This document describes the LEAP authentication protocol as used by Cisco Aironet wireless routers etc. It was deduced by analysis of packets passed between an Aironet and Cisco ACS. Relevant RFCs are: 2284, 2716, 2433.

LEAP is a type of Radius EAP protocol (see RFC draft-ietf-radius-eap-05.txt "Extensible Authentication Protocol Support in RADIUS"). The EAP type for LEAP is 17 (0x11). It is used to authenticate access by a wireless client (typically a laptop or PC) to a wireless router, typically a Cisco Aironet base station.
Definitions
AP: Access Point (the Aironet base station)
RS: Radius Server
APC: Access Point Challenge
APR: Access Point Response
PC: Peer Challenge
PR: Peer Response
PW: User's plaintext ASCII password
SK: Session Key
SS: Shared Secret shared between AP (or upstream proxy) and RS
AUTH: The 16 octet Radius authenticator of the incoming request
A typical successful LEAP authentication sequence consists of the following Radius packets passed between the wireless access point (AP) and the Radius server (RS). Each packet contains an EAP-Message as described below. The EAP Message-Authenticator attribute is always present as usual for EAP.
The general description of the protocol is:

1. AP->RS: Radius Request/EAP Identity, containing the name of the user to be authenticated.
2. RS->AP: Radius Challenge/EAP Request/LEAP, containing an 8 octet random MSCHAP Peer Challenge (PC).
3. AP->RS: Radius Request/EAP Response/LEAP, containing the 24 octet MSCHAP response to the challenge in 2 above (PR).
4. RS->AP: Radius Access-Accept/EAP Success.
5. AP->RS: Radius Request/EAP Request/LEAP, containing the 8 octet Access Point Challenge (APC).
6. RS->AP: Radius Access-Accept/EAP Response/LEAP, containing the 24 octet response to the challenge in 5 above (APR), plus a session key sent in a cisco-avpair vendor-specific attribute.
LEAP data is carried in an EAP-Message in the Type-Data subfield. The format of the Type-Data subfield is:

1 octet LEAP protocol version number, currently always 0x01.
1 unused octet, currently always 0x00.
1 octet byte count for the following binary data.
m octets of binary data.
n octets, the name of the user being authenticated.
So, for example, packet 2 in the above sequence, containing the access point challenge (APC), would contain an EAP-Message Request (Code 0x01) attribute something like this:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Code 0x01   |  Identifier   |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Type 0x11   | Version 0x01  |  Unused 0x00  |  Count 0x08   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Peer Challenge                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Peer Challenge                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   User Name .....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Count is 8 octets since the Peer Challenge is 8 bytes. Length is the total number of octets in the EAP-Message.
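The following is an added example, not code from the original document or from Cisco: a builder and a validating parser for the EAP-Message/LEAP Type-Data layout described above (Code, Identifier, Length, Type 0x11, Version 0x01, Unused 0x00, Count, binary data, user name). The challenge bytes, identifier and user name are constructed sample values, and the function names are this example's own. The parser refuses messages whose Length disagrees with the octets actually received or whose Count would run past the end of the message, which is the check a RADIUS server or protocol decoder needs before it trusts the on-the-wire Count field.

```python
import struct

EAP_CODE_REQUEST = 0x01
EAP_CODE_RESPONSE = 0x02
EAP_TYPE_LEAP = 0x11      # EAP type 17 is LEAP
LEAP_VERSION = 0x01       # currently always 0x01
EAP_HEADER_LEN = 4        # Code, Identifier, Length (2 octets)


def build_leap_eap_message(code, identifier, binary_data, user_name):
    """Build one EAP-Message carrying a LEAP Type-Data subfield.

    Layout: EAP header (Code, Identifier, Length), then Type 0x11, then the
    Type-Data: Version 0x01, Unused 0x00, Count, Count octets of binary data
    (e.g. an 8 octet challenge or a 24 octet response), then the user name.
    """
    if not 0 < len(binary_data) < 256:
        raise ValueError("Count must fit in one octet and be non-zero")
    name = user_name.encode("ascii")
    type_data = bytes([LEAP_VERSION, 0x00, len(binary_data)]) + binary_data + name
    length = EAP_HEADER_LEN + 1 + len(type_data)   # header + Type octet + Type-Data
    return struct.pack("!BBH", code, identifier, length) + bytes([EAP_TYPE_LEAP]) + type_data


def parse_leap_eap_message(data):
    """Parse and validate an EAP-Message with a LEAP payload.

    Returns a dict of the decoded fields, or raises ValueError on any
    inconsistency between the declared lengths and the octets received.
    """
    if len(data) < EAP_HEADER_LEN + 1:
        raise ValueError("too short for an EAP header plus Type octet")
    code, identifier, length = struct.unpack("!BBH", data[:EAP_HEADER_LEN])
    if length != len(data):
        raise ValueError(f"EAP Length {length} does not match {len(data)} octets received")
    if data[4] != EAP_TYPE_LEAP:
        raise ValueError(f"not a LEAP message (Type 0x{data[4]:02x})")
    if length < EAP_HEADER_LEN + 1 + 3:
        raise ValueError("Type-Data shorter than Version/Unused/Count")
    version, unused, count = data[5], data[6], data[7]
    if version != LEAP_VERSION:
        raise ValueError(f"unsupported LEAP version {version}")
    if unused != 0x00:
        raise ValueError("unused octet must be 0x00")
    binary = data[8:8 + count]
    if len(binary) != count:
        raise ValueError(f"Count {count} exceeds the {len(data) - 8} octets remaining")
    user_name = data[8 + count:].decode("ascii")   # UnicodeDecodeError is a ValueError
    return {"code": code, "identifier": identifier, "length": length,
            "version": version, "count": count, "data": binary, "user_name": user_name}


def is_well_formed(data):
    """True if the message parses cleanly, False on any format violation."""
    try:
        parse_leap_eap_message(data)
        return True
    except ValueError:
        return False


def demo():
    # Constructed sample values: a fixed 8 octet "Peer Challenge" (a real RS would
    # draw it at random), identifier 0x2a and user name "alice". Mirrors packet 2.
    challenge = bytes.fromhex("0011223344556677")
    msg = build_leap_eap_message(EAP_CODE_REQUEST, 0x2a, challenge, "alice")
    return msg, parse_leap_eap_message(msg)


if __name__ == "__main__":
    msg, fields = demo()
    print(msg.hex())
    print(fields)
    # A message whose Count claims more octets than are present is rejected.
    print(is_well_formed(msg[:7] + bytes([0xff]) + msg[8:]))
```

For the constructed packet the EAP Length is 21: 4 octets of header, 1 Type octet, 3 octets of Version/Unused/Count, 8 octets of challenge and 5 octets of user name, which is how Length and Count relate in the figure above.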
The Session Key (SK) is sent from RS to AP in the final packet. It is carried in a cisco-avpair vendor-specific Radius attribute. The value of the attribute is:

"leap:session-key=nnnn" where nnnn is 34