Re: Implementation of LEAP kind of Security Mechanism on HostAP


From: Jouni Malinen (jkmaline_at_cc.hut.fi)
Date: 2002-09-21 13:38:05 UTC



On Sat, Sep 21, 2002 at 03:16:05PM +0200, Jacques Caron wrote:

> I think the main difference between LEAP and 802.1X is that LEAP is
> implemented as an 802.11 authentication method (so before authentication)
> rather than encapsulated in 802.11 data frames with a specific Ethertype.

My ignorance of LEAP is showing.. ;-) I just read something about its RADIUS side and it looked quite similar to 802.1X. As a different 802.11 auth alg, this would need to be implemented in handle_auth(). That shouldn't be complex; however, this might require result caching or something like it to make sure that the reply auth frame can be sent quickly enough or the station might miss it.

> Afaik, the keys are not transmitted in MS-MPPE-Send/Recv-Key VSA, but using
> a cisco VSA instead. It might have changed in the meantime, of course, and
> I know the cisco APs support the MS VSAs with other EAP methods very well.

OK. The description on the cistron-radius list talked about MS-MPPE-Send-Key and mppe_encrypt() used on the session key, but yes, there is also something about Cisco VSA.

-- 
Jouni Malinen                                            PGP id EFC895FA
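
Added example, not part of the original message and not HostAP or cistron-radius code: a sketch of how RFC 2548 protects the key carried in an MS-MPPE-Send-Key attribute, so the session key mentioned above is only recoverable with the RADIUS shared secret and the Request Authenticator. The function names and sample values are constructed, and that the mppe_encrypt() discussed on the list follows this scheme is an assumption.

```python
import hashlib
import os

def _keystream(secret: bytes, prev: bytes) -> bytes:
    # b(i) = MD5(shared secret || previous block); for the first block the
    # "previous block" is Request Authenticator || Salt (RFC 2548, 2.4.2).
    return hashlib.md5(secret + prev).digest()

def mppe_key_encrypt(key: bytes, secret: bytes, req_auth: bytes, salt: bytes = None) -> bytes:
    """Return the attribute's String field: 2-byte Salt || encrypted key."""
    if len(req_auth) != 16 or not 0 < len(key) < 256:
        raise ValueError("need a 16-byte authenticator and a 1..255 byte key")
    if salt is None:
        # Salt must have its most significant bit set and be unique per packet.
        salt = bytes([os.urandom(1)[0] | 0x80]) + os.urandom(1)
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the top bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)          # zero-pad to 16-byte blocks
    out, prev = b"", req_auth + salt
    for i in range(0, len(plain), 16):
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], _keystream(secret, prev)))
        out += block
        prev = block                                # chain on the ciphertext
    return salt + out

def mppe_key_decrypt(field: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Recover the key; raise ValueError on malformed or implausible input."""
    if len(field) < 18 or (len(field) - 2) % 16 or not field[0] & 0x80:
        raise ValueError("malformed MS-MPPE key field")
    cipher, plain, prev = field[2:], b"", req_auth + field[:2]
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, _keystream(secret, prev)))
        prev = block
    if plain[0] > len(plain) - 1:
        # There is no integrity check here; a bad length is the only hint
        # that the shared secret or authenticator did not match.
        raise ValueError("length octet out of range")
    return plain[1:1 + plain[0]]

# Constructed sample values, for illustration only.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    field = mppe_key_encrypt(SESSION_KEY, SECRET, REQ_AUTH)
    print(field.hex(), mppe_key_decrypt(field, SECRET, REQ_AUTH) == SESSION_KEY)
```

The scheme gives confidentiality only as strong as the shared secret and has no integrity protection of its own, so an access point should rely on the RADIUS Response Authenticator check before using the recovered key.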

