Will Microsoft take the LEAP?

Q: Where is LEAP and PEAP going in the wireless world? Do you think LEAP will ever be a choice in the Microsoft environment, or will we always use a third party to implement LEAP? We are beginning to implement a wireless policy, and don’t know which authentication method would be better. Penni, Johnson City, Tenn.

The Wizards reply:

Dan Simone, Trapeze Networks:

Cisco’s proprietary LEAP protocol gained traction when the industry had only a poor selection of authentication and encryption techniques from which to choose. At the time, LEAP provided a technical advantage over static WEP, for example. However, with the availability of 802.1x and dynamic encryption protocols such as dynamic WEP and TKIP, LEAP no longer provides any advantage.

On the contrary, the industry has become well aware of serious security vulnerabilities in LEAP. For instance, it’s well documented that LEAP is easily subjected to brute-force password attacks. LEAP has the added disadvantage of locking customers into a proprietary authentication technique that restricts vendor choice for both client equipment and infrastructure.

PEAP, on the other hand, has rapidly emerged as the authentication method of choice. Among its advantages is its status as an industry standard, and that it can be implemented without unique client certificates yet still provides strong mutual authentication over an encrypted channel. PEAP does require the use of strong passwords, such as mixing upper case and lower case, including punctuation, and avoiding words that are in a dictionary. In addition, PEAP has the added convenience of being built into leading desktop platforms Windows XP and 2000.

For customers selecting an authentication method that will have strong staying power in the industry yet is easily administrated, PEAP is your best alternative.

Albert Lew, Legra Systems:

Joshua Wright at the SANS Institute discovered a vulnerability with LEAP that allows passwords to be broken on average in less than two minutes. Cisco is aware of this vulnerability, and as a result has proposed a new authentication mechanism called EAP FAST (Flexible Authentication via Secure Tunneling). FAST essentially creates a protected EAP tunnel similar to PEAP without the need for certificates. Cisco’s FAST protocol has been submitted to the IETF in draft form, and will be available in the fall with Cisco ACS RADIUS servers, Cisco client cards, and non-Cisco client cards that support Cisco CCX extensions. Unlike LEAP and FAST, PEAP has had much more time to be analyzed by the security community, which has not found any significant vulnerabilities to date. PEAP has an advantage over both FAST and LEAP from a security standpoint in that certificates are used to validate the server, and certificates can be optionally be used to validate identity of the client. Also, PEAP has a broader range of support options on both the client side and server side. Your choice depends upon your security requirements and what existing infrastructure you already have in place.

Randy Chou, Aruba Wireless Networks:

It is very unlikely that LEAP will ever be shipped by default in a Microsoft operating system. LEAP is very broken in that it requires good passwords for it to remain secure. Compared to PEAP (or any TLS variant) where the encryption key is derived from a TLS handshake using server side certificates, LEAP is both weak and is harder to manage. With the recent criticism Microsoft has received when it comes to security, it is unlikely that it would choose to add a broken wireless authentication protocol like LEAP when it already has PEAP. PEAP provides both machine and user authentication fairly transparently and comes built-in with most popular desktop operating systems, such as XP; and clients are available for almost any operating system (MacOS, PDAs,…etc). Many new wireless NIC cards also ship a PEAP client for free for legacy operating systems. So PEAP is definitely the way to go.

Marcel Wiget, Chantry Networks:

Cisco produced an official response to Joshua Wright’s dictionary attack (Cisco Product Bulletin No. 2331), basically asking for a strong password policy or considering PEAP or EAP-TLS.

Another important aspect is what authentication protocols your wireless users have preinstalled on their network devices (notebooks, tablet PC’s, PDA, etc). Microsoft Windows 2000 and higher as well as Apple OS/X 10.2 and higher do have built-in support for EAP-TLS, EAP-TTLS and EAP-PEAP. The good news is that the different EAP types aren’t mutually exclusive and can be supported simultaneously. Basically the wireless client can pick an EAP method (TLS if it has a client certificate or PEAP and TTLS for username/password-based authentication) and as long as the 802.1x capable RADIUS server has support for the chosen EAP method, it works.