Problem doing LEAP with Odyssey Client/server
Last Post: October 10, 2005:
Hi members of the CWSP forum,
I am currently trying to reproduce the lab of the CWSP dedicated to LEAP.
For this purpose I use Odyssey Server and Odyssey Client (ver4.0) in trial versions.
I have installed the Odyssey server... everything is working fine. I use Active Directory as described in the lab guide for the user description (authuser1 / Password).
I use the Odyssey client with the same username and password, using the LEAP option.
According to what I see in the log file of the Odyssey server the authentication is successful (it says "User explicitly allowed; authuser1 accepted").
If I capture the frames (on the Ethernet LAN) between the authenticator and authentication server I see 4 frames:
Radius Access Request   // AP --> server   Code: Response, Type: Identity (authuser1)
Radius Access Challenge // server --> AP   Code: Request, Type: LEAP [challenge]
Radius Access Request   // AP --> server   Code: Response, Type: LEAP [challenge response]
Radius Access Challenge // server --> AP   Code: Success
Apparently the authentication is successful... however the supplicant never succeeds in authorizing the connection. It keeps on sending authentication requests!?!
Using a wireless sniffer I can see that the AP forwards the EAP success message to the supplicant.
I don't understand the reason why it doesn't work... It looks like the exchanges between the supplicant, authenticator and authentication server follow the standard.
I put below a capture of the trace on the supplicant side if it can help anyone in troubleshooting this issue.
Using another card (Artem card) it shows, however, this strange error message in the client log:
"Bogus unicast Key set prior to setting encryption type"... I guess this is the key of my problem but I don't know how to fix it.
If one of you can give me a hint I would be grateful.
Best Regards
Chris
PS: if anyone has a good link or good document explaining well the difference between the unicast key and the broadcast key I would be grateful... the explanation in the CWSP guide is not clear enough for me.
12:28:49.776 >>>>>>>> Starting authentication
12:28:49.776 [DTL] Supplicant state machine: txRspId, id = 6, prev = 6
12:28:49.776 [NRM] Transmitting EAP-Response
00000000: 01 00 00 15 02 06 00 15 01 42 49 4E 54 45 43 5C .........BINTEC
00000010: 61 75 74 68 75 73 65 72 31 authuser1
12:28:49.776 SetThreadPriority(1) returned success
12:28:49.776 ++ EAPOL message received
12:28:49.776 Message dequeued
12:28:49.776 SetThreadPriority(0) returned success
12:28:49.776 [DTL] Received EAPOL packet
00000000: 01 00 00 20 01 07 00 20 11 01 00 08 FF 74 E8 8C ... ... .....t..
00000010: BA 51 82 72 42 49 4E 54 45 43 5C 61 75 74 68 75 .Q.rBINTECauthu
00000020: 73 65 72 31 D3 1F 34 F5 1D A4 C6 5E 54 FA 32 6E ser1..4....^T.2n
00000030: C2 58 51 1F BF 5B .XQ..[
12:28:49.776 [NRM] Processing EAP-Request/17: code = 1, id = 7, length = 32
12:28:49.776 STATE_Auth() 6
12:28:49.776 [DTL] Supplicant state machine: txRspAuth, id = 7, prev = 6
12:28:49.776 [NRM] Transmitting EAP-Response
00000000: 01 00 00 30 02 07 00 30 11 01 00 18 DC 16 9D 8C ...0...0........
00000010: 82 6A A7 81 B4 9E 98 7F 8F B8 5C C0 30 A3 9F F2 .j........0...
00000020: 21 2A DE D4 42 49 4E 54 45 43 5C 61 75 74 68 75 !*..BINTECauthu
00000030: 73 65 72 31 ser1
12:28:49.776 SetThreadPriority(1) returned success
12:28:49.796 ++ EAPOL message received
12:28:49.796 Message dequeued
12:28:49.796 SetThreadPriority(0) returned success
12:28:49.796 [DTL] Received EAPOL packet
00000000: 01 00 00 04 03 08 00 04 11 01 00 08 FF 74 E8 8C .............t..
00000010: BA 51 82 72 42 49 4E 54 45 43 5C 61 01 5C 00 D1 .Q.rBINTECa...
00000020: 3A 7B 97 22 83 BE D4 1A A0 8E B5 C8 25 66 C2 53 :{."........%f.S
00000030: 44 93 DB 83 E5 47 D....G
12:28:49.796 [NRM] Processing EAP-Success: code = 3, id = 8, length = 4 -
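The EAPOL frames in the trace above, decoded. This is an added example, not part of the original thread and not Odyssey or Funk Software code: a small parser for the EAPOL header, the EAP header and the LEAP payload (type 17, laid out as version, unused, count, challenge/response data, name). The four frame byte strings are copied from the log above; the function and constant names are my own. Two things worth seeing: frames 2 and 4 carry stale bytes past the length the header declares, which a parser must drop rather than interpret, and the EAP conversation itself does end with an EAP-Success whose identifier follows the LEAP exchange, which supports Chris's reading that the EAP part is fine and the problem lies elsewhere.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Code points from RFC 3748 and the IANA EAP registry; type 17 is Cisco LEAP.
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP"}

# Frame bytes copied from the supplicant trace in the post above (hex dumps only).
TRACE_FRAMES = [
    "01 00 00 15 02 06 00 15 01 42 49 4E 54 45 43 5C 61 75 74 68 75 73 65 72 31",
    "01 00 00 20 01 07 00 20 11 01 00 08 FF 74 E8 8C BA 51 82 72 42 49 4E 54 45 43 5C"
    " 61 75 74 68 75 73 65 72 31 D3 1F 34 F5 1D A4 C6 5E 54 FA 32 6E C2 58 51 1F BF 5B",
    "01 00 00 30 02 07 00 30 11 01 00 18 DC 16 9D 8C 82 6A A7 81 B4 9E 98 7F 8F B8 5C C0"
    " 30 A3 9F F2 21 2A DE D4 42 49 4E 54 45 43 5C 61 75 74 68 75 73 65 72 31",
    "01 00 00 04 03 08 00 04 11 01 00 08 FF 74 E8 8C BA 51 82 72 42 49 4E 54 45 43 5C"
    " 61 01 5C 00 D1 3A 7B 97 22 83 BE D4 1A A0 8E B5 C8 25 66 C2 53 44 93 DB 83 E5 47",
]


@dataclass
class EapolFrame:
    eapol_type: str
    code: str                 # EAP code name, or "n/a" for non-EAP EAPOL types
    identifier: int
    eap_type: Optional[str]
    detail: dict = field(default_factory=dict)
    trailing_bytes: int = 0   # bytes on the wire beyond the declared EAPOL length


def parse_leap(data: bytes) -> dict:
    """LEAP payload: version(1) unused(1) count(1) challenge/response(count) name(rest)."""
    if len(data) < 3:
        raise ValueError("LEAP payload too short")
    version, count = data[0], data[2]
    if len(data) < 3 + count:
        raise ValueError("LEAP count exceeds payload")
    return {"leap_version": version, "count": count,
            "data": data[3:3 + count].hex(),
            "name": data[3 + count:].decode("latin-1")}


def parse_eapol(raw: bytes) -> EapolFrame:
    """Decode one EAPOL frame, honouring the declared lengths and ignoring any excess."""
    if len(raw) < 4:
        raise ValueError("EAPOL header truncated")
    _version, etype, elen = struct.unpack("!BBH", raw[:4])
    body = raw[4:4 + elen]
    if len(body) < elen:
        raise ValueError("EAPOL body shorter than declared length")
    trailing = len(raw) - 4 - elen
    eapol_type = EAPOL_TYPES.get(etype, f"unknown({etype})")
    if etype != 0:
        return EapolFrame(eapol_type, "n/a", 0, None, {}, trailing)
    if elen < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len != elen:
        raise ValueError("EAP length disagrees with EAPOL length")
    frame = EapolFrame(eapol_type, EAP_CODES.get(code, f"unknown({code})"), ident, None, {}, trailing)
    if code in (1, 2):        # Request and Response carry a Type byte plus type data
        if eap_len < 5:
            raise ValueError("EAP Request/Response without Type byte")
        type_byte = body[4]
        frame.eap_type = EAP_TYPES.get(type_byte, f"unknown({type_byte})")
        data = body[5:eap_len]
        if type_byte == 1:
            frame.detail = {"identity": data.decode("latin-1")}
        elif type_byte == 17:
            frame.detail = parse_leap(data)
    return frame


def describe(frame: EapolFrame) -> str:
    text = f"EAP-{frame.code} id={frame.identifier}"
    if frame.eap_type:
        text += f"/{frame.eap_type}"
    text += "".join(f" {k}={v}" for k, v in frame.detail.items())
    if frame.trailing_bytes:
        text += f" (+{frame.trailing_bytes} bytes past declared length, ignored)"
    return text


def responses_match_requests(frames: List[EapolFrame]) -> bool:
    """Every Response that follows a Request must echo its identifier (RFC 3748)."""
    return all(not (cur.code == "Response" and prev.code == "Request") or cur.identifier == prev.identifier
               for prev, cur in zip(frames, frames[1:]))


def conversation_outcome(frames: List[EapolFrame]) -> str:
    return frames[-1].code if frames else "empty"


if __name__ == "__main__":
    decoded = [parse_eapol(bytes.fromhex(h)) for h in TRACE_FRAMES]
    for f in decoded:
        print(describe(f))
    print("ids consistent:", responses_match_requests(decoded), "outcome:", conversation_outcome(decoded))
```

Running it prints the Identity response, the 8-byte LEAP challenge, the 24-byte LEAP response, and the EAP-Success, with the stale tail of frames 2 and 4 reported but not decoded. Honouring the length fields is the safe default for any EAPOL parser; the supplicant here evidently does the same, since it logs `length = 4` for the Success.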
I have got an answer from the Funk Software support team.
LEAP is supported only by very specific APs... it is not just a matter of whether or not the AP supports 802.1x/EAP and the supplicant and authentication server support LEAP.
The AP MUST be compliant !!
It is something you definitely have to know prior to implementing LEAP in your network.
Regards
Chris -
That is correct...
LEAP is a proprietary protocol where the authenticator (Cisco AP) alters the EAP frames during the EAP exchange. The EAP standard actually requires that the authenticator not mess with the frame exchange... thus LEAP is proprietary.
Therefore, you must use Cisco access points with LEAP. However, Aruba Networks has evidently reverse-engineered LEAP, and LEAP will work with an Aruba Networks Wi-Fi switching solution.
All this being said, LEAP has serious security holes and I would recommend that you deploy PEAP, EAP-TTLS or EAP-FAST instead. -
Thanks David,
I completely agree with you. I would suggest however that the CWNP program be more precise on the compliance of APs and the security holes of LEAP...
In the previous version of the CWSP book (and during the training lab) there was nothing about these problems.
It took me some time to get this important information from Funk Software also (the support engineer didn't know we must use a LEAP compliant AP).
Thanks for your contribution
Best Regards
Christophe