Cisco AIR-CB21AG-W-K9 Configuration Guide - Page 71

Overview of LEAP, How LEAP Works


Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide for Windows Vista, OL-16534-01, page 3-17
Chapter 3: Configuring EAP Types

Overview of LEAP

Cisco LEAP is an authentication protocol that is designed for use in IEEE 802.11 wireless local area networks (WLANs). Important features of LEAP include the following:

• Mutual authentication between the network infrastructure and the user.
• Secure derivation of random, user-specific cryptographic session keys.
• Compatibility with existing and widespread network authentication mechanisms (for example, RADIUS).
• Computational speed.

Although Cisco LEAP is a Cisco proprietary protocol, it is based on existing IETF and IEEE standards. Cisco LEAP relies on the following:

• Extensible Authentication Protocol (EAP)
  EAP was originally designed to provide a framework so that new authentication methods could be introduced into the Point-to-Point Protocol (PPP). Before EAP existed, entirely new PPP authentication protocols had to be defined to create new authentication methods. With EAP, a new authentication method simply requires the definition of a new EAP type, which comprises a set of EAP request and response messages and their associated semantics.
• Extensible Authentication Protocol over LAN (EAPOL)
  Although originally designed to operate as part of PPP, EAP is flexible enough to be mapped to most types of framed link layer. With a wireless access point, this link layer is a wireless LAN, not PPP. IEEE 802.1X EAP over LAN (EAPOL) specifies a method for encapsulating EAP packets in Ethernet packets so that they can be transmitted over a LAN.
• Encryption and Key Exchange
  The 802.11 specification allows data traffic between the client and the access point to be encrypted using an encryption key. As a result of key exchange through WPA, WPA2, CCKM, or WEP, the client and the network access device derive the same pair of keys: one key for broadcast and multicast traffic from the network access device and another key for all other packets.
• Remote Authentication Dial-In User Service (RADIUS) Servers
  Network access servers (such as WLAN access points) often rely on a centralized AAA server to authenticate clients on their behalf. One of the more popular types of AAA server is a RADIUS server. Extensions to the RADIUS protocol have been defined to allow EAP packets to be carried between the authentication server and the network access server. In this case the network access server acts as a relay agent; the authentication conversation takes place between the client and the RADIUS server. The RADIUS server informs the access point of the result of the authentication and whether to allow the client to access the network. Other parameters might be returned as well, including session keys for use between the client and the access point.

How LEAP Works

Because most RADIUS servers support the MS Challenge Handshake Authentication Protocol (MS-CHAP), MS-CHAP is the basis for LEAP. The protocol consists of the authenticator sending a random challenge to the client. The client encrypts the challenge with the Data Encryption Standard (DES), using an MD4 hash of the password as the key material. The authenticator then verifies the response by using its knowledge of the client's username and password.