Cisco Systems CB21AG, PI21AG manual Overview of LEAP, How LEAP Works, 3-17

Chapter 3 Configuring EAP Types

Overview of LEAP

Overview of LEAP

Cisco LEAP is an authentication protocol that is designed for use in IEEE 802.11 wireless local are networks (WLANs). Important features of LEAP include the following:

•Mutual authentication between the network infrastructure and the user.

•Secure derivation of random, user-specific cryptographic session keys.

•Compatibility with existing and widespread network authentication mechanisms (for example, RADIUS).

•Computational speed.

Although Cisco LEAP is a Cisco proprietary protocol, it is based on existing IETF and IEEE standards. Cisco LEAP relies on the following:

•Extensible Authentication Protocol (EAP)

EAP was originally designed to provide an framework so that new authentication methods could be introduced into Point-to-Point Protocol (PPP). Before EAP existed, entirely new PPP authentication protocols had to be defined to create new authentication methods. However, with EAP, new authentication types simply require the definition of a new EAP type. A new EAP type comprises a set of set of EAP request and response messages and their associated semantics.

•Extensible Authentication Protocol over LAN (EAPOL)

Although originally designed to operate as part of PPP, EAP is flexible enough to be mapped to most types of framed link layer. With a wireless access point, this link layer is a wireless LAN, not PPP. The IEEE 802.1X EAP over LAN (EAPOL) specifies a method for encapsulating EAP packets in Ethernet packets so that they can be transmitted over a LAN.

•Encryption and Key Exchange

The 802.11 specification allows for data traffic between the client and access point to be encrypted using an encryption key. As a result of key exchange through WPA, WPA2, CCKM, or WEP, the client and the network access device derive the same pair of keys—one key for broadcast and multicast traffic from the network access device and another key for all other packets.

•Remote Authentication Dial-In User Service (RADIUS) Servers

Network access servers (such as WLAN access points) often rely on a centralized AAA server to authenticate clients on their behalf. One of the more popular types of AAA servers is a RADIUS server. Extensions to the RADIUS protocol have been defined to allow the transfer of the EAP packets between the authentication server and the network access server. In this case, the network access server is a relay agent; the authentication conversation takes place between the client and the RADIUS server. The RADIUS server informs the access point of the result of the authentication and whether to allow the client to access the network. Other parameters might be returned as well, including session keys for use between the client and the access point.

How LEAP Works

Because most RADIUS servers support the MS Challenge Handshake Authentication Protocol (MS-CHAP), MS-CHAP is the basis for LEAP. The protocol consists of the authenticator sending a random challenge to client. The client’s data encryption standard (DES) encrypts the challenge by using an MD4 hash of the password. The authenticator then verifies the response by using its knowledge of the client username and password.

Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide for Windows Vista