Re: [Aironet] LEAP security
From: <lo...@pe...> - 2001-07-09 13:40:03
Forgive me for interjecting, but I'd like to ask a few other questions about your needs with regards to wireless networks. Is your goal to simply limit who can associate to the ESS/BSS? Is your goal to, once an association is completed successfully, provide link-level security?

----

Also, on an unrelated note, I would like to ask this list what they think about the following theory.

If an 802.11 client device is authenticating via LEAP or EAP (rather, being allowed an association because of..), what are the chances of another user taking on the 'identity' (read: MAC address, IP address (if IP is being used), and Radio ID) of a user who just authenticated? Let's say they were operating in ad hoc mode, and could operate alongside transparently, or continue operating after the 'real' client's computer was turned off. Any thoughts on what would happen?

It would seem to me that during the course of normal use, client devices may roam into an area which has such poor coverage they associate & disassociate due to excessive CRC errors or failed attempts at retransmissions. Clients can't be expected to continually re-authenticate just to reassociate all the time. So, in the case of LEAP or EAP I would presume that there is some sort of 'cached' user/password data which can be re-sent by some means (driver, script?) whenever the card de/re-associates.. Or at least some sort of CHAP-style reoccurring password hash exchange going on after the initial granting of an association.

If that's the case, could not our rogue client device capture (assuming the station could hear the transmission) that hash-exchange and replay it on demand if the station were to 'impersonate' the real station after the initial association?

TIA for any replies/thoughts!

-Lostxam

On Fri, 6 Jul 2001, Doug Wilson wrote:

> you might be right; I can't find anything that says LEAP works with
> Microsoft RADIUS.
>
> We would like to make a call on whether LEAP is secure enough. I have not
> been able to find third party reviews evaluating LEAP from a security
> perspective. If you have any information on LEAP security, pls send it to
> me.
>
> Someone on this mailing list mentioned that LEAP is MSCHAP. Is it MSCHAPv1
> or MSCHAPv2? Any protocol details?
>
> Thanks,
>
> Doug Wilson
>
>
> ----- Original Message -----
> From: "Mark Wilson" <ma...@st...>
> To: "Doug Wilson" <dou...@ho...>
> Cc: <ai...@en...>
> Sent: Wednesday, July 04, 2001 10:13 AM
> Subject: Re: [Aironet] LEAP security
>
>
> > On Wed, 4 Jul 2001, Doug Wilson wrote:
> >
> > > Hi everyone,
> > >
> > > I am planning to test Cisco Aironet Wireless 802.1x solution with LEAP.
> > > We are using Microsoft's Windows 2000 RADIUS server for VPN and it
> > > supports EAP-MD5 & EAP-TLS. Will LEAP work with Microsoft's RADIUS server?
> > >
> > > Thank you
> > >
> > > Doug Wilson
> > >
> >
> > I don't believe so. So far, I have only got it to work with the Cisco
> > ACS. But, if you do we would be interested.
> >
> >
> > Mark Wilson
> > Sr. Network Analyst
> > Communications and Technology Services (CATS)
> > UC Santa Cruz - Santa Cruz, Ca. 95064
> > 831.459.3675
> > Just a Cruzin......
> >
>
> _______________________________________________
> Aironet mailing list - Ai...@cs...
> http://csl.cse.ucsc.edu/mailman/listinfo/aironet
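The replay question raised in this message can be checked against a generic CHAP-style exchange, using the RFC 1994 construction (MD5 over identifier, secret and challenge). This is an added example, not part of the original thread and not LEAP's actual protocol; the `Authenticator` class, `replay_accepted` and the shared secret are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """Hypothetical access-point side: issues challenges, checks responses."""

    def __init__(self, secret: bytes, fresh_challenges: bool = True):
        self.secret = secret
        self.fresh = fresh_challenges
        self.ident = 0
        self.challenge = None

    def new_challenge(self):
        # A sound authenticator draws a new random challenge (and bumps the
        # identifier) for every exchange; the weak mode reuses the first one.
        if self.fresh or self.challenge is None:
            self.ident = (self.ident + 1) % 256
            self.challenge = os.urandom(16)
        return self.ident, self.challenge

    def verify(self, response: bytes) -> bool:
        expected = chap_response(self.ident, self.secret, self.challenge)
        return hmac.compare_digest(expected, response)


def replay_accepted(fresh_challenges: bool) -> bool:
    """True if a response overheard in one exchange passes the next one."""
    secret = b"constructed-shared-secret"  # constructed sample value
    auth = Authenticator(secret, fresh_challenges)

    # Exchange 1: the legitimate station answers; a listener records it.
    ident, challenge = auth.new_challenge()
    captured = chap_response(ident, secret, challenge)
    if not auth.verify(captured):
        raise RuntimeError("legitimate response should verify")

    # Exchange 2 (re-association): the recorded response is presented again.
    auth.new_challenge()
    return auth.verify(captured)


if __name__ == "__main__":
    print("fresh challenge per exchange, replay accepted:", replay_accepted(True))
    print("challenge reused, replay accepted:", replay_accepted(False))
```

The recorded hash is only useful against an authenticator that repeats its challenge; the check says nothing about traffic sent after authentication, which needs per-frame keying to bind it to the authenticated station.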