Cisco ASA 5505 Configuration Manual page 1348

Chapter 64: General VPN Setup (Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 64-38)

IEEE 802.1X is a standard for authentication on wired and wireless networks. It provides wireless LANs with strong mutual authentication between clients and authentication servers, which can provide dynamic per-user, per-session Wired Equivalent Privacy (WEP) keys, removing administrative burdens and security issues that are present with static WEP keys.

Cisco Systems has developed an 802.1X wireless authentication type called Cisco LEAP. LEAP implements mutual authentication between a wireless client on one side of a connection and a RADIUS server on the other side. The credentials used for authentication, including a password, are always encrypted before they are transmitted over the wireless medium.

Note: Cisco LEAP authenticates wireless clients to RADIUS servers. It does not include RADIUS accounting services.

LEAP users behind a hardware client have a circular dilemma: they cannot negotiate LEAP authentication because they cannot send their credentials to the RADIUS server behind the central site device over the tunnel. The reason they cannot send their credentials over the tunnel is that they have not authenticated on the wireless network. To solve this problem, LEAP Bypass lets LEAP packets, and only LEAP packets, traverse the tunnel to authenticate the wireless connection to a RADIUS server before individual users authenticate. Then the users proceed with individual user authentication.

LEAP Bypass works as intended under the following conditions:

- The interactive unit authentication feature (intended for wired devices) must be disabled. If interactive unit authentication is enabled, a non-LEAP (wired) device must authenticate the hardware client before LEAP devices can connect using that tunnel.
- Individual user authentication is enabled (if it is not, you do not need LEAP Bypass).
- Access points in the wireless environment must be Cisco Aironet Access Points. The wireless NIC cards for PCs can be other brands.
- The Cisco Aironet Access Point must be running Cisco Discovery Protocol (CDP).
- The ASA 5505 or VPN 3002 can operate in either client mode or network extension mode.
- LEAP packets travel over the tunnel to a RADIUS server via ports 1645 or 1812.

Note: Allowing any unauthenticated traffic to traverse the tunnel might pose a security risk.

Allow C—Restricts the use of Network Extension Mode on the hardware client. Choose the option to let hardware clients use Network Extension Mode. Network Extension Mode is required for the hardware client to support IP phone connections, because the Call Manager can communicate only with actual IP addresses.

Note: If you disable network extension mode, the default setting, the hardware client can connect to this adaptive security appliance in PAT mode only. If you disallow network extension mode here, be careful to configure all hardware clients in a group for PAT mode. If a hardware client is configured to use Network Extension Mode and the adaptive security appliance to which it connects disables Network Extension Mode, the hardware client attempts to connect every 4 seconds, and every attempt is rejected. In this situation, the hardware client puts an unnecessary processing load on the adaptive security appliance to which it connects; large numbers of hardware clients that are misconfigured in this way reduce the ability of the security appliance to provide service.
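The first two LEAP Bypass conditions above correspond to the ASA group-policy attribute commands secure-unit-authentication, user-authentication and leap-bypass. As an added example that is not part of this guide, the following Python script parses those lines out of a constructed running-config excerpt and flags any policy that enables LEAP Bypass without meeting the conditions; the policy names are made up and the "disabled when the line is absent" default is an assumption.

```python
import re

# Constructed running-config excerpt (not from a real device); only the lines this
# audit cares about are included.
SAMPLE_CONFIG = """\
group-policy EZVPN-HW-OK attributes
 secure-unit-authentication disable
 user-authentication enable
 leap-bypass enable
group-policy EZVPN-HW-RISKY attributes
 secure-unit-authentication enable
 user-authentication disable
 leap-bypass enable
group-policy NO-LEAP attributes
 leap-bypass disable
"""

BLOCK_RE = re.compile(r"group-policy (\S+) attributes$")
ATTR_RE = re.compile(r"\s+(secure-unit-authentication|user-authentication|leap-bypass) (enable|disable)$")


def parse_group_policies(config_text):
    """Return {policy_name: {attribute: 'enable' | 'disable'}} for each attributes block."""
    policies, current = {}, None
    for line in config_text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return policies


def leap_bypass_findings(attrs):
    """Findings for one policy. Assumes the ASA default of 'disable' when a line is absent."""
    if attrs.get("leap-bypass", "disable") != "enable":
        return []  # LEAP Bypass off: no LEAP traffic crosses the tunnel before user authentication
    findings = []
    if attrs.get("secure-unit-authentication", "disable") == "enable":
        findings.append("interactive unit authentication is enabled; a wired device must "
                        "authenticate the hardware client before LEAP devices can connect")
    if attrs.get("user-authentication", "disable") != "enable":
        findings.append("individual user authentication is disabled; LEAP Bypass is not needed "
                        "and lets unauthenticated LEAP traffic traverse the tunnel")
    return findings


def audit(config_text):
    """Map every policy name to its list of LEAP Bypass findings (empty list means OK)."""
    return {name: leap_bypass_findings(attrs)
            for name, attrs in parse_group_policies(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "; ".join(findings))
```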