Can you help me understand the differences between WPA2 and Cisco LEAP security protocols? Which one is better, more convenient, or safer?
Cisco's LEAP (Lightweight Extensible Authentication Protocol) is a proprietary, pre-standard variant of IEEE 802.1X, created before that port-based access control standard was approved. 802.1X is a framework that lets an authentication server verify a wireless user's credentials before the Access Point admits that user to its distribution system (that is, the wired network connected to the Access Point). 802.1X can be used with many kinds of credentials, such as passwords, tokens, and certificates, because the 802.1X requests and responses can carry any type of EAP (Extensible Authentication Protocol).
Cisco LEAP is one such EAP type, designed for password authentication. With LEAP, the Access Point checks the client's user name and relays RADIUS (Remote Authentication Dial-In User Service) messages between the client and the authentication server. The authentication server uses MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) to check the client's password. The client never sends its password; it combines the password with the server's challenge to produce a hash. The server computes its own hash the same way and compares it with the value sent by the client; if they match, the client is accepted. A second MS-CHAP exchange then lets the client authenticate the server. Once both sides are satisfied, the client and server exchange encryption keys so that the data sent afterwards can be protected by WEP.
Unfortunately, LEAP is vulnerable to dictionary attacks. First, the user name is sent unencrypted, so anyone can read it. Second, the hash value sent by the client can be compared against hash values generated from a dictionary of candidate passwords to crack (or guess) the password. Freely available tools such as Anwrap, Asleap, and THC-LEAPcracker automate this. Using a very long, random password helps defeat dictionary attacks, but this workaround is impractical because many WLANs use LEAP together with existing user names (such as Windows domain user names) and passwords; in fact, that is exactly why LEAP is easy to deploy.
There are also many other, less familiar EAP types that can be used with 802.1X. For example, EAP-TLS supports mutual authentication based on digital certificates. PEAP (Protected EAP) runs MS-CHAPv2 password authentication inside an encrypted TLS channel to prevent sp and dictionary attacks. In fact, there are over 40 defined EAP types. Some are weaker than LEAP (such as EAP-MD5) and some are stronger (such as EAP-TLS and PEAP). Naturally, some EAP types are harder to use than LEAP; to use EAP-TLS, for example, every client must have a certificate. No single EAP type meets everyone's needs.
How does WPA2 relate to these protocols? WPA2, the second version of Wi-Fi Protected Access, is a certification program run by the Wi-Fi Alliance. Products that correctly implement the relevant parts of the IEEE 802.11i enhanced-security standard can pass WPA2 testing. When you buy a wireless product that supports WPA2, it uses 802.1X authentication and AES encryption; it may support 802.1X with EAP-TLS or with other EAP types. WPA2 therefore provides stronger authentication and data encryption than LEAP.
However, the choice of EAP type to use with WPA2 is left to the customer, so security ultimately comes down to configuration. What to choose depends on your WLAN, but most WLANs that use WPA2 use a stronger EAP type rather than LEAP. Deploying WPA2 can be complex, especially on networks with many different client cards and operating systems. Still, using WPA2 with PEAP on a single-vendor WLAN is about as much work as deploying Cisco LEAP.
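The answer's ranking of EAP types (LEAP and EAP-MD5 weak, PEAP needing its TLS tunnel, EAP-TLS needing client certificates) can be turned into a quick client-side configuration audit. The following is an added example, not code from the original answer or from any vendor; it assumes a wpa_supplicant.conf-style file with `network={ ... }` blocks and uses a constructed sample rather than a real site configuration.

```python
import re

# Constructed wpa_supplicant.conf-style sample (assumed format; not from the answer above).
SAMPLE_CONF = """
network={
    ssid="corp-legacy"
    key_mgmt=WPA-EAP
    eap=LEAP
    identity="alice"
    password="Winter2024"
}
network={
    ssid="corp-peap"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="corp-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    ca_cert="/etc/ssl/corp-ca.pem"
    client_cert="/etc/ssl/alice.pem"
    private_key="/etc/ssl/alice.key"
}
"""

def parse_networks(text):
    """One dict per network={...} block, built from its key=value lines."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                key, val = line.split("=", 1)
                net[key.strip()] = val.strip().strip('"')
        nets.append(net)
    return nets

def audit(net):
    """Findings for one block, following the EAP ranking given in the answer."""
    eap = net.get("eap", "").upper()
    if eap == "LEAP":
        return ["LEAP: identity in clear, MS-CHAP response checkable offline; move to PEAP or EAP-TLS"]
    if eap == "MD5":
        return ["EAP-MD5: weaker than LEAP"]
    if eap in ("PEAP", "TTLS") and "ca_cert" not in net:
        return [eap + ": no ca_cert, so the server is not validated and the TLS tunnel protects nothing"]
    if eap == "TLS" and not all(k in net for k in ("client_cert", "private_key")):
        return ["EAP-TLS: client certificate and private key are required"]
    return []

def audit_conf(text):
    """Map each SSID to its list of findings (empty list means no issue found)."""
    return {net.get("ssid", "?"): audit(net) for net in parse_networks(text)}
```

Running `audit_conf(SAMPLE_CONF)` flags the LEAP network and the PEAP network that skips CA validation, and passes the EAP-TLS network.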