3-17
Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide for Windows Vista
OL-16534-01
Chapter 3 Configuring EAP Types
Overview of LEAP
Overview of LEAP
Cisco LEAP is an authentication protocol that is designed for use in IEEE 802.11 wireless local are
networks (WLANs). Important features of LEAP include the following:
•
Mutual authentication between the network infrastructure and the user.
•
Secure derivation of random, user-specific cryptographic session keys.
•
Compatibility with existing and widespread network authentication mechanisms (for example,
RADIUS).
•
Computational speed.
Although Cisco LEAP is a Cisco proprietary protocol, it is based on existing IETF and IEEE standards.
Cisco LEAP relies on the following:
•
Extensible Authentication Protocol (EAP)
EAP was originally designed to provide an framework so that new authentication methods could be
introduced into Point-to-Point Protocol (PPP). Before EAP existed, entirely new PPP authentication
protocols had to be defined to create new authentication methods. However, with EAP, new
authentication types simply require the definition of a new EAP type. A new EAP type comprises a
set of set of EAP request and response messages and their associated semantics.
•
Extensible Authentication Protocol over LAN (EAPOL)
Although originally designed to operate as part of PPP, EAP is flexible enough to be mapped to most
types of framed link layer. With a wireless access point, this link layer is a wireless LAN, not PPP.
The IEEE 802.1X EAP over LAN (EAPOL) specifies a method for encapsulating EAP packets in
Ethernet packets so that they can be transmitted over a LAN.
•
Encryption and Key Exchange
The 802.11 specification allows for data traffic between the client and access point to be encrypted
using an encryption key. As a result of key exchange through WPA, WPA2, CCKM, or WEP, the
client and the network access device derive the same pair of keys—one key for broadcast and
multicast traffic from the network access device and another key for all other packets.
•
Remote Authentication Dial-In User Service (RADIUS) Servers
Network access servers (such as WLAN access points) often rely on a centralized AAA server to
authenticate clients on their behalf. One of the more popular types of AAA servers is a RADIUS
server. Extensions to the RADIUS protocol have been defined to allow the transfer of the EAP
packets between the authentication server and the network access server. In this case, the network
access server is a relay agent; the authentication conversation takes place between the client and the
RADIUS server. The RADIUS server informs the access point of the result of the authentication and
whether to allow the client to access the network. Other parameters might be returned as well,
including session keys for use between the client and the access point.
How LEAP Works
Because most RADIUS servers support the MS Challenge Handshake Authentication Protocol
(MS-CHAP), MS-CHAP is the basis for LEAP. The protocol consists of the authenticator sending a
random challenge to client. The client’s data encryption standard (DES) encrypts the challenge by using
an MD4 hash of the password. The authenticator then verifies the response by using its knowledge of the
client username and password.