Problem solve Get help with specific problems with your technologies, process and projects.


I've recently heard a lot about how the 802.11 wireless networking Protocol is very unsecured. I've read about...

the new security systems such as LEAP and PEAP I am wondering what these are and what is the difference is? The original 802.11 standard provided weak access control based on shared key authentication. Stations communicating with a given access point (AP) must possess a hex "password". Stations use this value to respond to a challenge, proving they know the password. APs that require shared key authentication will only associate with stations that pass this challenge.

Group passwords are weak in general, but 802.11 shared keys are even worse. The same shared keys are used for authentication and data encryption. Due to weaknesses in 802.11 Wired Equivalent Privacy (WEP), an attacker can capture encrypted frames and analyze them, eventually determining the key used to encrypt them. Once the attacker has the shared key, not only can he decrypt frames, but he can also present himself as an authentic user.

Because the 802.11 standard did not include a protocol to dynamically update keys, most 802.11 cards and APs are manually configured with values that are used indefinitely. An attacker that guesses or cracks this static key can use it for quite awhile, and it might not be so easy to reconfigure every station to replace a compromised key.

LEAP and PEAP are extensible authentication protocols that provide stronger authentication for newer 802.11 WLANs that support 802.1X port access control. LEAP is a Cisco-proprietary protocol; PEAP is a newer draft that is gathering support to become an Internet standard. Cisco has already released code that supports PEAP and is expected to phase out LEAP. There are also other EAP types like EAP-TLS (already a standard, included in Windows XP) and EAP-TTLS (another draft, supported by clients from Funk et al). Rather then muddy the waters by explaining all of these EAP types, I will just discuss on PEAP at a high level.

802.1X lets WLAN stations and authentication servers authenticate each other. The AP sits in between these two and only permits successfully authenticated users to access to the wired network. PEAP is the protocol that carries authentication data. Unlike shared key authentication, PEAP creates a secure channel (a TLS session) over which the WLAN user can be authenticated with legacy credentials. For example, PEAP can authenticate your Windows username and password against a Windows 2000 Active Directory domain, without making this auth info susceptible to sniffing or offline dictionary attack.

When 802.1X and PEAP are combined with another emerging improvement called TKIP, dynamic WEP keys can be delivered to authenticated stations. Not only does every station get its own encryption keys, but those keys have a finite lifetime, after which the station must either be re-keyed or terminated. An attacker might still capture encrypted frames, but there is less traffic to analyze, it is harder to crack the key, and a compromised key is much less useful.

So, you can see that the combination of PEAP and TKIP address the worst security vulnerabilities associated with shared key authentication and WEP encryption. To learn more, including the differences bewteen LEAP and PEAP, visit these URLs:

Microsoft Article on PEAP with MS-CHAPv2: http://www.microsoft.com/technet/columns/cableguy/cg0702.asp

Cisco WLAN Security White Paper: https://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b469f.shtml

Dig Deeper on Enterprise mobility strategy and policy