The Elektron LEAP service implements Cisco’s Lightweight Extensible Authentication Protocol. Like PEAP, TTLS, and EAP-TLS, LEAP was developed to provide user authentication for Wi-Fi networks. However, unlike those protocols, LEAP does not use an encrypted channel to protect user credentials. Because of this, we recommend that the LEAP service remain stopped unless your network has clients that support only LEAP for authentication and cannot be upgraded to support other, more secure protocols.
LEAP is a derivative of the MS-CHAP-V2 protocol. It uses a challenge-response mechanism to authenticate both the client and the server. Because the challenge-response data is not encrypted, an attacker can obtain the data to mount an offline attack to guess user passwords. Poorly chosen passwords can be quickly guessed, and the network compromised.
If you must enable LEAP, ensure that passwords are well chosen. They should be long (greater than eight characters), include a mixture of lowercase characters, uppercase characters, numbers and symbols, and not include any dictionary words.
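One way to enforce that guidance before a LEAP account is created, as an added example that is not part of the Elektron product: the function reports every rule a candidate password violates. The small dictionary is a constructed stand-in for a real wordlist, and the symbol-for-letter substitution table is an assumption about the common swaps that offline guessing tools try.

```python
import string

# Constructed sample wordlist; a real deployment would load a full dictionary file.
DICTIONARY_WORDS = {"password", "welcome", "summer", "cisco", "wireless", "admin"}

# Assumed common letter-for-symbol substitutions, so "P@ssw0rd" still matches "password".
LEET_TABLE = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s",
                            "5": "s", "!": "i", "4": "a", "7": "t"})


def leap_password_findings(password: str, dictionary=DICTIONARY_WORDS) -> list[str]:
    """Return the policy rules a candidate LEAP password violates (empty list = acceptable).

    Rules follow the guidance above: longer than eight characters; lowercase, uppercase,
    digits and symbols all present; no dictionary word embedded anywhere in the password,
    even after undoing simple symbol substitutions.
    """
    findings = []
    if len(password) <= 8:
        findings.append("too short: must be longer than eight characters")
    if not any(c.islower() for c in password):
        findings.append("missing lowercase character")
    if not any(c.isupper() for c in password):
        findings.append("missing uppercase character")
    if not any(c.isdigit() for c in password):
        findings.append("missing digit")
    if not any(c in string.punctuation for c in password):
        findings.append("missing symbol")

    lowered = password.lower()
    normalized = lowered.translate(LEET_TABLE)  # e.g. "p@ssw0rd1!" -> "passwordli"
    for word in sorted(dictionary):
        if word in lowered or word in normalized:
            findings.append(f"contains dictionary word '{word}'")
    return findings


def is_acceptable_leap_password(password: str) -> bool:
    """True only when the password passes every rule above."""
    return not leap_password_findings(password)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "Cisco1!", "Tr7k#qLm9vZ!"):
        print(candidate, leap_password_findings(candidate) or "OK")
```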
