Cisco™ introduced a mutual authentication method called LEAP, which is used to generate a session key for use on wireless networks.
This is available as a RADIUS Server module called "LEAP". LEAP authentication is performed in the AccessImpl implementation. The service maintains a state that the implementation uses to determine progress. The first state is the initialization state, in which the implementation creates the parameters necessary for authentication. The LEAP protocol is then handled during the intermediate state until the final completed state is returned.
In this short description, exceptions are ignored.
First we get a new module or recover an existing one.
LEAP leap = (LEAP) auth.getModule("LEAP", auth);
Then the LEAP state is recovered and we test to see whether we must initialize the LEAP module. The LEAP module provides the User-Name, which should be checked against the list of valid login names. If the name isn't found, create the Identity Failure packet. This is a departure from most RADIUS and EAP protocols and a weakness in LEAP: it reveals system information by letting the client learn that the User-Name doesn't exist. The initialization should also retrieve the plaintext password at this time.
There is an opportunity to set the LEAP-Identity to a User-Name with the realm stripped using the setParameters() method.
if (leap.getState() == LEAP.STATE_INITIALIZE) {
    // Get the name and password from somewhere.
    String userName = getName();
    String password = getPassword();
    // If we can't find the user name in our list, create the
    // identity failure response.
    if (userName == null) {
        leap.createIdentityFailure(auth.getRequestAttributeList(), userName);
    } else {
        // Name is ok, continue the protocol. In this case
        // we don't set a separate identity value and use the
        // userName for both.
        leap.setParameters(userName, (String) null, Util.toUTF8(password));
    }
}
// Run the LEAP protocol step for the current state.
leap.process(auth);
if (leap.getState() == LEAP.STATE_COMPLETED) {
    // Add attributes for configuring if necessary.
    AttributeList r = new AttributeList();
    r.addAttribute(Attribute.Reply_Message, "Got your session key.");
    auth.appendResponseAttributes(r);
}
There is an example of the server side LEAP protocol in the file com/theorem/radserver3/examples/server/FileAccess.java. Look for the method performLEAP(AuthInfo auth).
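As an added example (not code from the page or from FileAccess.java), the same server-side step with the realm-stripped form of the User-Name passed as the LEAP-Identity through setParameters(). LEAP, AuthInfo, AttributeList, Attribute and Util are the library classes used above and are assumed to be in scope; the in-memory user store, the userName parameter supplied by the caller, and the catch-all exception handling are assumptions of this example.

```java
import java.util.Map;

public class StrippedRealmLeap {

    // Assumed user store: login name as sent in User-Name -> plaintext password
    // (LEAP needs the plaintext password on the server side).
    private final Map<String, String> users;

    public StrippedRealmLeap(Map<String, String> users) {
        this.users = users;
    }

    // Remove an NAI suffix ("user@realm") or an NT-style prefix ("REALM\user").
    static String stripRealm(String userName) {
        int at = userName.indexOf('@');
        if (at >= 0) return userName.substring(0, at);
        int bs = userName.indexOf('\\');
        if (bs >= 0) return userName.substring(bs + 1);
        return userName;
    }

    // userName is the User-Name from the request, obtained by the caller (assumption).
    void performLEAP(AuthInfo auth, String userName) {
        try {
            LEAP leap = (LEAP) auth.getModule("LEAP", auth);
            if (leap.getState() == LEAP.STATE_INITIALIZE) {
                String password = users.get(userName);
                if (password == null) {
                    // Unknown user: the protocol answers with an Identity Failure,
                    // which tells the client that the name does not exist.
                    leap.createIdentityFailure(auth.getRequestAttributeList(), userName);
                } else {
                    // The full name stays the lookup key; the realm-stripped form
                    // is sent as the LEAP-Identity.
                    leap.setParameters(userName, stripRealm(userName), Util.toUTF8(password));
                }
            }
            leap.process(auth);
            if (leap.getState() == LEAP.STATE_COMPLETED) {
                AttributeList r = new AttributeList();
                r.addAttribute(Attribute.Reply_Message, "LEAP session key established.");
                auth.appendResponseAttributes(r);
            }
        } catch (Exception e) {
            // The description above ignores exceptions; here the step fails closed.
            System.err.println("LEAP failed for " + userName + ": " + e);
        }
    }
}
```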