowed to use the LAN.

LEAP also delivers a session key to the authenticated station, so that subsequent frames can be encrypted with a key that is different from the keys used by other sessions. Dynamic key delivery eliminates one big vulnerability: static encryption keys that are shared by all stations in the WLAN. Once an attacker cracks a static shared key, he can eavesdrop on all traffic in the WLAN until that key gets updated on every station. With dynamic session keys, the attacker has less traffic to analyze. Furthermore, by the time he cracks the key, the session may already be over.
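The two paragraphs above describe the 802.1X port model and per-session key delivery. The following added example (not from the original article, and not Cisco's LEAP implementation) simulates that model in Python: a stand-in RADIUS server, an access point whose controlled port stays closed until the server accepts the station, and a session key derived from a fresh challenge so that each session gets a different key. The challenge/response and key derivation are simplified HMAC constructions chosen for illustration; they are not LEAP's actual MS-CHAP-based algorithm.

```python
import hmac
import hashlib
import os

# Constructed user database standing in for the RADIUS server's credential store.
USERS = {"alice": b"correct horse", "bob": b"battery staple"}

class AuthServer:
    """Stand-in for the RADIUS server (e.g. Cisco ACS). Simplified challenge/response."""

    def challenge(self) -> bytes:
        return os.urandom(16)  # fresh random challenge per authentication attempt

    def verify(self, user: str, chal: bytes, resp: bytes):
        pw = USERS.get(user)
        if pw is None or not hmac.compare_digest(hmac.new(pw, chal, hashlib.sha256).digest(), resp):
            return None  # EAP-Failure: unknown user or wrong password
        # Session key derived from the secret and the fresh challenge, so every session gets a different key.
        return hmac.new(pw, b"session-key|" + chal, hashlib.sha256).digest()

class AccessPoint:
    """802.1X authenticator. Data frames are dropped until the server returns a key for the station."""

    def __init__(self, server: AuthServer):
        self.server = server
        self.sessions = {}  # station MAC -> per-session key

    def authenticate(self, mac: str, user: str, respond) -> bool:
        chal = self.server.challenge()               # relayed to the station as an EAP challenge
        key = self.server.verify(user, chal, respond(chal))
        if key is None:
            return False
        self.sessions[mac] = key                     # key delivered: controlled port opens for this MAC
        return True

    def forward(self, mac: str, frame: bytes) -> bool:
        return mac in self.sessions  # controlled port blocked for unauthenticated stations

    def disconnect(self, mac: str) -> None:
        self.sessions.pop(mac, None)  # session over: key discarded, port closes again

class Station:
    """Supplicant holding a username/password; answers the challenge relayed by the access point."""

    def __init__(self, mac: str, user: str, password: bytes):
        self.mac, self.user, self.password = mac, user, password

    def connect(self, ap: AccessPoint) -> bool:
        respond = lambda chal: hmac.new(self.password, chal, hashlib.sha256).digest()
        return ap.authenticate(self.mac, self.user, respond)
```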

As you can see, Cisco's LEAP does have security advantages over the standard security measures defined in the original IEEE 802.11 WLAN standard. LEAP is supported by Cisco Aironet access points and wireless NICs. However, LEAP and several other "EAP types" drafted by other companies have been found to be vulnerable to certain attacks. One example is the man-in-the-middle attack, in which a third party on the WLAN intercepts traffic between the station and the access point and then uses that information to do something malicious, such as hijacking future traffic.

The EAP type shipped with Windows XP, called EAP-TLS, uses digital certificates for stronger authentication of both the station and the access point. However, issuing digital certificates to every station is a bit complex, and many companies would prefer to continue using usernames and passwords to authenticate wireless stations. The trick is to do this while eliminating man-in-the-middle vulnerabilities. The working proposal that several manufacturers – including Cisco – are now implementing is called PEAP (Protected EAP). I expect that PEAP (or whatever EAP type is finally standardized) will replace LEAP in future WLAN products.

Station authentication and access control at the WLAN access point do not address all of your WLAN security risks. For example, current WLAN products – including Aironet products implementing LEAP – use the Wired Equivalent Privacy (WEP) protocol for frame encryption. This is done to preserve the confidentiality of the data carried over wireless: for example, the mail messages that you read, the files that you transfer, and the content of the web pages that you visit when connected over wireless. Even if you don't care about the privacy of that data, you are still sending other sensitive information, such as email logins and passwords, fileshare names, and server addresses inside your network. Without WEP, these juicy tidbits can be used by an eavesdropper to compromise the security of your network.

Although measures like dynamic key delivery in LEAP reduce known weaknesses in WEP, they do not completely eliminate them. For example, it is still possible for a WLAN attacker to forge frames or modify valid frames in such a way that the receiver cannot detect the change. A "WEP fix" called TKIP will soon start shipping in WLAN products. TKIP will overcome some of the most glaring vulnerabilities in WEP, but WLANs will still not be as secure as they could be. Really robust security for wireless LANs won't be available until next year, when next-generation WLAN products start using the Advanced Encryption Standard (AES) and other improvements now being defined by the IEEE.

For more information about Cisco LEAP and other 802.1X EAP types: http://www.cisco.com/warp/public/784/packet/exclusive/apr02.html
