Cisco FirePOWER ASA 5500 series Configuration Manual page 600

Group Policies
Configuring LEAP Bypass
When LEAP Bypass is enabled, LEAP packets from wireless devices behind a VPN 3002 hardware
client travel across a VPN tunnel prior to user authentication. This action lets workstations using Cisco
wireless access point devices establish LEAP authentication and then authenticate again per user
authentication. LEAP Bypass is disabled by default.
To allow LEAP packets from Cisco wireless access points to bypass individual users authentication,
enter the leap-bypass command with the enable keyword in group-policy configuration mode. To
disable LEAP Bypass, enter the disable keyword. To remove the LEAP Bypass attribute from the
running configuration, enter the no form of this command. This option allows inheritance of a value for
LEAP Bypass from another group policy:
hostname(config-group-policy)# leap-bypass {enable | disable}
hostname(config-group-policy)# no leap-bypass
Note IEEE 802.1X is a standard for authentication on wired and wireless networks. It provides wireless LANs
with strong mutual authentication between clients and authentication servers, which can provide
dynamic per-user, per session wireless encryption privacy (WEP) keys, removing administrative burdens
and security issues that are present with static WEP keys.
Cisco Systems has developed an 802.1X wireless authentication type called Cisco LEAP. LEAP
(Lightweight Extensible Authentication Protocol) implements mutual authentication between a wireless
client on one side of a connection and a RADIUS server on the other side. The credentials used for
authentication, including a password, are always encrypted before they are transmitted over the wireless
medium.
Cisco LEAP authenticates wireless clients to RADIUS servers. It does not include RADIUS accounting
services.
This feature does not work as intended if you enable interactive hardware client authentication.
Caution There might be security risks to your network in allowing any unauthenticated traffic to traverse the
tunnel.
The following example shows how to set LEAP Bypass for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# leap-bypass enable
Enabling Network Extension Mode
Network extension mode lets hardware clients present a single, routable network to the remote private
network over the VPN tunnel. IPSec encapsulates all traffic from the private network behind the
hardware client to networks behind the security appliance. PAT does not apply. Therefore, devices
behind the security appliance have direct access to devices on the private network behind the hardware
client over the tunnel, and only over the tunnel, and vice versa. The hardware client must initiate the
tunnel, but after the tunnel is up, either side can initiate data exchange.
Enable network extension mode for hardware clients by entering the nem command with the enable
keyword in group-policy configuration mode:
hostname(config-group-policy)# nem {enable | disable}
hostname(config-group-policy)# no nem
Cisco Security Appliance Command Line Configuration Guide
30-46
Chapter 30 Configuring Tunnel Groups, Group Policies, and Users
OL-10088-01