Skip Links

Will Microsoft take the LEAP?

Wireless Wizards By The Wireless Wizards,
April 12, 2004 12:02 AM ET - Q: Where is LEAP and PEAP going in the wireless world? Do you think LEAP will ever be a choice in the Microsoft environment, or will we always use a third party to implement LEAP? We are beginning to implement a wireless policy, and don't know which authentication method would be better. Penni, Johnson City, Tenn.

The Wizards reply:

Dan Simone, Trapeze Networks:

Cisco’s proprietary LEAP protocol gained traction when the industry had only a poor selection of authentication and encryption techniques from which to choose. At the time, LEAP provided a technical advantage over static WEP, for example. However, with the availability of 802.1x and dynamic encryption protocols such as dynamic WEP and TKIP, LEAP no longer provides any advantage.

On the contrary, the industry has become well aware of serious security vulnerabilities in LEAP. For instance, it’s well documented that LEAP is easily subjected to brute-force password attacks. LEAP has the added disadvantage of locking customers into a proprietary authentication technique that restricts vendor choice for both client equipment and infrastructure.

PEAP, on the other hand, has rapidly emerged as the authentication method of choice. Among its advantages is its status as an industry standard, and that it can be implemented without unique client certificates yet still provides strong mutual authentication over an encrypted channel. PEAP does require the use of strong passwords, such as mixing upper case and lower case, including punctuation, and avoiding words that are in a dictionary. In addition, PEAP has the added convenience of being built into leading desktop platforms Windows XP and 2000.

For customers selecting an authentication method that will have strong staying power in the industry yet is easily administrated, PEAP is your best alternative.

Albert Lew, Legra Systems:

Joshua Wright at the SANS Institute discovered a vulnerability with LEAP that allows passwords to be broken on average in less than two minutes. Cisco is aware of this vulnerability, and as a result has proposed a new authentication mechanism called EAP FAST (Flexible Authentication via Secure Tunneling). FAST essentially creates a protected EAP tunnel similar to PEAP without the need for certificates. Cisco's FAST protocol has been submitted to the IETF in draft form, and will be available in the fall with Cisco ACS RADIUS servers, Cisco client cards, and non-Cisco client cards that support Cisco CCX extensions. Unlike LEAP and FAST, PEAP has had much more time to be analyzed by the security community, which has not found any significant vulnerabilities to date. PEAP has an advantage over both FAST and LEAP from a security standpoint in that certificates are used to validate the server, and certificates can be optionally be used to validate identity of the client. Also, PEAP has a broader range of support options on both the client side and server side. Your choice depends upon your security requirements and what existing infrastructure you already have in place.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News