Re: LEAP, and other EAPs.
- From: Dan Williams <dcbw redhat com>
- To: Darren Albers <dalbers gmail com>
- Cc: NetworkManager <networkmanager-list gnome org>
- Subject: Re: LEAP, and other EAPs.
- Date: Sun, 15 Jul 2007 13:20:21 -0400
On Sun, 2007-07-15 at 10:52 -0400, Darren Albers wrote:
> On 7/15/07, Aaron Konstam <akonstam sbcglobal net> wrote:
> > On Sun, 2007-07-15 at 09:14 -0400, Dan Williams wrote:
> > > On Fri, 2007-07-13 at 19:19 -0400, Darren Albers wrote:
> > > > I think Cisco is just acknowledging the obvious and longstanding
> > > > weaknesses in LEAP and is doing the right thing and advising their
> > > > customers to move to PEAP which works the same from the users
> > > > prospective.
> > >
> > > LEAP has been steadily going away for a long time, because there are
> > > well-known exploitable vulnerabilities (dictionary attacks on your
> > > password) that have been around for at least 3 or 4 years. LEAP
> > > hasn't
> > > been considered secure for a long time. Dynamic WEP with 802.1x is
> > > actually better, but only if you change your WEP key really often.
> > >
> > > LEAP also sucks because you can't know whether or not an AP supports
> > > it
> > > from the beacon, which is what WPA[2] fixes quite nicely.
> >
> >
> > The above sort of misses several points. One does not have the power to
> > decide what authorization method an access point supplier uses. I use
> > LEAP because that is what the University I was contacting uses.
> >
> > Second, if NM advertises it supports LEAP it should support LEAP. Until
> > last week it did not at least on Fedora 7.
>
> It did support it but a patch broke it, it wasn't caught since you
> can't test LEAP without Cisco AP's or a LEAP network which none of the
> dev's have access to.
>
> >
> > Third, I am now informed that NM supports PEAP and other EAPs. Does it?
> > Has anyone actually tried it? I hope so. In addition this ability is
> > pretty well hidden in the lists of options that nm-applet displays. I
> > would probably not have found it if Darren Albers had showed me how.
> >
> >
>
> I have used PEAP and EAP-TLS successfully before. It isn't really
> hidden, it is under connect to other network.... If NM detects a
> network using EAP then the PEAP or EAP-TLS options are shown. If your
> network is not broadcasting and you need to select the options
> manually you will need to select connect to other network so I /think/
> all the places you would need to find it are covered.
>
> As Dan stated in an earlier post LEAP was different because you can't
> tell if it is just a normal WEP network or a LEAP network.
I don't think LEAP networks set the "privacy" bit (ie, the WEP bit) in
the beacon, which means you can't tell between LEAP or unencrypted
networks. That's the same with 802.1x+Dynamic WEP too.
Dan
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]