Posted by paulyb on January 17, 2007, 11:56 am
Hello,

Anyone know how an 802.11 station is supposed to know that a Cisco Aironet 1200 access point requires LEAP authentication? I would expect it would pick up on RSN information elements in beacons along with the required LEAP type in an EAPOL packet, but my AP doesn't seem to put RSN data in the beacons (verified with a sniffer) no matter how I configure it.

I'm not sure if this is a simple misconfiguration of the access point or just my misunderstanding of the protocol. It doesn't seem to be mentioned in the LEAP spec (CCX v1). What makes a station think "I'll try using LEAP", or is it supposed to just guess?

Thanks in advance,
Paul.
Posted by Aaron Leonard on January 18, 2007, 12:16 pm
It's up to the RADIUS server to negotiate this with the supplicant. This is done via an EAP Request frame of an Authentication Protocol type. See fig. 7.3 in http://www.ciscopress.com/articles/article.asp?p=369223&rl=1 .

One way to watch the EAP negotiations is to turn on Ethernet-II layer packet capture on the PC's wireless adapter. E.g. run Wireshark in nonpromiscuous mode.

Aaron

---

~ Hello,
~ Anyone know how an 802.11 station is supposed to know that a Cisco
~ Aironet 1200 access point requires LEAP authentication? I would expect
~ it would pick up on RSN information elements in beacons along with the
~ required LEAP type in an EAPOL packet, but my AP doesn't seem to put
~ RSN data in the beacons (verified with a sniffer) no matter how I
~ configure it.
~
~ I'm not sure if this is a simple misconfiguration of the access point
~ or just my misunderstanding of the protocol. It doesn't seem to be
~ mentioned in the LEAP spec (CCX v1). What makes a station think "I'll
~ try using LEAP", or is it supposed to just guess?
~
~ Thanks in advance,
~ Paul.
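An added example, not part of the post above or of the thread: a minimal decoder for the EAPOL frames that an Ethernet-II capture like the one suggested would show, reporting which EAP method each Request proposes (LEAP is EAP type 17 in the IANA registry). The frames, MAC addresses and payload bytes are constructed for illustration.

```python
import struct

ETH_P_PAE = 0x888E  # EtherType for 802.1X (EAPOL)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method type numbers; 17 is the value assigned to Cisco LEAP.
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             17: "LEAP", 25: "PEAP"}


def decode_eapol(frame: bytes):
    """Decode one Ethernet II frame; return a dict, or None if not an EAP packet."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETH_P_PAE:
        return None
    _version, pkt_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if pkt_type != 0 or len(body) < 4:  # 0 = EAP-Packet (not Start/Logoff/Key)
        return None
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        return None  # truncated or malformed EAP header
    out = {"code": EAP_CODES.get(code, str(code)), "id": ident, "method": None, "offers": []}
    if code in (1, 2) and eap_len >= 5:  # only Request/Response carry a Type octet
        eap_type = body[4]
        out["method"] = EAP_TYPES.get(eap_type, f"type {eap_type}")
        if eap_type == 3:  # Nak: the data lists the methods the peer would accept
            out["offers"] = [EAP_TYPES.get(t, f"type {t}") for t in body[5:eap_len]]
    return out


def build(code, ident, eap_type=None, data=b""):
    """Construct a sample frame (made-up, locally administered MACs) for the demo."""
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    eap = struct.pack("!BBH", code, ident, 4 + len(payload)) + payload
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + struct.pack("!H", ETH_P_PAE)
    return eth + struct.pack("!BBH", 1, 0, len(eap)) + eap


# Constructed exchange: identity, server proposes LEAP, peer Naks and asks for PEAP.
SAMPLE = [
    build(1, 1, 1),                    # Request/Identity
    build(2, 1, 1, b"paul"),           # Response/Identity
    build(1, 2, 17, bytes(13)),        # Request, type 17, opaque constructed payload
    build(2, 2, 3, bytes([25])),       # Response/Nak offering type 25
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(decode_eapol(f))
```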
Posted by paulyb on January 19, 2007, 5:03 am
Yes, I understand the EAP type is negotiated in step 3 of the 802.11 spec, section 8.1.3:

About the station ...
"
1) It identifies the AP as RSNA-capable from the AP's Beacon or Probe Response frames.
2) It shall invoke Open System authentication.
3) It negotiates cipher suites during the association process, as described in 8.4.2 and 8.4.3.
"

My question was more about step 1, given that I've switched Network-EAP on and the Aironet 1200 isn't putting out the IEs (recent firmware v:12.3.8-JA2). The LEAP spec is probably pre-all this lot, so also doesn't mention it at all.

Thank you for the article reference. It is very relevant to me at the moment. Some weekend reading :)

Regards,
Paul.

Aaron Leonard wrote:
>
> One way to watch the EAP negotiations is to turn on Ethernet-II layer
> packet capture on the PC's wireless adapter. E.g. run Wireshark in
> nonpromiscuous mode.
>
> Aaron
>
> ---
>
> ~ Hello,
> ~ Anyone know how an 802.11 station is supposed to know that a Cisco
> ~ Aironet 1200 access point requires LEAP authentication? I would expect
> ~ it would pick up on RSN information elements in beacons along with the
> ~ required LEAP type in an EAPOL packet, but my AP doesn't seem to put
> ~ RSN data in the beacons (verified with a sniffer) no matter how I
> ~ configure it.
> ~
> ~ I'm not sure if this is a simple misconfiguration of the access point
> ~ or just my misunderstanding of the protocol. It doesn't seem to be
> ~ mentioned in the LEAP spec (CCX v1). What makes a station think "I'll
> ~ try using LEAP", or is it supposed to just guess?
> ~
> ~ Thanks in advance,
> ~ Paul.

LEAP authentication and RSN
> it's up to the RADIUS server to negotiate this with the supplicant.
> This is done via an EAP Request frame of an Authentication Protocol
> type. See fig. 7.3 in