Well, EAP-TLS is certainly more secure than LEAP for one very simple reason: LEAP uses NT credentials as the seed for the dynamic WEP key, whereas EAP-TLS uses certificates. Also, LEAP is a little brittle in my trials with it: to roam successfully between AP's the NT credentials need to be statically entered and stored in the Aironet Client Utility. If you practice password rotation (which I hope you do), then every client is going to have to muck with their ACU to re-enter their NT credentials. All in all, less secure and less transparent than EAP-TLS.
The problem we faced when trying to move to EAP-TLS was client OS support, as WinXP is currently the only OS that has EAP-TLS support (and PEAP for that matter if you're REALLY security conscious). Yes, I know you can use Funk or Meetinghouse, but both of those solutions cost money on a per-client basis. When you have a heterogeneous client base (Windows 2000, WinXP, WinCE, Linux and Mac OS X), EAP-TLS and PEAP aren't quite there.

One thing I am curious about is why you'd be running IPsec over EAP-TLS/LEAP. Are you bound by HIPAA? If not, just use EAP-TLS or LEAP and the dynamic WEP keying (plus MIC, TKIP and broadcast key rotation) are, by all the tests and hacks I've seen/read, very secure.

Good luck.

Paul Forbes
Network Engineer
Trimble

> -----Original Message-----
> From: mike greenberg [mailto:newbiecisco@;yahoo.com]
> Sent: Tuesday, November 05, 2002 11:21 AM
> To: [EMAIL PROTECTED]
> Subject: EAP-TLS or LEAP with IPSec for wireless security [7:56934]
>
> All,
>
> I am about to implement EAP-TLS and IPSec for my wireless network. Basically, this wireless segment is physically separated from my internal network via the firewall. It means that the wireless segment will be hanging off my DMZ network (called wireless DMZ because the WAP will be in the wireless DMZ network). Wireless users will be required to be authenticated to a RADIUS server (freeradius) before being allowed to be connected to the wireless network. In order to connect to the internal network or to the Internet, wireless users have to make an IPSec connection (via Cisco VPN client connection) to the Cisco PIX firewall. At the moment, everything works great; however, I have a few questions that hopefully someone in this group can help with answers.
>
> 1) I use EAP-TLS on freeradius server for Authentication and Accounting because I know linux and freeradius is free (as the name implies). I don't want to use stinking Cisco ACS because it requires either Windows or Solaris, which I don't like, because my freeradius server is running on a Pentium 90MHz/128MB of RAM just fine. I want to spend the company's money wisely, especially in this economy. From what I understand, EAP-TLS is an open standard while LEAP is a Cisco proprietary solution, and LEAP is vulnerable to "man in the middle attack" while EAP-TLS is not. Now I am under pressure from upper management to migrate from EAP-TLS on Freeradius over to Cisco LEAP (upper management decision). The idiot executive's reason is that LEAP is more secure than EAP-TLS and they already have money allocated for the project. Because of this, I'll have to migrate from EAP-TLS over to LEAP. Therefore, my question is: is anybody using LEAP, and are you happy with it?
>
> 2) At the moment, my wireless network has about 10 users, so running IPSec (3DES) on top of EAP-TLS is not so bad. However, I am going to roll out this project for about 200 users, which I know the performance will suffer. Has anyone done IPSec over EAP-TLS for a network with 200+ users, and what kind of performance issues do you have?
>
> I don't want to use the Cisco ACS product because it is expensive and it sucks big time; however, sometimes you just have to swallow your losses and move on.
>
> Thanks.
>
> Mike

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56938&t=56934
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
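As an added illustration of the setup Mike describes (EAP-TLS on a FreeRADIUS server fronting the wireless DMZ), not text or configuration from either poster, the following is what the `eap` stanza of a FreeRADIUS 1.x/2.x-era `eap.conf` looks like when EAP-TLS is the only method the server will negotiate. The certificate and key file names, the `${raddbdir}/certs` layout and the key passphrase are assumptions for the example; the key names themselves (`default_eap_type`, `private_key_file`, `certificate_file`, `CA_file`, `dh_file`, `random_file`, `fragment_size`, `include_length`, `check_crl`) are the ones the module accepted in those releases (FreeRADIUS 3.x moved this into `mods-available/eap` and lower-cased `ca_file`).

```conf
# Added example: FreeRADIUS eap.conf restricted to EAP-TLS.
# Paths and passphrase below are assumptions, not values from the thread.
eap {
        # Offer only TLS. A client that asks for LEAP, MD5 or another
        # type is rejected instead of silently falling back to a
        # password-based method.
        default_eap_type = tls
        timer_expire     = 60
        ignore_unknown_eap_types = no

        tls {
                # Passphrase protecting the server's private key (assumed).
                private_key_password = "server-key-passphrase"
                private_key_file     = ${raddbdir}/certs/radius-server.key
                certificate_file     = ${raddbdir}/certs/radius-server.pem

                # Trust anchor used to verify each client's certificate.
                # Only certs chained to this private CA authenticate;
                # a user account or NT password plays no part.
                CA_file  = ${raddbdir}/certs/ca.pem

                # Diffie-Hellman parameters and seed material for OpenSSL.
                dh_file     = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random

                # Keep each EAP-TLS fragment inside a RADIUS packet.
                fragment_size  = 1024
                include_length = yes

                # Set to yes once a CRL is published to the CA_file
                # directory, so revoked client certs stop authenticating
                # without touching any access point.
                check_crl = no
        }
}
```

Two points follow from this that bear on the thread. First, the `authorize` and `authenticate` sections of `radiusd.conf` must both list `eap` for the module to run at all. Second, the protection against the rogue-AP/man-in-the-middle scenario Mike mentions lives on the client side: the supplicant has to be configured to validate the server's certificate against the same private CA, otherwise it will complete a TLS handshake with whatever RADIUS server answers, and the certificate-based design loses most of its advantage over a password-based one.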

