This document answers questions about Cisco LEAP an Extensible Authentication Protocol type from Cisco Systems®.
Q. What is Cisco® LEAP?
A. Cisco LEAP is an 802.1X authentication type for wireless LANs (WLANs) that supports strong mutual authentication between the client and a RADIUS server using a logon password as the shared secret. It provides dynamic per-user, per-session encryption keys.
Q. Is Cisco LEAP supported by Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2)?
A. Yes. Like all EAP types, Cisco LEAP can be used with WPA and WPA2 networks.
Q. Is Cisco LEAP included with all Cisco wireless products, Cisco Aironet products, and Cisco Compatible client devices?
A. Yes. Cisco LEAP is included, at no additional cost, with all Cisco wireless products, Cisco Aironet products, and Cisco Compatible client devices including Cisco Aironet autonomous and lightweight access points and Cisco wireless LAN controllers.
Q. Is Cisco LEAP a standard?
A. Cisco LEAP takes advantage of the standard 802.1X framework. Cisco was the pioneer in introducing Extensible Authentication Protocol (EAP) support for WLANs at a time when none of the existing client operating systems provided EAP support. Cisco introduced Cisco LEAP in December 2000 as a way to quickly improve the overall security of WLAN authentication.
Q. Is Cisco LEAP supported by the Cisco Unified Wireless Network?
A. The Cisco Unified Wireless Network is the industry's only unified wired and wireless solution to cost-effectively address the WLAN security, deployment, management, and control issues facing enterprises. This powerful solution combines the best elements of wireless and wired networking to deliver scalable, manageable, and secure WLANs with a low total cost of ownership. It includes innovative RF capabilities that enable real-time access to core business applications and provides proven enterprise-class secure connectivity. The Cisco Unified Wireless Network delivers the same level of security, scalability, reliability, ease of deployment, and management for wireless LANs that organizations expect from their wired LANs.
The Cisco Unified Wireless Network supports an enterprise-ready, standards-based, wireless security solution that gives network administrators' confidence that their data will remain private and secure when they use Cisco wireless products, Cisco Aironet Series products, Cisco Compatible Extensions products or Wi-Fi Certified WLAN client devices. This enterprise-class wireless security solution supports robust wireless LAN security services that closely parallel the security available in a wired LAN. It fulfills the need for consistent, reliable, and secure mobile networking by delivering industry-leading WLAN security services. It mitigates sophisticated passive and active WLAN attacks, interoperates with a range of client devices and provides reliable, scalable, centralized security management. The Cisco Unified Wireless Network allows network administrators to deploy large-scale enterprise WLANs with scalable problem-free security administration that does not increase the burden on the IT staff.
FEATURES AND BENEFITS
Q. What are the security benefits of Cisco LEAP?
A. Cisco LEAP overcomes the major limitations of 802.11 wireless security through extensible authentication support to other back-end directories (Windows NT, Windows Active Directory, and Open Database Connectivity [ODBC]) or to Cisco LEAP proxy RADIUS servers such as Cisco Secure Access Control Server (ACS) and Cisco Network Registrar®.
Q. What are the enterprise benefits of Cisco LEAP?
A. Cisco LEAP is a widely deployed, market-proven component of the Cisco Unified Wireless Network. It is available with numerous client adapter types, including application-specific devices (ASDs), from Cisco, Cisco Compatible Extensions partners, and numerous client device and network interface card (NIC) manufacturers. Cisco LEAP provides:
• True single login with an existing user name and password using Windows NT/2000 Active Directory
• Simplified, inexpensive deployment and administration for IT managers
• Dynamic privacy protection when used in conjunction with Temporal Key Integrity Protocol (TKIP) or the Advanced Encryption Standard (AES)
Q. How does Cisco LEAP authentication work?
A. A wireless client needs to be authenticated by a RADIUS server, and can only transmit EAP traffic until it is authenticated. After end-user login, mutual authentication between the client and the RADIUS server occurs. A dynamic encryption key is derived during this mutual authentication at the client and the RADIUS server. The RADIUS server sends the dynamic encryption key to the access point via a secure channel. After the access point receives the key, regular network traffic forwarding is enabled at the access point for the authenticated client. The credentials used for authentication, such as a login password, are never transmitted over the wireless medium without encryption. Upon client logoff, the client association entry in the access point returns to the nonauthenticated mode.
Q. What client operating systems does Cisco LEAP support?
A. Cisco LEAP supports numerous client operating systems, including Microsoft Windows, Mac OS, Linux, DOS, and Windows CE.
Q. What RADIUS servers and user databases does Cisco LEAP support?
A. Cisco LEAP supports the following RADIUS servers and user databases: Cisco Secure ACS, Cisco Network Registrar, Funk Odyssey Server, Funk Steel-Belted, and products that use the Interlink Networks server code (such as LeapPoint appliances).
Q. What Cisco wireless devices does Cisco LEAP support?
A. Cisco LEAP supports several Cisco wireless products, including Cisco Aironet autonomous and lightweight access points, Cisco wireless LAN controllers, workgroup bridges, wireless bridges, and repeaters, and many Cisco and Cisco Compatible WLAN client devices.
Q. Is Cisco LEAP authentication available on wireless clients from vendors other than Cisco?
A. Yes. Fast secure roaming is supported by Cisco Aironet Series access points in conjunction with Cisco and Cisco Compatible client devices. With fast secure roaming, authenticated client devices can roam securely from one access point to another without any perceptible delay during reassociation. Fast secure roaming supports latency-sensitive applications such as wireless voice over IP (VoIP), enterprise resource planning (ERP), or Citrix-based solutions.
Q. Does Cisco LEAP support WAN link remote site survivability?
A. Yes. Cisco LEAP supports IEEE 802.1X Local Authentication Service also called remote site survivability. This feature is enabled via a Cisco Aironet autonomous access point's IEEE 802.1X local authentication service. With IEEE 802.1X local authentication service, Cisco Aironet autonomous access points are configured to act as a local authentication server to authenticate wireless clients when the authentication, authorization, and accounting (AAA) server is not available. This provides secure authentication services for remote or branch-office WLANs without a RADIUS server and provides backup authentication services for access to local resources, such as file servers or printers, during a WAN link or server failure.
Q. Where can I learn more about deploying secure WLANs?
A. Please read the following documents to learn more about deploying secure WLANs: