How to enable LEAP
The Cisco Light Extensible Authentication Protocol (LEAP) provides strong, easy to deploy, and easy to administer wireless security. Cisco offers third-party Network Interface Card (NIC) support and RADIUS support to allow customers to use their existing investments in wireless clients, as well as existing RADIUS servers.
LEAP is only supported on client adapters that support Wired Equivalent Privacy (WEP) and use either the Pulse Code Modulation (PCM), LMC, or PCI cards with firmware version 4.13 or later, or mini PCI card firmware version 5.0 or later. To use LEAP, your client adapter and Access Point (AP) firmware must have matching IEEE 802.1x draft standards.
If the AP uses draft 8 firmware earlier than 11.06 or has draft 8 selected, the client adapter must use draft 8 firmware earlier than 4.25.x. Similarly, if the AP uses draft 10 firmware 11.06 or later, and has draft 10 selected, the client adapter must use draft 10 firmware 4.25.x or later. Mini PCI card firmware was first released in draft 10.
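The firmware and draft matching rules above can be checked across an inventory before LEAP is rolled out. The following Python sketch is an added example, not Cisco code; the card labels ("pcm", "lmc", "pci", "mini-pci"), the dictionary layout, and the host names and versions in the sample inventory are assumptions constructed for illustration.

```python
import re

def parse_version(text):
    """Turn '11.06' or '4.25.1' into a comparable tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def ap_draft(firmware, selected_draft):
    """Draft 10 needs firmware 11.06 or later AND draft 10 selected; else draft 8."""
    if parse_version(firmware) >= (11, 6) and selected_draft == 10:
        return 10
    return 8

def client_draft(card_type, firmware):
    """Return 8 or 10, or None when the firmware is too old for LEAP."""
    version = parse_version(firmware)
    if card_type == "mini-pci":
        # Mini PCI firmware was first released in draft 10; LEAP needs 5.0 or later.
        return 10 if version >= (5, 0) else None
    if version < (4, 13):
        # PCM, LMC and PCI cards need firmware 4.13 or later for LEAP.
        return None
    return 10 if version >= (4, 25) else 8

def audit(ap, clients):
    """List (host, problem) pairs for clients that cannot use LEAP with this AP."""
    want = ap_draft(ap["firmware"], ap["selected_draft"])
    findings = []
    for client in clients:
        have = client_draft(client["card"], client["firmware"])
        if have is None:
            findings.append((client["host"], "firmware too old for LEAP"))
        elif have != want:
            findings.append(
                (client["host"], f"client is draft {have}, AP is draft {want}"))
    return findings

# Constructed sample inventory (hypothetical names and versions).
SAMPLE_AP = {"name": "ap-lobby", "firmware": "11.07", "selected_draft": 10}
SAMPLE_CLIENTS = [
    {"host": "laptop-01", "card": "pcm", "firmware": "4.25.23"},
    {"host": "laptop-02", "card": "pcm", "firmware": "4.23"},
    {"host": "laptop-03", "card": "pci", "firmware": "4.10"},
    {"host": "laptop-04", "card": "mini-pci", "firmware": "5.0"},
]

if __name__ == "__main__":
    for host, problem in audit(SAMPLE_AP, SAMPLE_CLIENTS):
        print(f"{host}: {problem}")
```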
Before implementing a LEAP solution, network administrators should refer to the 802.11 Wireless LAN Security White Paper.
Special attention should be paid to the use of strong passwords. Cisco LEAP is a password-based algorithm. To minimize the possibility of a successful dictionary attack, use strong passwords, which are difficult to guess. These are some characteristics of strong passwords:
Before you can enable LEAP authentication, your network devices must meet the following requirements:
Follow the steps below to enable LEAP authentication for this profile.
Step 1 Select LEAP from the Network Security Type drop-down box on the bottom of the Network Security screen.
The LEAP option is available only if you selected the LEAP security module during installation.
When you select this option, dynamic WEP is set automatically.
Step 2 Click Configure to the right of the Network Security Type drop-down box. The LEAP Settings screen appears (see Figure).
Step 3 Select one of the following LEAP username and password setting options:
• Use Temporary User Name and Password—Requires you to enter the LEAP username and password each time the computer reboots in order to authenticate and gain access to the network.
• Use Saved User Name and Password—Does not require you to enter a LEAP username and password each time the computer reboots. Authentication occurs automatically as needed using a saved username and password (which are registered with the RADIUS server).
Note: The Use Saved User Name and Password option is available only if the Allow Saved LEAP User Name and Password option was enabled (set to Yes) during installation.
Step 4 Perform one of the following:
• If you selected Use Temporary User Name and Password in Step 3, select one of the following options:
– Use Windows User Name and Password—Causes your Windows username and password to also serve as your LEAP username and password, giving you only one set of credentials to remember. After you log in, the LEAP authentication process begins automatically. This option is the default setting.
– Automatically Prompt for LEAP User Name and Password—Requires you to enter a separate LEAP username and password (which are registered with the RADIUS server) in addition to your regular Windows login in order to start the LEAP authentication process.
– Manually Prompt for LEAP User Name and Password—Requires you to manually invoke the LEAP authentication process as needed using the Manual LEAP Login option from the Commands drop-down menu. You are not prompted to enter a LEAP username and password during the Windows login. This option might be used to support a software token one-time password system or other systems that require additional software that is not available at login.
• If you selected Use Saved User Name and Password in Step 3, follow the steps below:
Note: Usernames and passwords are limited to 32 ASCII characters each. However, if a domain name is entered in the Domain field, the sum of the username and domain name is limited to 31 ASCII characters.
b. Re-enter the password in the Confirm Password field.
Step 5 If you work in an environment with multiple domains and, therefore, want your Windows login domain to be passed to the RADIUS server along with your username, check the Include Windows Logon Domain with User Name check box. The default setting is checked.
If you chose to use a saved username and password but do not check the Include Windows Logon Domain with User Name check box, the Domain field becomes unavailable, and a domain name is not passed to the RADIUS server.
Step 6 If you want to force the client adapter to disassociate after you log off so that another user cannot gain access to the wireless network using your credentials, check the No Network Connection Unless User Is Logged In check box. The default setting is checked.
Step 7 In the LEAP Authentication Timeout Value field, enter the amount of time (in seconds) before a LEAP authentication is considered to have failed and an error message appears.
Range: 45 to 300 seconds
Default: 90 seconds
Step 8 Click OK to exit the LEAP Settings screen.
Step 9 Click OK to exit the Network Security screen and return to the Profile Manager screen. On the Profile Manager screen, click OK or Apply to save your changes.
Step 10 Refer to Chapter 6 for instructions on authenticating using LEAP.