WPA supplicant not working for LEAP

Jouni Malinen j at w1.fi
Fri Dec 7 10:01:31 EST 2007

On Fri, Dec 07, 2007 at 12:28:47PM +0530, Anjali Shirvoikar wrote:

> AP – DLink DWL2100
> Radius server – Free radius server
> The AP is configured for TKIP with WPA-EAP. The radius server is set for
> LEAP. The association with AP takes place successfully (seen in the AP log),
> a packet trace at the radius server shows that the LEAP conversation takes
> place (4 packets are exchanged) and ends in a success EAP packet being sent
> to the wpa_supplicant. The wpa_supplicant then seems to be sending an 8-octet
> challenge to the AP which is not forwarded by the AP to the RS (not seen in
> the packet trace). Could anybody tell me how to fix this issue? Is LEAP to be
> used only with Cisco AP?

LEAP is not compliant with the EAP RFC and in addition, the mechanism used
for delivering keying material from the RADIUS server to the
AP/Authenticator is different from the one used for all other EAP
methods. I would expect most APs not to support this.

As far as fixing the issue is concerned, I would say the proper fix is
not to use LEAP. It's proprietary and not really very secure. If you
really need to use LEAP, it would probably be easiest to just get a
Cisco AP.

Jouni Malinen                                            PGP id EFC895FA
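
Following the advice above not to use LEAP, this added example (not part of the original message and not wpa_supplicant's own code) scans a wpa_supplicant.conf for network blocks that still enable LEAP through `eap` or `auth_alg`. The sample configuration is constructed, and `find_leap_networks` is a hypothetical helper name.

```python
# Constructed sample wpa_supplicant.conf (not taken from the thread).
SAMPLE_CONF = """
network={
    ssid="lab-leap"
    key_mgmt=WPA-EAP
    eap=LEAP
    identity="user"
}
network={
    ssid="lab-mixed"
    key_mgmt=IEEE8021X
    auth_alg=OPEN LEAP
    eap=PEAP LEAP
}
network={
    ssid="lab-peap"
    key_mgmt=WPA-EAP
    # eap=LEAP   (old setting, commented out, must be ignored)
    eap=PEAP
}
"""


def find_leap_networks(conf_text):
    """Return [(ssid, [settings])] for each network block that enables LEAP."""
    findings, block = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment line
        if line == "network={":
            block = {}                    # start collecting a new block
        elif line == "}" and block is not None:
            # eap and auth_alg take space-separated lists; flag LEAP in either
            hits = [f"{key}={block[key]}" for key in ("eap", "auth_alg")
                    if "LEAP" in block.get(key, "").upper().split()]
            if hits:
                ssid = block.get("ssid", "<no ssid>").strip('"')
                findings.append((ssid, hits))
            block = None
        elif block is not None and "=" in line:
            key, value = line.split("=", 1)
            block[key.strip()] = value.strip()
    return findings


if __name__ == "__main__":
    for ssid, hits in find_leap_networks(SAMPLE_CONF):
        print(f"{ssid}: LEAP enabled via {', '.join(hits)}")
```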
