Freeradius and Cisco LEAP

nbk · 25th April 2003, 11:39 PM

I know there are many folks out there who simply denounce Cisco's LEAP authentication/encryption as being an expensive proprietary waste of resources, but things have now changed...

FreeRadius now includes support for LEAP authentication (inc in the latest CVS).

I'll do a proper write up and howto soon, but briefly:

Client: RH9 with Cisco LMC342 stuck in a Ricoh cradle. Latest firmware and ACU client software.
Accesspoint: Cisco AP352E2R (Ruggedised, PoE), latest firmware (brand new out of box).
Server: RH9 with latest FreeRadius.

Configured radius with ordinary client/user/conf settings, making sure that LEAP was the default EAP authentication method and that it was authorised to accept.

Set up the client for LEAP authentication. WEP is enabled by default when using EAP for obvious reasons.

Configured AP to use radius server for EAP authentication and accounting. EAP auth only (meaning that clients must use EAP or get booted).

Now with LEAP enabled and the client successfully authenticating, the keys are exchanged approximately every 30 seconds - try and hack that

The AP's association table looks like:

Code:

 350 Series AP   test    192.168.0.20   xxxxmacxxxxx               
 PC4800B Client   Testclient    192.168.0.50   xxxxmacxxxxx        EAP Assoc   [self]

Will do the rest this weekend. Lots more to investigate, things like VLANs, group auth, relms are now more possible for no cost (other than the hardware).

25th April 2003, 11:39 PM	#1
nbk Member Join Date: Aug 2001 Location: Nambour Posts: 2,178	Freeradius and Cisco LEAP I know there are many folks out there who simply denounce Cisco's LEAP authentication/encryption as being an expensive proprietary waste of resources, but things have now changed... FreeRadius now includes support for LEAP authentication (inc in the latest CVS). I'll do a proper write up and howto soon, but briefly: Client: RH9 with Cisco LMC342 stuck in a Ricoh cradle. Latest firmware and ACU client software. Accesspoint: Cisco AP352E2R (Ruggedised, PoE), latest firmware (brand new out of box). Server: RH9 with latest FreeRadius. Configured radius with ordinary client/user/conf settings, making sure that LEAP was the default EAP authentication method and that it was authorised to accept. Set up the client for LEAP authentication. WEP is enabled by default when using EAP for obvious reasons. Configured AP to use radius server for EAP authentication and accounting. EAP auth only (meaning that clients must use EAP or get booted). Now with LEAP enabled and the client successfully authenticating, the keys are exchanged approximately every 30 seconds - try and hack that The AP's association table looks like: Code: 350 Series AP test 192.168.0.20 xxxxmacxxxxx PC4800B Client Testclient 192.168.0.50 xxxxmacxxxxx EAP Assoc [self] Will do the rest this weekend. Lots more to investigate, things like VLANs, group auth, relms are now more possible for no cost (other than the hardware).