Cisco Systems, Inc. has developed the Lightweight Extensible Authentication
Protocol (LEAP), sometimes known as “EAP-Cisco Wireless”. LEAP provides two
important security features.
Protocol (LEAP), sometimes known as “EAP-Cisco Wireless”. LEAP provides two
important security features.
Mutual Authentication Between Station and Access Point
LEAP requires the mutual authentication between stations and access points. This
allows a connecting station to verify the identity of the access point with which it is
attempting to associate. At the same time, the access point must verify the identity
of the station. The station must present a username and password that will be
verified by a LEAP-capable RADIUS server such as the Interlink Networks RADSeries
AAA Server. This mutual authentication ensures that only authorized users
are allowed access to the network while preventing hijacking of legitimate user
sessions by rogue access points. Mutual authentication is a great improvement over
the one-way authentication described above.
LEAP requires the mutual authentication between stations and access points. This
allows a connecting station to verify the identity of the access point with which it is
attempting to associate. At the same time, the access point must verify the identity
of the station. The station must present a username and password that will be
verified by a LEAP-capable RADIUS server such as the Interlink Networks RADSeries
AAA Server. This mutual authentication ensures that only authorized users
are allowed access to the network while preventing hijacking of legitimate user
sessions by rogue access points. Mutual authentication is a great improvement over
the one-way authentication described above.
Distribution of WEP Keys on a Per-session Basis
Upon successful authentication, the LEAP algorithm dynamically generates a
unique WEP session key. Both the RAD-Series AAA Server and the Cisco Aironet
Network Interface or Cisco Aironet Wireless LAN Adapter independently generate
this key. This means that the key is not transmitted through the air where it could be
intercepted. The use of per-session WEP keys greatly reduces the possibility of a
WEP key being discovered. In the unlikely event that the key is discovered, it is of
no use once the current session is over. This greatly decreases the WEP key
vulnerability described above.
Using Cisco’s LEAP fills two noteworthy WLAN security holes. The Interlink
Networks RAD-Series AAA Server is the authentication server that makes LEAP
possible.
Upon successful authentication, the LEAP algorithm dynamically generates a
unique WEP session key. Both the RAD-Series AAA Server and the Cisco Aironet
Network Interface or Cisco Aironet Wireless LAN Adapter independently generate
this key. This means that the key is not transmitted through the air where it could be
intercepted. The use of per-session WEP keys greatly reduces the possibility of a
WEP key being discovered. In the unlikely event that the key is discovered, it is of
no use once the current session is over. This greatly decreases the WEP key
vulnerability described above.
Using Cisco’s LEAP fills two noteworthy WLAN security holes. The Interlink
Networks RAD-Series AAA Server is the authentication server that makes LEAP
possible.
CISCO LEAP ARCHITECTURE
There are three key components required for LEAP functionality.
LEAP Supplicant
The supplicant is the client software and firmware that authenticates to the WLAN.
The software resides on the host device with the WLAN adapter. The firmware
resides in the Cisco WLAN adapter. The LEAP supplicant can be configured to
store the username and password or to prompt for the credentials at logon time.
Storing the username and password in the supplicant may be a security risk since a
stolen device would allow access to network resources.
802.1x Authenticator
The authenticator is the software running on the access point (Cisco 340 series and
newer). The authenticator acts as a relay, forwarding the EAP messages to the
authentication server.
The authenticator is the software running on the access point (Cisco 340 series and
newer). The authenticator acts as a relay, forwarding the EAP messages to the
authentication server.
Authentication Server
The authentication server is a LEAP-enabled RADIUS server. The Interlink
Networks RAD-Series AAA server implements the LEAP authentication
mechanism. The server allows station authentication based on username and
password.
The authentication server is a LEAP-enabled RADIUS server. The Interlink
Networks RAD-Series AAA server implements the LEAP authentication
mechanism. The server allows station authentication based on username and
password.
Figure 1 – A client authenticates by using EAPOL to communicate with the Access
Point. The Access Point communicates with the AAA server using RADIUS.
No comments:
Post a Comment