A few things I don't understand about wireless security



Hajime
22-03-2005, 04:23 PM
Hajime was reading a document and found this passage a bit hard to understand:



Cisco LEAP is a user-based authentication algorithm that is secure enough to implement in hostile wireless LAN deployments. Based on these user requirements, and the need for single-sign-on (SSO) capabilities, Cisco built Cisco LEAP around the premise of Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).

Cisco LEAP is a password-based algorithm. It preserves the integrity of the password during wireless authentication by converting the password to a secret key value so that wireless eavesdroppers cannot sniff Cisco LEAP authentication and see a user’s password transmitted across the wireless link. The secret key value is the result of a mathematical function called a hash function. A hash function is an algorithm that one-way encrypts data. The data cannot be decrypted to derive the original input. Cisco LEAP uses secrets in the form of the Microsoft NT key format. The Windows NT key is a Message Digest Algorithm 4 (MD4) hash of an MD4 hash of the user’s password.

Cisco has developed drivers for most versions of Microsoft Windows (Windows 95, 98, Me, 2000, NT and XP) and uses the Windows logon as the Cisco LEAP logon. A software shim in the Windows logon allows the username and password information to be passed to the Cisco Aironet client driver. The driver will convert the password into a Windows NT key and hand the username and Windows NT key to the Cisco NIC. The NIC executes 802.1X transactions with the AP and the authentication, authorization, and accounting (AAA) server.

Reauthentication and subsequent WEP key derivation follow a similar process. The transaction is WEP-encrypted with the existing client WEP key, and the client’s port on the access point does not transition to a blocking state. It will remain in the forwarding state until the client explicitly sends an EAP Logoff message or fails reauthentication.



Is Cisco LEAP an algorithm, or is it a piece of software, a solution from Cisco?

When using Cisco LEAP, there is a logon screen like the Windows one, where you enter a username and password. Then a piece of software passes the username and password to the Cisco Aironet client driver. This driver converts the password into a Windows NT key.

And then what happens next? Having read up to here, Hajime doesn't really understand it yet. I hope someone can walk me through it.

Could anyone here use a picture to explain the above for me? (that would be best)

Thank you,
:wink:

ITcancu
09-07-2005, 10:38 PM
A frightening silence. Honestly, when I read about this security part I didn't understand it either. When a user has an AP and needs to configure it, which interface do they use to look at it and configure it? Because an AP doesn't have a console port like a router that you connect to a computer to configure.
Anyone who knows, please help me out.

rosekiller
11-07-2005, 12:43 PM
I'm not too clear about Wireless either, but seeing Hajime ask, I tried searching for what Cisco LEAP is, and SearchNetworking says this:

Cisco LEAP (Lightweight Extensible Authentication Protocol), also known as Cisco-Wireless EAP, provides username/password-based authentication between a wireless client and a RADIUS server like Cisco ACS or Interlink AAA. LEAP is one of several protocols used with the IEEE 802.1X standard for LAN port access control. In the 802.1X framework, a LAN station cannot pass traffic through an Ethernet hub or WLAN access point until it successfully authenticates itself. The station must identify itself and prove that it is an authorized user before it is actually allowed to use the LAN.

LEAP also delivers a session key to the authenticated station, so that future frames can be encrypted with a key that is different than keys used by other sessions. Dynamic key delivery eliminates one big vulnerability: static encryption keys that are shared by all stations in the WLAN. Once an attacker cracks a static shared key, he can eavesdrop on all traffic in the WLAN until that key gets updated on every station. With dynamic session keys, the attacker has less traffic to analyze. Furthermore, by the time he cracks the key, the session may already be over.

As you can see, Cisco's LEAP does have security advantages over the standard security measures defined in the original IEEE 802.11 WLAN standard. LEAP is supported by Cisco Aironet access points and wireless NICs. However, LEAP and several other "EAP types" drafted by other companies have been found to be vulnerable to certain attacks. For example, man-in-the-middle attacks where a third party on the WLAN intercepts traffic between the station and access point, then uses that information to do something malicious like hijack future traffic.

The EAP type shipped with Windows XP, called EAP-TLS, uses digital certificates for stronger authentication of both the station and the access point. However, issuing digital certificates to every station is a bit complex, and many companies would prefer to continue using usernames and passwords to authenticate wireless stations. The trick is to do this while eliminating man-in-the-middle vulnerabilities. The working proposal that several manufacturers – including Cisco – are now implementing is called PEAP (Protected EAP). I expect that PEAP (or whatever EAP type is finally standardized) will replace LEAP in future WLAN products.

Station authentication and controlling access to the WLAN access point does not address all of your WLAN security risks. For example, current WLAN products – including Aironet products implementing LEAP – use the Wired Equivalent Privacy (WEP) protocol for frame encryption. This is done to preserve the confidentiality of the data carried over wireless - for example, mail messages that you read, files that you transfer, and the content of web pages that you visit when connected over wireless. Even if you don't care about the privacy of that data, you are still sending other sensitive information, such as email logins and passwords, fileshare names, and server addresses inside your network. Without WEP, these juicy tidbits can be used by an eavesdropper to compromise the security of your network.

Although measures like dynamic key delivery in LEAP reduce known weaknesses in WEP, they do not completely eliminate them. For example, it is still possible for a WLAN attacker to forge frames or modify valid frames in such a way that the receiver cannot detect that. A "WEP fix" called TKIP will soon start shipping in WLAN products. TKIP will overcome some of the most glaring vulnerabilities in WEP, but WLANs will still not be as secure as they could be. Really robust security for wireless LANs won't be available until next year, when next generation WLAN products start using the Advanced Encryption Standard (AES) and other improvements now being defined by the IEEE.

http://searchnetworking.techtarget.com/originalContent/0,289142,sid7_gci843996,00.html