Cisco Systems OL-16647-01 Network Router User Manual


Cisco ASDM User Guide
OL-16647-01
Chapter 35 General
ACL Manager
Note Cisco LEAP authenticates wireless clients to RADIUS servers. It does not include RADIUS
accounting services.
LEAP users behind a hardware client have a circular dilemma: they cannot negotiate LEAP
authentication because they cannot send their credentials to the RADIUS server behind the central
site device over the tunnel. The reason they cannot send their credentials over the tunnel is that they
have not authenticated on the wireless network. To solve this problem, LEAP Bypass lets LEAP
packets, and only LEAP packets, traverse the tunnel to authenticate the wireless connection to a
RADIUS server before individual users authenticate. Then the users proceed with individual user
authentication.
LEAP Bypass works as intended under the following conditions:
- The interactive unit authentication feature (intended for wired devices) must be disabled. If interactive unit authentication is enabled, a non-LEAP (wired) device must authenticate the hardware client before LEAP devices can connect using that tunnel.
- Individual user authentication is enabled (if it is not, you do not need LEAP Bypass).
- Access points in the wireless environment must be Cisco Aironet Access Points. The wireless NIC cards for PCs can be other brands.
- The Cisco Aironet Access Point must be running Cisco Discovery Protocol (CDP).
- The ASA 5505 or VPN 3002 can operate in either client mode or network extension mode.
- LEAP packets travel over the tunnel to a RADIUS server via ports 1645 or 1812.
Note Allowing any unauthenticated traffic to traverse the tunnel might pose a security risk.
Allow Network Extension Mode—Restricts the use of network extension mode on the hardware
client. Select the option to let hardware clients use network extension mode. Network extension
mode is required for the hardware client to support IP phone connections, because the Call Manager
can communicate only with actual IP addresses.
Note If you disable network extension mode, the default setting, the hardware client can connect to
this security appliance in PAT mode only. If you disallow network extension mode here, be
careful to configure all hardware clients in a group for PAT mode. If a hardware client is
configured to use network extension mode and the security appliance to which it connects
disables network extension mode, the hardware client attempts to connect every 4 seconds, and
every attempt is rejected. In this situation, the hardware client puts an unnecessary processing
load on the security appliance to which it connects; large numbers of hardware clients that are
misconfigured in this way reduce the ability of the security appliance to provide service.
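The retry loop described in the note above (a hardware client set to network extension mode reconnecting every 4 seconds against an appliance that disallows it, rejected every time) is something an operator can spot from connection logs rather than from load symptoms. The following is an added example, not code from the guide or from Cisco: it parses a constructed, simplified log format (not a real ASA syslog message) and flags peers whose rejections arrive in a tight, regular loop. Thresholds and the log layout are assumptions chosen for the example.

```python
"""Detect hardware clients stuck in a reject/retry loop.

Added example (not Cisco's code). The log format below is constructed for
this example: one line per tunnel attempt, "<ISO timestamp> peer=<ip>
group=<name> result=<accepted|rejected> [reason=<text>]". A peer is flagged
when it has a run of consecutive rejections, each within max_gap_s of the
previous one, at least min_rejections long.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: 192.0.2.10 is the misconfigured hardware client
# (rejected every 4 seconds); the other two peers are not in a loop.
SAMPLE_LOG = """\
2024-05-01T10:00:00 peer=192.0.2.10 group=hwclients result=rejected reason=network-extension-mode-disallowed
2024-05-01T10:00:01 peer=192.0.2.11 group=hwclients result=rejected reason=bad-credentials
2024-05-01T10:00:00 peer=192.0.2.12 group=hwclients result=rejected reason=network-extension-mode-disallowed
2024-05-01T10:00:04 peer=192.0.2.10 group=hwclients result=rejected reason=network-extension-mode-disallowed
2024-05-01T10:00:08 peer=192.0.2.10 group=hwclients result=rejected reason=network-extension-mode-disallowed
2024-05-01T10:00:12 peer=192.0.2.10 group=hwclients result=rejected reason=network-extension-mode-disallowed
2024-05-01T10:00:16 peer=192.0.2.10 group=hwclients result=rejected reason=network-extension-mode-disallowed
2024-05-01T10:00:20 peer=192.0.2.10 group=hwclients result=rejected reason=network-extension-mode-disallowed
2024-05-01T10:00:30 peer=192.0.2.11 group=hwclients result=accepted
2024-05-01T10:05:00 peer=192.0.2.12 group=hwclients result=rejected reason=network-extension-mode-disallowed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) peer=(?P<peer>\S+) group=(?P<group>\S+) "
    r"result=(?P<result>accepted|rejected)(?: reason=(?P<reason>\S+))?$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_retry_loops(lines, min_rejections=5, max_gap_s=6.0):
    """Map peer -> {"rejections": n, "mean_interval_s": x} for peers whose
    longest run of closely spaced, uninterrupted rejections is long enough.
    An accepted connection or a gap longer than max_gap_s ends a run."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec["peer"]].append((rec["ts"], rec["result"]))

    flagged = {}
    for peer, evs in events.items():
        evs.sort()  # lines may arrive out of order per peer
        best_run, run = [], []
        for ts, result in evs:
            if result != "rejected":
                run = []  # a successful connection breaks the loop
                continue
            if run and (ts - run[-1]).total_seconds() > max_gap_s:
                run = []  # too long since the last rejection: new run
            run.append(ts)
            if len(run) > len(best_run):
                best_run = list(run)
        if len(best_run) >= min_rejections:
            span = (best_run[-1] - best_run[0]).total_seconds()
            flagged[peer] = {
                "rejections": len(best_run),
                "mean_interval_s": span / (len(best_run) - 1),
            }
    return flagged


if __name__ == "__main__":
    for peer, info in find_retry_loops(SAMPLE_LOG.splitlines()).items():
        print(f"{peer}: {info['rejections']} rejections, "
              f"~{info['mean_interval_s']:.1f}s apart; check NEM setting on client and group")
```

A mean interval near 4 seconds with a network-extension-mode rejection reason points at exactly the mismatch the note describes; the fix is on the configuration side (align the client's mode with the group's Allow Network Extension Mode setting), and the detector only tells you which peers to look at.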
Modes
The following table shows the modes in which this feature is available:
Add/Edit Server and URL List
The Add or Edit Server and URL List dialog box lets you add, edit, delete, and order the items in the
designated URL list.