Re: Implementation of LEAP kind of Security Mechanism on HostAP

From: Jacques Caron (
Date: 2002-09-21 13:16:05 UTC


I think the main difference between LEAP and 802.1X is that LEAP is implemented as an 802.11 authentication method (so before authentication) rather than encapsulated in 802.11 data frames with a specific Ethertype.

Afaik, the keys are not transmitted in MS-MPPE-Send/Recv-Key VSA, but using a cisco VSA instead. It might have changed in the meantime, of course, and I know the cisco APs support the MS VSAs with other EAP methods very well.

There is an analysis of the protocol (at least on the RADIUS side) here:

But I definitely agree with Jouni that it would be a lot better to concentrate on standards like 802.1X rather than proprietary protocols.


At 15:04 21/09/2002, Jouni Malinen wrote:
>On Thu, Sep 19, 2002 at 09:56:49AM +0530, Manjunathan PY wrote:
> > I am planning to implement Cisco's LEAP kind of Security Mechanism on
> > latest version of HostAP driver.
> >
> > Now that 802.1x is implement in HostAP , is possible for me to add LEAP
> > security mechanism with dynamic wep keys to HOSTAP,
>With 802.1x support, there should not really be that much need for
>LEAP.. Full EAP allows multiple authentication methods and at least I
>would prefer using standard mechanism over proprietary solutions..
>If you want to implement LEAP, it should be quite easy with the current
>hostapd implementation. I have only browsed quickly through LEAP
>description, so I haven't checked every detail. Anyway, it seems to be
>quite similar to IEEE 802.1X. hostapd has code for generic RADIUS
>message handling, so this could be used also with LEAP. In addition,
>keys are apparenly sent using similar mechanism (MS-MPPE-Send-Key
>attribute) so also that code can be reused.
>Jouni Malinen PGP id EFC895FA

This archive was generated by hypermail 2.1.4.