Re: LEAP, and other EAPs.

2007-07-15 Thread Aaron Konstam
On Sun, 2007-07-15 at 09:14 -0400, Dan Williams wrote:
 On Fri, 2007-07-13 at 19:19 -0400, Darren Albers wrote:
  I think Cisco is just acknowledging the obvious and longstanding
  weaknesses in LEAP and is doing the right thing and advising their
  customers to move to PEAP which works the same from the user's
  perspective.
 
 LEAP has been steadily going away for a long time, because there are
 well-known exploitable vulnerabilities (dictionary attacks on your
 password) that have been around for at least 3 or 4 years.  LEAP hasn't
 been considered secure for a long time.  Dynamic WEP with 802.1x is
 actually better, but only if you change your WEP key really often.
 
 LEAP also sucks because you can't know whether or not an AP supports it
 from the beacon, which is what WPA[2] fixes quite nicely.


The above sort of misses several points. One does not have the power to
decide what authorization method an access point supplier uses. I use
LEAP because that is what the University I was contacting uses.

Second, if NM advertises it supports LEAP it should support LEAP. Until
last week it did not, at least on Fedora 7.

Third, I am now informed that NM supports PEAP and other EAPs. Does it?
Has anyone actually tried it? I hope so. In addition this ability is
pretty well hidden in the lists of options that nm-applet displays. I
would probably not have found it if Darren Albers had shown me how.


--
===
It's not hard to admit errors that are [only] cosmetically wrong. --
J.K. Galbraith
===
Aaron Konstam telephone: (210) 656-0355 e-mail: [EMAIL PROTECTED]

___
NetworkManager-list mailing list
NetworkManager-list@gnome.org
http://mail.gnome.org/mailman/listinfo/networkmanager-list


Re: LEAP, and other EAPs.

2007-07-15 Thread Darren Albers
On 7/15/07, Aaron Konstam [EMAIL PROTECTED] wrote:
 On Sun, 2007-07-15 at 09:14 -0400, Dan Williams wrote:
  On Fri, 2007-07-13 at 19:19 -0400, Darren Albers wrote:
   I think Cisco is just acknowledging the obvious and longstanding
   weaknesses in LEAP and is doing the right thing and advising their
   customers to move to PEAP which works the same from the user's
   perspective.
 
  LEAP has been steadily going away for a long time, because there are
  well-known exploitable vulnerabilities (dictionary attacks on your
  password) that have been around for at least 3 or 4 years.  LEAP hasn't
  been considered secure for a long time.  Dynamic WEP with 802.1x is
  actually better, but only if you change your WEP key really often.
 
  LEAP also sucks because you can't know whether or not an AP supports it
  from the beacon, which is what WPA[2] fixes quite nicely.


 The above sort of misses several points. One does not have the power to
 decide what authorization method an access point supplier uses. I use
 LEAP because that is what the University I was contacting uses.

 Second, if NM advertises it supports LEAP it should support LEAP. Until
 last week it did not, at least on Fedora 7.

It did support it, but a patch broke it; it wasn't caught since you
can't test LEAP without Cisco APs or a LEAP network, which none of the
devs have access to.


 Third, I am now informed that NM supports PEAP and other EAPs. Does it?
 Has anyone actually tried it? I hope so. In addition this ability is
 pretty well hidden in the lists of options that nm-applet displays. I
 would probably not have found it if Darren Albers had shown me how.



I have used PEAP and EAP-TLS successfully before.  It isn't really
hidden; it is under "connect to other network".  If NM detects a
network using EAP then the PEAP or EAP-TLS options are shown.  If your
network is not broadcasting and you need to select the options
manually you will need to select "connect to other network", so I /think/
all the places you would need to find it are covered.

As Dan stated in an earlier post, LEAP was different because you can't
tell if it is just a normal WEP network or a LEAP network.


Re: LEAP, and other EAPs.

2007-07-15 Thread Dan Williams
On Sun, 2007-07-15 at 10:52 -0400, Darren Albers wrote:
 On 7/15/07, Aaron Konstam [EMAIL PROTECTED] wrote:
  On Sun, 2007-07-15 at 09:14 -0400, Dan Williams wrote:
   On Fri, 2007-07-13 at 19:19 -0400, Darren Albers wrote:
    I think Cisco is just acknowledging the obvious and longstanding
    weaknesses in LEAP and is doing the right thing and advising their
    customers to move to PEAP which works the same from the user's
    perspective.
  
   LEAP has been steadily going away for a long time, because there are
   well-known exploitable vulnerabilities (dictionary attacks on your
   password) that have been around for at least 3 or 4 years.  LEAP hasn't
   been considered secure for a long time.  Dynamic WEP with 802.1x is
   actually better, but only if you change your WEP key really often.
  
   LEAP also sucks because you can't know whether or not an AP supports it
   from the beacon, which is what WPA[2] fixes quite nicely.
 
 
  The above sort of misses several points. One does not have the power to
  decide what authorization method an access point supplier uses. I use
  LEAP because that is what the University I was contacting uses.
 
  Second, if NM advertises it supports LEAP it should support LEAP. Until
  last week it did not, at least on Fedora 7.
 
 It did support it, but a patch broke it; it wasn't caught since you
 can't test LEAP without Cisco APs or a LEAP network, which none of the
 devs have access to.
 
 
  Third, I am now informed that NM supports PEAP and other EAPs. Does it?
  Has anyone actually tried it? I hope so. In addition this ability is
  pretty well hidden in the lists of options that nm-applet displays. I
  would probably not have found it if Darren Albers had shown me how.
 
 
 
 I have used PEAP and EAP-TLS successfully before.  It isn't really
 hidden; it is under "connect to other network".  If NM detects a
 network using EAP then the PEAP or EAP-TLS options are shown.  If your
 network is not broadcasting and you need to select the options
 manually you will need to select "connect to other network", so I /think/
 all the places you would need to find it are covered.
 
 As Dan stated in an earlier post, LEAP was different because you can't
 tell if it is just a normal WEP network or a LEAP network.

I don't think LEAP networks set the privacy bit (i.e., the WEP bit) in
the beacon, which means you can't tell between LEAP or unencrypted
networks.  That's the same with 802.1x+Dynamic WEP too.

Dan
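
As an added illustration of the beacon point discussed in this message (not code from NetworkManager or from anyone in the thread): a beacon's capability field carries only the privacy bit, while the RSN element that WPA2 adds names the key-management method. The sample beacon bodies are constructed, and only the RSN element is parsed, not the older WPA vendor element.

```python
import struct

PRIVACY = 0x0010                          # Capability Information bit 4 ("WEP bit")
RSN_IE = 48                               # RSN information element (WPA2)
AKM = {1: "802.1X/EAP", 2: "PSK"}         # AKM suite types under OUI 00-0F-AC

def rsn_akms(d: bytes) -> list:
    """Return the key-management suites listed in an RSN element body."""
    # Layout: version(2) group cipher(4) pairwise count(2) pairwise list(4 each)
    #         AKM count(2) AKM list(4 each) ...
    if len(d) < 8:
        return []
    off = 8 + 4 * struct.unpack_from("<H", d, 6)[0]
    if len(d) < off + 2:
        return []
    count = struct.unpack_from("<H", d, off)[0]
    suites = [d[off + 2 + 4 * i: off + 6 + 4 * i] for i in range(count)]
    return [AKM.get(s[3], f"type {s[3]}") for s in suites
            if len(s) == 4 and s[:3] == b"\x00\x0f\xac"]

def describe_beacon(body: bytes) -> str:
    """Summarise what a beacon body (after the MAC header) says about security."""
    if len(body) < 12:
        raise ValueError("shorter than the fixed beacon fields")
    # Fixed fields: timestamp(8), beacon interval(2), capability information(2)
    capab = struct.unpack_from("<H", body, 10)[0]
    akms, pos = None, 12
    while pos + 2 <= len(body):           # walk the id/length/value elements
        eid, length = body[pos], body[pos + 1]
        data = body[pos + 2: pos + 2 + length]
        if len(data) < length:
            break                         # truncated element, stop parsing
        if eid == RSN_IE:
            akms = rsn_akms(data)
        pos += 2 + length
    if akms:
        return "RSN advertised, key management: " + ", ".join(akms)
    if capab & PRIVACY:
        return "privacy bit set, no RSN element: authentication method not advertised"
    return "privacy bit clear, no RSN element: authentication method not advertised"

# Constructed sample beacon bodies (not captured traffic).
SSID = b"\x00\x04test"
RSN = bytes([48, 20]) + bytes.fromhex(
    "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000")
WPA2_EAP = struct.pack("<QHH", 0, 100, 0x0011) + SSID + RSN
LEGACY_PRIVACY = struct.pack("<QHH", 0, 100, 0x0011) + SSID
LEGACY_OPEN = struct.pack("<QHH", 0, 100, 0x0001) + SSID
```

For the two legacy samples the summary can report only the state of the privacy bit; nothing in those beacons identifies an 802.1X or EAP method.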



Re: LEAP, and other EAPs.

2007-07-15 Thread Aaron Konstam
On Sun, 2007-07-15 at 13:20 -0400, Dan Williams wrote:

  
   Second, if NM advertises it supports LEAP it should support LEAP. Until
   last week it did not, at least on Fedora 7.
  
  It did support it, but a patch broke it; it wasn't caught since you
  can't test LEAP without Cisco APs or a LEAP network, which none of the
  devs have access to.
  
  
   Third, I am now informed that NM supports PEAP and other EAPs. Does it?
   Has anyone actually tried it? I hope so. In addition this ability is
   pretty well hidden in the lists of options that nm-applet displays. I
   would probably not have found it if Darren Albers had shown me how.
  
  
  
  I have used PEAP and EAP-TLS successfully before.  It isn't really
  hidden; it is under "connect to other network".  If NM detects a
  network using EAP then the PEAP or EAP-TLS options are shown.  If your
  network is not broadcasting and you need to select the options
  manually you will need to select "connect to other network", so I /think/
  all the places you would need to find it are covered.
  
  As Dan stated in an earlier post, LEAP was different because you can't
  tell if it is just a normal WEP network or a LEAP network.
 
 I don't think LEAP networks set the privacy bit (i.e., the WEP bit) in
 the beacon, which means you can't tell between LEAP or unencrypted
 networks.  That's the same with 802.1x+Dynamic WEP too.
 
 Dan
 
Ok, I keep learning new things and that is good.
--
===
To err is human -- to blame it on a computer is even more so.
===
Aaron Konstam telephone: (210) 656-0355 e-mail: [EMAIL PROTECTED]
