Description:
The following document describes how to use LEPS-U (LANCOM Enhanced Passphrase Security - Users) to facilitate the configuration of separate access keys for each user of a Wi-Fi network on a LANCOM access point.

What is LEPS-U?
LANCOM Enhanced Passphrase Security Users (LEPS-U) allows a set of passphrases to be configured and assigned to individual users or groups. This avoids having one global passphrase for an SSID. Instead, there are several passphrases, which can then be distributed individually.
This is useful for onboarding devices into the network. For example, a network operator “onboarding” multiple WLAN devices into different areas of the network does not want to configure each specific device; instead, this should be done by the users of the devices themselves. In this case, users are given a preshared key for the company WLAN for use with their own devices.
The preshared key is used to map each user to a VLAN, thus automatically assigning them to a specific network. The configuration of LEPS-U takes place on the infrastructure side only, which assures full compatibility with third-party products.
The security issue presented by global passphrases is fundamentally remedied by LEPS-U. Each user is assigned their own individual passphrase. If a passphrase assigned to a user should “get lost” or an employee with knowledge of their passphrase leaves the company, then only the passphrase of that user needs to be changed or deleted. All other passphrases remain valid and confidential.

What happens in a WLC scenario, when the WLAN-Controller isn't available?
The login data is distributed to the access points, so logging in via LEPS-U remains possible even when the WLAN-Controller isn't available.

LEPS-U only works with WPA2, not with WPA3!

LEPS-U doesn't work when the option WPA2/3 Key Management (Access Point) or WPA2 Key Management (WLAN-Controller) is set to Fast Roaming (or a combination which includes Fast Roaming).

The option WPA2/3 Key Management or WPA2 Key Management can be found in the following menus:

  • Standalone Access Point: Wireless-LAN → General → Logical WLAN settings → WLAN interface x - Network x → Encryption
  • WLAN-Controller: WLAN Controller → Profiles → Logical WLAN networks (SSIDs)

As of LCOS version 10.42 you must enter a passphrase (PSK) in the configuration of the SSID so that the SSID is broadcast!



Requirements:
  • In a WLC scenario, all access points managed by the WLC must also be operated with firmware as of LCOS 10.20!
  • To use LEPS-U, no RADIUS server and no 802.1X authentication is required. The authentication method configured for the SSID is used.
  • The MAC address check doesn't have to be activated in a WLC scenario.


Procedure:
The LEPS-U profiles and LEPS-U users are configured in LANconfig under Wireless LAN → Stations/LEPS → LEPS-U. The option LEPS-U active enables the LEPS-U feature.
With LEPS-U, each user who is to authenticate client devices on the WLAN receives an individual passphrase. Settings shared by several users are defined in LEPS-U profiles, which avoids having to repeat them for every new user.
You then create the LEPS-U users with their individual passphrases and link them to one of the LEPS-U profiles created previously.

LEPS-U profiles:
  • Name:
    Enter a unique name for the LEPS-U profile here.
  • SSID:
    Here you select the SSID or, in the case of a WLC, the logical WLAN network for which the LEPS-U profile is valid. The only users who can authenticate at the SSID or, in the case of a WLC, at the logical WLAN network are those who are connected to it via the LEPS-U profile.
  • Client TX bandwidth limit:
    Here you can set a transmission bandwidth limit in kbps for authenticating WLAN clients.
  • Client RX bandwidth limit:
    Here you can set a reception bandwidth limit in kbps for authenticating WLAN clients.
  • VLAN ID:
    Here you specify which VLAN ID is assigned to a LEPS-U user who is connected to this profile.



LEPS-U users:
Create individual LEPS-U users here. Each LEPS-U user must be linked with a previously created profile and assigned an individual WPA passphrase.
Any client can then use this passphrase to authenticate at the SSID specified in the corresponding profile.
The passphrase identifies the user, who is assigned to the VLAN specified in this table. If no VLAN is specified here, the user is assigned to the VLAN configured in the profile.
Settings for the individual user thus take priority over settings in the profile.

  • Name:
    Enter a unique name for the LEPS-U user here.
  • LEPS-U profile:
    Select the profile for which the LEPS-U user is valid. The only users who can authenticate at the SSID are those who are connected to it via the LEPS-U profile.
  • Passphrase:
    Here you can specify the passphrase to be used by LEPS-U users to authenticate at the WLAN. The passphrase can be a string of 8 to 64 characters. We recommend that the passphrases consist of a random string at least 32 characters long.
  • Client TX bandwidth limit:
    Here you can set a transmission bandwidth limit in kbps for authenticating WLAN clients. If no limit is configured here, the limitation configured in the LEPS-U profile (if any) applies. If a limit is configured in both the LEPS-U profile and for the LEPS-U user, the limit configured for the LEPS-U user applies.
  • Client RX bandwidth limit:
    Here you can set a reception bandwidth limit in kbps for authenticating WLAN clients. If no limit is configured here, the limitation configured in the LEPS-U profile (if any) applies. If a limit is configured in both the LEPS-U profile and for the LEPS-U user, the limit configured for the LEPS-U user applies.
  • VLAN ID:
    Here you specify which VLAN ID is assigned to the LEPS-U user. If no VLAN ID is configured here, the VLAN ID configured in the LEPS-U profile (if any) applies. If a VLAN ID is configured in both the LEPS-U profile and for the LEPS-U user, the VLAN ID configured for the LEPS-U user applies.
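The following is an added model (not LANCOM code, and not how LCOS implements it internally) of the two tables described above: it resolves which user a passphrase belongs to at a given SSID, applies the user-over-profile precedence for VLAN ID and bandwidth limits, enforces the 8 to 64 character range, and generates passphrases of the recommended 32 random characters. Profile and user names and all passphrases are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass
import secrets, string

@dataclass
class LepsProfile:          # one row of the LEPS-U profile table
    name: str
    ssid: str               # SSID (or logical WLAN network on a WLC) the profile is valid for
    vlan_id: int | None = None
    tx_kbps: int | None = None
    rx_kbps: int | None = None

@dataclass
class LepsUser:             # one row of the LEPS-U user table
    name: str
    profile: str            # name of the LEPS-U profile this user is linked to
    passphrase: str
    vlan_id: int | None = None   # unset user values fall back to the profile
    tx_kbps: int | None = None
    rx_kbps: int | None = None

def passphrase_ok(pp: str) -> bool:
    # LEPS-U accepts 8 to 64 characters; the article recommends 32+ random ones
    return 8 <= len(pp) <= 64
def new_passphrase(length: int = 32) -> str:
    # CSPRNG-generated passphrase of the recommended length
    return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))

def resolve(ssid: str, pp: str, profiles: dict, users: list):
    """Effective (user, VLAN, TX kbps, RX kbps) for a client joining `ssid` with passphrase
    `pp`, or None if no user linked to that SSID holds it. User settings override profile ones."""
    for u in users:
        p = profiles.get(u.profile)
        if p is None or p.ssid != ssid:
            continue                       # a user is only valid at its profile's SSID
        if secrets.compare_digest(u.passphrase.encode(), pp.encode()):
            pick = lambda a, b: a if a is not None else b
            return (u.name, pick(u.vlan_id, p.vlan_id),
                    pick(u.tx_kbps, p.tx_kbps), pick(u.rx_kbps, p.rx_kbps))
    return None

PROFILES = {  # constructed sample tables, not taken from a real device
    "STAFF": LepsProfile("STAFF", "COMPANY", vlan_id=10, tx_kbps=20000),
    "GUEST": LepsProfile("GUEST", "COMPANY", vlan_id=99, tx_kbps=2000, rx_kbps=2000),
}
USERS = [
    LepsUser("alice", "STAFF", "p6QhX2vL9sKd3mNw8RtY1zBc4eFg7uJk"),               # inherits VLAN 10
    LepsUser("bob", "STAFF", "Zr5tV8kL2pWq9sXc1nMh4bGy7dJf3aEu", vlan_id=20),    # user VLAN wins
    LepsUser("eve", "GUEST", "Wq2mN7bV4cX9zL1kP6sD8fG3hJ5rT0yU", rx_kbps=500),   # user RX limit wins
]
```

Removing one user's row from USERS revokes only that passphrase; every other user still resolves, which is the per-user revocation property described above.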