[NBLUG/talk] WiFi and Cisco LEAP
srj at adnd.com
Thu Jun 3 08:24:34 PDT 2004
Hello NBLUG'ers =),
I was wondering if anyone knew of a WiFi PCMCIA card that
worked well with Linux and also supported the Cisco LEAP protocol.
I currently have a Linksys card, but from what I have read it does not
support LEAP. I also get the impression LEAP is supported at the hardware
level and is not something that can be written into a driver. At least,
that's the impression I get. I could be wrong =)
Anyone have any experience with this?
P.S. In case you are wondering, this is what LEAP is:
What is LEAP?
LEAP (Lightweight Extensible Authentication Protocol) is a security scheme
devised by Cisco Systems. Based on the 802.1x authentication framework,
LEAP mitigates several of the weaknesses
by utilizing dynamic WEP and sophisticated key management. In addition,
it also incorporates MAC address authentication. In short, a
LEAP installation would perform:
* Mutual authentication - mutual authentication instead of a one-way
authentication. LEAP ensures mutual authentication between a wireless
client and a back end RADIUS server. Communication between the AP and the
RADIUS server is via a secure channel. This eliminates "man-in-the-middle
attacks" by rogue APs.
* Secure key derivation - A shared secret key is used to construct
responses to the mutual challenges. It undergoes irreversible one-way hashes
that make password replay attacks impossible. It is important to note that
the hash value is used once only, and never after.
* Dynamic WEP keys - LEAP offers
hassle-free, dynamic per-user, per-session WEP keys (128 bit).
With LEAP, session keys are unique to the users and not shared among them.
Also, the broadcast WEP key is encrypted using the session key
before being delivered to the end client. By tying LEAP with network logon,
we will also eliminate vulnerabilities due to stolen or lost cards.
* Re-Authentication policies - This will force the clients
to re-authenticate with new session keys. Since the window can
be configured to be very small, we can minimize attacks where traffic
is injected (by hackers) during the session. Note that all this happens
in the background, thus the client would experience no perceptible change
on his machine.
* Initialization Vector (IV) changes - The IV is changed on a
per-packet basis. There is no predetermined sequence to exploit.
This, coupled with dynamic WEP keys, makes it very difficult to
create table-based attacks using the knowledge of the IVs seen on the
"Knowing others is wisdom, knowing your self is Enlightenment."
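The following is an added example, not part of the original post and not Cisco's or any driver's code: a small Go program that walks through the LEAP challenge/response exchange the P.S. above describes. LEAP reuses the MS-CHAPv1 NtChallengeResponse: the NT password hash (MD4 over the UTF-16LE password) is zero-padded to 21 bytes and used as three DES keys to encrypt the 8-byte challenge, and the server answers the client's own challenge the same way using MD4 of the NT hash, which is the "mutual" half. The session-key formula (MD5 over that hash-of-hash and both challenge/response pairs) follows the open-source wpa_supplicant implementation and is an assumption here, as are the fixed challenges and the password "Winter2004", which are constructed inputs. The last function is the check a practitioner wants before relying on the "one-way hash" bullet: a captured challenge/response pair is enough to test candidate passwords offline, which is what the asleap tool automated in 2003. MD4 is written out by hand because Go's standard library does not ship it.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/md5"
	"encoding/binary"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// MD4 (RFC 1320) rounds: boolean function, additive constant, rotation amounts per step.
var md4Rounds = []struct {
	fn  func(b, c, d uint32) uint32
	add uint32
	s   [4]int
}{
	{func(b, c, d uint32) uint32 { return (b & c) | (^b & d) }, 0, [4]int{3, 7, 11, 19}},
	{func(b, c, d uint32) uint32 { return (b & c) | (b & d) | (c & d) }, 0x5a827999, [4]int{3, 5, 9, 13}},
	{func(b, c, d uint32) uint32 { return b ^ c ^ d }, 0x6ed9eba1, [4]int{3, 9, 11, 15}},
}

// md4 is written out because Go's standard library has no MD4; the NT hash LEAP checks is MD4(UTF-16LE(password)).
func md4(msg []byte) [16]byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	buf := append(append([]byte(nil), msg...), 0x80) // pad: 0x80, zeros up to 56 mod 64, then 64-bit LE bit length
	buf = append(buf, make([]byte, (55-len(msg)%64+64)%64+8)...)
	binary.LittleEndian.PutUint64(buf[len(buf)-8:], uint64(len(msg))*8)
	for off := 0; off < len(buf); off += 64 {
		aa, bb, cc, dd := a, b, c, d
		for n, r := range md4Rounds {
			for i := 0; i < 16; i++ { // word order: 0..15, then by column (0,4,8,12,1,...), then bit-reversed i
				k := [3]int{i, i%4*4 + i/4, int(bits.Reverse8(uint8(i)) >> 4)}[n]
				t := bits.RotateLeft32(a+r.fn(b, c, d)+binary.LittleEndian.Uint32(buf[off+4*k:])+r.add, r.s[i%4])
				a, b, c, d = d, t, b, c // rotate roles so the next step updates the old d
			}
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range [4]uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntHash is the NT password hash: MD4 of the password encoded as UTF-16LE.
func ntHash(password string) [16]byte {
	var buf []byte
	for _, u := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(u), byte(u>>8))
	}
	return md4(buf)
}

// challengeResponse is the MS-CHAPv1 NtChallengeResponse LEAP reuses: the hash, zero-padded to 21 bytes,
// becomes three 7-byte DES keys that each encrypt the 8-byte challenge.
func challengeResponse(challenge [8]byte, hash [16]byte) [24]byte {
	var zpw [21]byte
	copy(zpw[:], hash[:])
	var resp [24]byte
	for i := 0; i < 3; i++ {
		s := zpw[7*i : 7*i+7] // spread 56 key bits over 8 bytes; DES ignores each byte's low (parity) bit
		key := []byte{s[0] & 0xfe, s[0]<<7 | s[1]>>1, s[1]<<6 | s[2]>>2, s[2]<<5 | s[3]>>3,
			s[3]<<4 | s[4]>>4, s[4]<<3 | s[5]>>5, s[5]<<2 | s[6]>>6, s[6] << 1}
		blk, _ := des.NewCipher(key) // only fails on a wrong key length, which cannot happen here
		blk.Encrypt(resp[8*i:8*i+8], challenge[:])
	}
	return resp
}

// sessionKey: MD5 over the hash-of-hash and both challenge/response pairs, as in the open-source
// wpa_supplicant LEAP code (an assumption of this example; the post does not give the formula).
func sessionKey(pwHashHash [16]byte, apCh [8]byte, apResp [24]byte, peerCh [8]byte, peerResp [24]byte) [16]byte {
	return md5.Sum(bytes.Join([][]byte{pwHashHash[:], apCh[:], apResp[:], peerCh[:], peerResp[:]}, nil))
}

// leapExchange runs both ends of one LEAP authentication in-process: the RADIUS server holds the user's
// NT hash, the client holds the password. The two derived keys agree only when both know the same password.
func leapExchange(clientPassword string, serverNTHash [16]byte, apCh, peerCh [8]byte) (serverOK, clientOK bool, clientKey, serverKey [16]byte) {
	clientHash := ntHash(clientPassword)
	apResp := challengeResponse(apCh, clientHash)              // AP challenge -> client's response
	serverOK = apResp == challengeResponse(apCh, serverNTHash) // server checks it against its stored hash
	serverHH, clientHH := md4(serverNTHash[:]), md4(clientHash[:])
	peerResp := challengeResponse(peerCh, serverHH)            // client challenge -> server answers with MD4(NT hash)
	clientOK = peerResp == challengeResponse(peerCh, clientHH) // client checks it: the "mutual" half
	clientKey = sessionKey(clientHH, apCh, apResp, peerCh, peerResp)
	serverKey = sessionKey(serverHH, apCh, apResp, peerCh, peerResp)
	return
}

// recoverPassword is what an eavesdropper can do with one captured (challenge, response) pair: the response
// is a deterministic function of challenge and NT hash, so candidates can be tested offline (asleap, 2003).
func recoverPassword(apCh [8]byte, apResp [24]byte, candidates []string) (string, bool) {
	for _, c := range candidates {
		if challengeResponse(apCh, ntHash(c)) == apResp {
			return c, true
		}
	}
	return "", false
}

func main() {
	apCh, peerCh := [8]byte{1, 2, 3, 4, 5, 6, 7, 8}, [8]byte{9, 10, 11, 12, 13, 14, 15, 16} // constructed, not random
	sOK, cOK, ck, sk := leapExchange("Winter2004", ntHash("Winter2004"), apCh, peerCh)
	fmt.Printf("server ok: %v client ok: %v keys agree: %v key: %x\n", sOK, cOK, ck == sk, ck)
	pw, found := recoverPassword(apCh, challengeResponse(apCh, ntHash("Winter2004")), []string{"summer", "Winter2004"})
	fmt.Println("offline guess from captured pair:", pw, found)
}
```

Run it with go run: with matching passwords both sides accept and derive the same 16-byte key, a wrong hash on the server side makes both checks fail, and the offline test recovers the password from a short candidate list using only the captured pair, with no further traffic to the AP.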