Cisco Systems ASA5515K9, ASA 5500 Configuring LEAP Bypass, Enabling Network Extension Mode

67-55

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter67 Configuring Connection Profiles, Group Policies, and Users

Group Policies

Note You must configure mac-exempt to exempt the clients from authentication. Refer to the

“Configuring Device Pass-Through” section on page71-8 for more information.

Configuring LEAP Bypass

When LEAP Bypass is enabled, LEAP packets from wireless devices behind a VPN 3002 hardware

client travel across a VPN tunnel prior to user authentication. This action lets workstations using Cisco

wireless access point devices establish LEAP authentication and then authenticate again per user

authentication. LEAP Bypass is disabled by default.

To allow LEAP packets from Cisco wireless access points to bypass individual users authentication,

enter the leap-bypass command with the enable keyword in group-policy configuration mode. To

disable LEAP Bypass, enter the disable keyword. To remove the LEAP Bypass attribute from the

running configuration, enter the no form of this command. This option allows inheritance of a value for

LEAP Bypass from another group policy:

hostname(config-group-policy)# leap-bypass {enable | disable}

hostname(config-group-policy)# no leap-bypass

Note IEEE 802.1X is a standard for authentication on wired and wireless networks. It provides wireless LANs

with strong mutual authentication between clients and authentication servers, which can provide

dynamic per-user, per session wireless encryption privacy (WEP) keys, removing administrative burdens

and security issues that are present with static WEP keys.

Cisco Systems has developed an 802.1X wireless authentication type called Cisco LEAP. LEAP

(Lightweight Extensible Authentication Protocol) implements mutual authentication between a wireless

client on one side of a connection and a RADIUS server on the other side. The credentials used for

authentication, including a password, are always encrypted before they are transmitted over the wireless

medium.

Cisco LEAP authenticates wireless clients to RADIUS servers. It does not include RADIUS accounting

services.

This feature does not work as intended if you enable interactive hardware client authentication.

Caution There might be security risks to your network in allowing any unauthenticated traffic to traverse the

tunnel.

The following example shows how to set LEAP Bypass for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes

hostname(config-group-policy)# leap-bypass enable

Enabling Network Extension Mode

Network extension mode lets hardware clients present a single, routable network to the remote private

network over the VPN tunnel. IPsec encapsulates all traffic from the private network behind the

hardware client to networks behind the ASA. PAT does not apply. Therefore, devices behind the ASA