Re: LEAP, and other EAPs.



On Sun, 2007-07-15 at 10:52 -0400, Darren Albers wrote:
> On 7/15/07, Aaron Konstam <akonstam sbcglobal net> wrote:
> > On Sun, 2007-07-15 at 09:14 -0400, Dan Williams wrote:
> > > On Fri, 2007-07-13 at 19:19 -0400, Darren Albers wrote:
> > > > I think Cisco is just acknowledging the obvious and longstanding
> > > > weaknesses in LEAP and is doing the right thing and advising their
> > > > customers to move to PEAP which works the same from the user's
> > > > perspective.
> > >
> > > LEAP has been steadily going away for a long time, because there are
> > > well-known exploitable vulnerabilities (dictionary attacks on your
> > > password) that have been around for at least 3 or 4 years.  LEAP hasn't
> > > been considered secure for a long time.  Dynamic WEP with 802.1x is
> > > actually better, but only if you change your WEP key really often.
> > >
> > > LEAP also sucks because you can't know whether or not an AP supports it
> > > from the beacon, which is what WPA[2] fixes quite nicely.
> >
> >
> > The above sort of misses several points. One does not have the power to
> > decide what authorization method an access point supplier uses. I use
> > LEAP because that is what the University I was contacting uses.
> >
> > Second, if NM advertises it supports LEAP it should support LEAP. Until
> > last week it did not at least on Fedora 7.
> 
> It did support it but a patch broke it; it wasn't caught since you
> can't test LEAP without Cisco APs or a LEAP network, which none of the
> devs have access to.
> 
> >
> > Third, I am now informed that NM supports PEAP and other EAPs. Does it?
> > Has anyone actually tried it? I hope so. In addition this ability is
> > pretty well hidden in the lists of options that nm-applet displays. I
> > would probably not have found it if Darren Albers had showed me how.
> >
> >
> 
> I have used PEAP and EAP-TLS successfully before.  It isn't really
> hidden, it is under connect to other network....   If NM detects a
> network using EAP then the PEAP or EAP-TLS options are shown.  If your
> network is not broadcasting and you need to select the options
> manually you will need to select connect to other network so I /think/
> all the places you would need to find it are covered.
> 
> As Dan stated in an earlier post LEAP was different because you can't
> tell if it is just a normal WEP network or a LEAP network.

I don't think LEAP networks set the "privacy" bit (i.e., the WEP bit) in
the beacon, which means you can't tell between LEAP or unencrypted
networks.  That's the same with 802.1x+Dynamic WEP too.

Dan
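
Added example, not part of the original message and not NetworkManager code: a sketch of what a scanner can read from a beacon frame body, showing that WPA/WPA2 advertise their key management in an information element while a pre-WPA network exposes only the privacy bit. It assumes only the standard capability field and WPA/RSN elements are examined; the beacon() helper and the sample frames are constructed for illustration.

```python
import struct

PRIVACY = 0x0010                      # Capability Information, bit 4
AKM_NAMES = {1: "802.1X", 2: "PSK"}   # suite type, same numbering in WPA and RSN
WPA_HDR = bytes.fromhex("0050f201")   # vendor element: Microsoft OUI + type 1

def akm_suites(body):
    """AKM suite types from an RSN body (or a WPA body after its 4-byte header)."""
    off = 2 + 4                                    # version, group cipher
    (n_pair,) = struct.unpack_from("<H", body, off)
    off += 2 + 4 * n_pair                          # pairwise cipher list
    (n_akm,) = struct.unpack_from("<H", body, off)
    off += 2
    return [body[off + 4 * i + 3] for i in range(n_akm)]

def classify(beacon_body):
    """Return what can be concluded from one beacon frame body."""
    (caps,) = struct.unpack_from("<H", beacon_body, 10)  # after timestamp + interval
    off, akms = 12, []
    while off + 2 <= len(beacon_body):
        eid, length = beacon_body[off], beacon_body[off + 1]
        data = beacon_body[off + 2: off + 2 + length]
        try:
            if eid == 48:                                # RSN (WPA2)
                akms += akm_suites(data)
            elif eid == 221 and data[:4] == WPA_HDR:     # WPA
                akms += akm_suites(data[4:])
        except (struct.error, IndexError):
            pass                                         # truncated element: ignore
        off += 2 + length
    if akms:
        names = sorted({AKM_NAMES.get(a, "other") for a in akms})
        return "WPA/RSN, key management: " + ", ".join(names)
    if caps & PRIVACY:
        return "privacy bit only: WEP-class, 802.1X/LEAP use not advertised"
    return "no privacy bit, no WPA/RSN element: 802.1X/LEAP use not advertised"

def beacon(caps, *ies):
    """Constructed sample: zero timestamp, interval 100, then the given elements."""
    return struct.pack("<QHH", 0, 100, caps) + b"".join(
        bytes([eid, len(data)]) + data for eid, data in ies)

if __name__ == "__main__":
    rsn = bytes.fromhex("0100000fac040100000fac040100000fac010000")
    print(classify(beacon(0x0011, (0, b"campus"), (48, rsn))))
    print(classify(beacon(0x0011, (0, b"campus"))))
    print(classify(beacon(0x0001, (0, b"campus"))))
```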



