cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1248
Views
0
Helpful
5
Replies

Cisco LEAP/Dynamic WEP Question:

RayDMays
Level 1
Level 1

I have implemented a Cisco Wireless LAN with Cisco Aironet 350 Series AP's and Radio Cards. We were concerned about the issues with Static WEP and have implemented a Cisco Secure ACS Radius Server to provide Dynamic WEP (Leap enabled on the Clients). This Radius Server authenticates users by comparing their Login Credentials to an NT User Group setup for Wireless Users. If the User is in the Wireless Group, the Radius Server will auththenticate them and give them access to the Wireless Network. This is Cisco's preferred method to deal with the Security Issues of Static WEP.

Now for some questions:

In Sniffing the traffic during the Wireless Authentication I notice that the User Name and NT Domain information are "In the Clear". Assuming that someone is Sniffing this traffic, the only additional thing they will need is the Users Password, and they could potentially get access to the WLAN. How is the NT Password encrypted when it is sent to the Authenticating RADIUS (Cisco ACS) Server? Also, if someone captures enough data through the day of one user session, what's to prevent them from Brute Forcing the WEP Key with various tools that are available now to do this (http://airsnort.sourceforge.net/)? If they captured enough traffic, and they derive the Dynamic WEP Key, they could then parse through all the Captured Data unencrypted as they now have the Dynamic Session based WEP. With that, if the user logged into any other NT Servers Etc.. during their session, isn't it conceivable that the Hacker will now have the Users NT Password HASH? Once they have that and Brute Force it, they will have all the information they need to LEAP Authenticate. So LEAP is only as safe as the NT UserID and Password?

Any one have any thoughts on this?

Thanks,

Ray

5 Replies 5

bradyrf
Level 1
Level 1

Email me Id like to talk to you offline about this.

James Strong
Level 1
Level 1

The Dynamic WEP key is just that, dynamic. Every time you roam to a different AP or re-associate, you get a new dynamically generated WEP key. So, unless you only have one AP, and have your client radio set to CAM (constantly awake mode), you will be changing your WEP key quite often. When you are using LEAP or EAP, the WEP key that you enter in the CEM is used at initial association, and for multicast only.

You do not have to enter a WEP key in the CEM when using LEAP. The WEP key is entered only in the AP for broadcast(/multicas?) traffic only.

According to the research I've done, and the people I've talked to at Cisco, your Dynamaic WEP key is not as Dynamic as that. First off, the Cisco ACS server is the system that creates and hands the AP your Dynamic WEP key. You only re-authenticate to the Cisco ACS Server when you log off and log back on right?

I already understand that WEP Key 1 is used soley for Multicast information, that WEP Key is not my issue, I'm concerned about the ability to sniff large amounts of data and then decode offline by deriving the Dynamic WEP key that was used for the session.

So I guess the real issue here is I need solid information on how often the Dynamic WEP Key is changed.

Can anyone point me to information about this?

Thanks for your input on this, I think it's important for everyone to consider the ramifications of security, and how it plays out even with Dynamic WEP. My team is going to an Executive briefing at Cisco tomorrow, that will be talking about futures of Wireless, (including LEAP2) so we may get more informaion there too.

Thanks,

Ray

Alright, according to Bruce Alexander in today's Wireless Seminar:

Dynamic WEP that is session based, and be changed by an interval that is set in the Cisco Secure ACS Server. This can be set to any number of minutes you would like, and Cisco recommends 8-10 minutes. Also like JPStrong stated, when you roam to any other AP your Dynamic WEP key will change. These changes are seamless to the user, they do not need to re-authenticate to get the new key.

The option in Cisco Secure ACS is noted from the Q&A of the seminar:

There is an option (option 27) listed on the ACS server listed under group setting which allows the sys admin to edit the amount of time before users will get a new session key (keep in mind the time is in seconds). That session key will be changed during a session when the timeout value is reached.

Thanks for the dialogue, I'm more satisfied with Dynamic WEP now that I can control the time limit of the session based key.

Ray

Review Cisco Networking for a $25 gift card