Introduction

802.1x is an IEEE standard for port-based (well, we would rather say interface-based) enduser authentication on LANs. While it supports (and was initially designed for) Ethernet, the main current use of 802.1x is wireless users’ authentication as a part of the wireless security scheme provided by the 802.11i security standard. The 802.1x authentication chain consists of three elements:

• Supplicant An end-user station, often a laptop, that runs 802.1x client software.
• Authenticator A switch, a wireless gateway, or an access point to which the authenticating users connect. It must be configured to support 802.1x on the involved interfaces with commands like aaa authentication dot1x default group radius (global configuration) and dot1x port control auto (switch interface).
• Authentication server A RADIUS server to which authenticators forward end users’ authentication requests for verification and authentication decision.

EAP-LEAP Basics

The Extensible Authentication Protocol (EAP) is used by all three 802.1x component devices to communicate with each other. It is extensible since many different EAP types exist for all kinds of authentication plans—for example, employing SIM cards, tokens, certificates, and more traditional passwords. Here we are interested only in Cisco-related protocols and products, thus the security weaknesses of EAP-LEAP are the target of the discussion.

Read more »