Re: LEAP, and other EAPs.

From: "Darren Albers" <dalbers gmail com>
To: "Aaron Konstam" <akonstam sbcglobal net>
Cc: NetworkManager <networkmanager-list gnome org>
Subject: Re: LEAP, and other EAPs.
Date: Sun, 15 Jul 2007 10:52:47 -0400

On 7/15/07, Aaron Konstam <akonstam sbcglobal net> wrote:

On Sun, 2007-07-15 at 09:14 -0400, Dan Williams wrote:
> On Fri, 2007-07-13 at 19:19 -0400, Darren Albers wrote:
> > I think Cisco is just acknowledging the obvious and longstanding
> > weaknesses in LEAP and is doing the right thing and advising their
> > customers to move to PEAP which works the same from the users
> > prospective.
>
> LEAP has been steadily going away for a long time, because there are
> well-known exploitable vulnerabilities (dictionary attacks on your
> password) that have been around for at least 3 or 4 years.  LEAP
> hasn't
> been considered secure for a long time.  Dynamic WEP with 802.1x is
> actually better, but only if you change your WEP key really often.
>
> LEAP also sucks because you can't know whether or not an AP supports
> it
> from the beacon, which is what WPA[2] fixes quite nicely.


The above sort of misses several points. One does not have the power to
decide what authorization method an access point supplier uses. I use
LEAP because that is what the University I was contacting uses.

Second, if NM advertises it supports LEAP it should support LEAP. Until
last week it did not at least on Fedora 7.


It did support it but a patch broke it, it wasn't caught since you
can't test LEAP without Cisco AP's or a LEAP network which none of the
dev's have access to.


Third, I am now informed that NM supports PEAP and other EAPs. Does it?
Has anyone actually tried it? I hope so. In addition this ability is
pretty well hidden in the lists of options that nm-applet displays. I
would probably not have found it if Darren Albers had showed me how.


I have used PEAP and EAP-TLS successfully before.  It isn't really
hidden, it is under connect to other network....   If NM detects a
network using EAP then the PEAP or EAP-TLS options are shown.  If your
network is not broadcasting and you need to select the options
manually you will need to select connect to other network so I /think/
all the places you would need to find it are covered.

As Dan stated in an earlier post LEAP was different because you can't
tell if it is just a normal WEP network or a LEAP network.

Follow-Ups:
- Re: LEAP, and other EAPs.
  - From: Dan Williams

References:
- LEAP, the saga continues
  - From: Aaron Konstam
- Re: LEAP, the saga continues
  - From: Darren Albers
- Re: LEAP, the saga continues
  - From: Dan Williams
- Re: LEAP, and other EAPs.
  - From: Aaron Konstam

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]