The vulnerability of LEAP

aonibala · ‎03-21-2003

In spite of the remarkable LEAP security features (dynamic WEP, TKIP, MIC), it still has one weakness: RADIUS authentication. RADIUS encrypts the password only, while the username is in clear text. Be aware that many WLAN tools can detect and display the username quickly. The only way to mitigate it is to enforce lengthy and complex password policy in order to prevent dictionary attack. The current ACS 3.1 does not have this feature, so one must use Windows2000 or LDAP authentication in order to implement this password policy.

Cisco promised that TACACS+ will replace RADIUS for LEAP. It will be a significant improvement since TACACS+ encrypts both username and password. The question is when? I hope it will be soon.

Audie

ndoshi · ‎03-22-2003

Hi

One more precaution you can take is - have the user policy that if password is entered wrong 3 times , user account gets locked .

Nilesh

aonibala · ‎03-24-2003

Nilesh,

It is ok to setup the account lock policy if you have only few dozen of users. Think when you have thousands! I wish this policy can be set in the ACS group. So you do it once for thousand users, instead of thousand times for thousand users where human error will happen. Will future ACS have this feature?

Furthermore, giving out username format to the enemy means one less barrier to break. Given the WLAN security characteristics, the more barriers translate to better security.

Audie

travis-dennis_2 · ‎03-24-2003

I just wanted to get on the record and agree with Audie that with everything LEAP offers on the security side it was a big let down to still have the username sent in cleartext. As Audie stated, someone can easily snatch the user name. That plus a dictionary/brute force hack of the password and they are in. Strong password policies help reduce this threat but not eliminate it. I trust Cisco is working hard to overcome this ASAP.

my 2 cents

aonibala · ‎07-21-2003

I just attended the seminar sponsored by AirDefense and FortressTech. They made fun of LEAP as being one layer protection: PASSWORD ONLY.

The world knows now, so Cisco better fix this PR problem quick.

:-) Audie

verdann · ‎07-21-2003

LEAP has always been a rather large question for me in terms of security - I'm quite suprised that some enterprising little security group hasn't released a tool yet that just grabs the CHAP hashes and automatically runs it though l0phtcrack. What I see as an even bigger problem to LEAP is that once the username and hash has been collected, an attacker has all the time in the world to brute force at his convenience, and will then not only have access to wireless, but to all of the users windows domain applications/email/network permissions. I'm definitely a fan of eap-tls at the moment for the best security, given the unaddressed problems regarding tunneled man-in-the-middle attacks directed toward PEAP. Its not a PR problem - spin won't make the technicalities of it go away. Administrators just need to see LEAP for what it is, a pre-802.1x draft implentation that at the time was a great stop-gap measure to protect wireless networks at a time when the best thing available was WEP (and we all know how wonderful that was). I think that trying to get LEAP to evolve would be a waste of time, move on to new authentication measures. - mike