Cisco Wireless EAP
The Cisco proprietary take on EAP is known as Cisco Wireless EAP.
NOTE: Cisco Wireless EAP is also known as Lightweight EAP (LEAP). However, some users
interpreted “lightweight” with a negative connotation, so Cisco opted to call it Cisco
Wireless EAP instead.
Cisco Wireless EAP provides username and password-based authentication between a
wireless client and AP, via an authentication server.
The Cisco Wireless EAP server and client derive a session key, so that subsequent frames can be
encrypted with a key different from the keys used by other sessions, thus providing stronger
security. In addition, new keys are generated each time the client roams to a new AP.
Dynamic keys, a feature in all EAP implementations, address an enormous
vulnerability inherent in static encryption keys. Static keys are shared among all
stations on the WLAN. If an attacker can crack the static shared key, he can eavesdrop
on all WLAN traffic. Dynamic session keys make the attacker's job harder
because there is less traffic encrypted under any one key to analyze, which reduces the chance of
finding a flaw. In addition, by the time the attacker manages to crack a key, the session might
already be over.
When using Cisco Wireless EAP, dynamic per-user, per-session WEP keys are
generated each time the user authenticates to the WLAN. You can strengthen security
even further by requiring WEP key timeouts, which force re-authentication. This
generates a new WEP key, even for existing sessions. Figure 4-3 shows the Cisco
Wireless EAP process.
The Cisco Wireless EAP authentication process is as follows:
1. The client associates with the AP.
2. The AP blocks the client from accessing the network.
3. The client provides login credentials to the RADIUS server.
4. The RADIUS server and the client authenticate each other.
5. The RADIUS server and the client derive a session key.
6. Secure communications are established between the client and the server.
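The six steps above, together with the per-session key and key-timeout behaviour described earlier, can be modelled in a small simulation. The following Python is an added illustration, not Cisco's code and not the actual LEAP cryptography: the challenge/response and key-derivation primitives (HMAC-SHA256), the user database, the `KEY_LIFETIME` value and all credentials are constructed stand-ins chosen for the example. What it shows is the structure: the AP keeps the port blocked until the RADIUS server and the client have authenticated each other, both ends then derive the same session key without the AP ever seeing the password, and a key timeout forces a re-authentication that yields a different key for the same user.

```python
import hashlib
import hmac
import secrets

# Constructed user database held by the RADIUS server (hypothetical credentials).
USER_DB = {"alice": b"correct horse battery staple"}


def _respond(password: bytes, challenge: bytes) -> bytes:
    """Stand-in challenge/response: keyed hash of the challenge (not LEAP's real primitive)."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


def _session_key(password: bytes, client_chal: bytes, server_chal: bytes) -> bytes:
    """Both ends derive the key from the two fresh challenges, so every session gets a new key."""
    return hmac.new(password, b"session" + client_chal + server_chal, hashlib.sha256).digest()


class Client:
    def __init__(self, username: str, password: bytes):
        self.username, self.password = username, password
        self.session_key = None

    def respond(self, server_chal: bytes) -> bytes:          # step 3: prove credentials
        return _respond(self.password, server_chal)

    def verify_server(self, client_chal: bytes, server_resp: bytes) -> bool:  # step 4
        return hmac.compare_digest(_respond(self.password, client_chal), server_resp)

    def derive_key(self, client_chal: bytes, server_chal: bytes) -> bytes:   # step 5
        self.session_key = _session_key(self.password, client_chal, server_chal)
        return self.session_key


class RadiusServer:
    def __init__(self, users: dict):
        self.users = users

    def verify_client(self, username: str, server_chal: bytes, client_resp: bytes) -> bool:
        pw = self.users.get(username)
        return pw is not None and hmac.compare_digest(_respond(pw, server_chal), client_resp)

    def respond(self, username: str, client_chal: bytes) -> bytes:
        return _respond(self.users[username], client_chal)

    def derive_key(self, username: str, client_chal: bytes, server_chal: bytes) -> bytes:
        return _session_key(self.users[username], client_chal, server_chal)


class AccessPoint:
    KEY_LIFETIME = 300  # seconds; constructed WEP key timeout for the example

    def __init__(self, server: RadiusServer):
        self.server = server
        self.port_open = {}   # username -> bool
        self.keys = {}        # username -> (session key, time issued)

    def associate(self, username: str) -> None:           # step 1
        self.port_open[username] = False                  # step 2: blocked until auth succeeds

    def authenticate(self, client: Client, now: float):  # steps 3-5, relayed by the AP
        server_chal = secrets.token_bytes(16)
        if not self.server.verify_client(client.username, server_chal, client.respond(server_chal)):
            return None                                   # client failed; port stays blocked
        client_chal = secrets.token_bytes(16)
        if not client.verify_server(client_chal, self.server.respond(client.username, client_chal)):
            return None                                   # server failed mutual auth
        key = self.server.derive_key(client.username, client_chal, server_chal)
        client.derive_key(client_chal, server_chal)       # client derives the same key itself
        self.keys[client.username] = (key, now)           # server hands the key to the AP
        self.port_open[client.username] = True            # step 6: traffic now allowed
        return key

    def key_expired(self, username: str, now: float) -> bool:
        _, issued = self.keys[username]
        return now - issued >= self.KEY_LIFETIME


def demo():
    """Two sessions for one user plus one failed login; returns the observable results."""
    ap = AccessPoint(RadiusServer(USER_DB))
    alice = Client("alice", USER_DB["alice"])
    ap.associate("alice")
    key1 = ap.authenticate(alice, now=0.0)
    expired = ap.key_expired("alice", now=ap.KEY_LIFETIME)  # timeout forces re-authentication
    key2 = ap.authenticate(alice, now=float(ap.KEY_LIFETIME)) if expired else key1
    mallory = Client("alice", b"wrong password")           # constructed bad credential
    ap2 = AccessPoint(RadiusServer(USER_DB))
    ap2.associate("alice")
    failed = ap2.authenticate(mallory, now=0.0)
    return key1, key2, alice.session_key, expired, failed, ap2.port_open["alice"]
```

Running `demo()` yields two distinct 32-byte keys for the same user, with the client's own derived key matching the one the AP holds after the second authentication, while the wrong-password attempt returns no key and leaves the AP port blocked.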