Much has been written about ways to secure your wireless network. Although basic Wired Equivalent Privacy (WEP) was originally the answer, it didn’t take security experts long to figure out that WEP has its weaknesses. With basic WEP now discredited, the IEEE has worked aggressively to ratify the latest standards in wireless security. But if you’re running a Cisco wireless network, you already have what you need to implement the most secure wireless networks available today.
What is Cisco LEAP?
Cisco LEAP is based on the 802.1x standard ratified by the IEEE in July 2001. 802.1x deals withthe authentication process for association of wireless clients to an access point via the use of a supporting authentication server. The 802.1x authentication process uses the Extensible Authentication Protocol (EAP) between the wireless client and the authentication server.
When looking at the bigger picture, the process is rather simple. A wireless client associates to an access point. The access point blocks all user requests to access the LAN, at which time the user provides login authentication credentials. The wireless access point then sends the authentication request to a RADIUS server. The RADIUS server examines the request and either consults its internal database or proxies the request to another server. If access is authenticated, the RADIUS server and client derive a Unicast WEP key that is used for transmission.
Undoubtedly, in an effort to keep recent flaws in wireless security from slowing a growing market, Cisco introduced its version of 802.1x and EAP before it achieved full ratification by the IEEE. Cisco’s nonstandard version, called Lightweight EAP (LEAP), is an authentication algorithm that leverages the 802.1x authentication framework but functions as Cisco’s proprietary lightweight implementation of EAP.
Cisco LEAP provides for dynamic per-user, per-session WEP keys every time the user authenticates to use the wireless network. WEP key timeout settings can force reauthentication, resulting in the creation of a new WEP key for even existing sessions. By setting the WEP key timeout, the wireless session will change fast enough to prevent sniffing of packets in an effort to derive the key.
Cisco’s LEAP is distinguished by the fact that it is based on mutual authentication, meaning both the user and the access point must be authenticated before access to the LAN is allowed. Mutual authentication can help protect wireless networks from rogue access points, man-in-the-middle attacks, sniffing attacks, and active attacks. Cisco’s LEAP still uses a RADIUS to control both devices and users that are allowed access to the wireless network. The RADIUS server can use the backend directories of Windows NT, Active Directory, ODBC, or better yet, Cisco’s Secure Access Control Server.
Requirements and implementation
In general, the requirements of implementing a wireless environment based on EAP are straightforward. The client wireless network adaptors must be compatible with the 802.1x standard. The client access software must also be capable of supporting EAP. Wireless APs must also be compatible with EAP.
If you are running an end-to-end Cisco wireless network, it’s safe to say that you have all the requirements necessary to implement LEAP in your environment, save a few firmware upgrades. Clients associating to APs must run the correct version of firmware to interoperate with the Cisco LEAP-enabled APs. Any Aironet 340 or 350 Series NIC will need to be running a firmware version no later than v4.25.10, coupled with the recommended Aironet Client Utility v5.01.
Both the Cisco Aironet 340 and 350 Series Access Points running at least firmware version 11.05a are supported. The 350 Series Wireless Bridges running firmware version 11.10T1 are also ready for LEAP. The Aironet 340 and 350 Series Workgroup Bridges require firmware v8.65. Cisco recommends that all access points run the same firmware version before implementing LEAP. Ideally, Cisco Access Control Server is also recommended as the RADIUS server.
In general, three steps are necessary to set up LEAP for your Cisco wireless environment. First, you need to add all participating access points to the Cisco Access Control Server (or you need to set them up on a RADIUS server running on another platform). This is where you specify the reauthentication option. The Cisco LEAP algorithm uses this option to expire the current WEP session key for the user and issue a new WEP session key. It is important to note that reauthentication is disabled by default.
Second, you must enable Cisco LEAP on the actual root bridge or access point. Third, you should configure all wireless clients for LEAP by specifying the appropriate SSID and security settings using the Cisco Aironet Client utility. Remember, this is an overview. More in-depth information on implementing LEAP is available in this Cisco white paper on WLAN security.
Cisco successfully met client demands for a more secure wireless solution soon after the WEP vulnerability came to light. However, its proprietary solution requires the use of Cisco adapters, access points, and RADIUS servers. Knowing that the possibility of LEAP becoming an industry standard was in jeopardy due to its reliance on Cisco hardware, Cisco has now taken the steps to license LEAP to third-party vendors.
At the same time, the IEEE Task Force is hard at work trying to replace WEP with a more secure wireless protocol called TKIP (Temporal Key Integrity Protocol). TKIP is backward-compatible with current access points and wireless cards, and requires only a software upgrade. Whatever changes are coming, one thing is sure: Cisco LEAP currently provides one of the most effective methods for securing wireless networks.