
Description:
The following document describes how to configure LEPS (LANCOM Enhanced Passphrase Security) on a LANCOM access point and in a WLAN Controller scenario.
Info
What is LEPS-MAC?
LEPS-MAC uses an additional column in the ACL (access-control list) to assign an individual passphrase consisting of any 8 to 63 ASCII characters to each MAC address. Authentication at the access point is only possible with the correct combination of passphrase and MAC address.
This combination makes spoofing of MAC addresses futile, so LEPS-MAC shuts out a potential attack on the ACL. If WPA2 is used for encryption, the MAC address can indeed be intercepted, but this method never transmits the passphrase over wireless. This greatly increases the difficulty of attacking the WLAN, because both the MAC address and the passphrase must be known before encryption can be negotiated.
LEPS-MAC can be used both locally in the device and centrally managed by a RADIUS server. LEPS-MAC works with all WLAN client adapters available on the market without any modification. Full compatibility to third-party products is assured as LEPS-MAC only involves configuration in the access point.
Compared to LEPS-U, the administrative overhead is slightly higher because the MAC address has to be entered for each device.



Requirements:
Note

In the encryption settings the method WPA2 must be used. WPA1 and WPA3 are not supported.

As of LCOS 10.42 a passphrase (PSK) must be entered when configuring the SSID in order for the SSID to be broadcast!



Procedure
1) Configuring LEPS-MAC on a standalone access point:
1.1) Go to the menu item Wireless LAN → Stations/LEPS → LEPS MAC, select the option transfer data from the listed stations... and open the menu Station rules.
Info

Up to and including LCOS 10.12 this menu can be found under Wireless LAN → Stations → Station rules.

1.2) Modify the following parameters:
  • MAC address pattern: Enter the MAC address of a WiFi end device.
  • SSID pattern: Enter the wildcard * so that the WiFi end device has access to all SSIDs.
  • Name: Enter a descriptive name for the WiFi end device.
  • Passphrase: Enter the WiFi password, which should be used for this WiFi end device.
Info
Please observe that the passphrase can contain a maximum of 63 characters. No special characters may be used (accents, umlauts, etc.). The following characters can be used for the passphrase:
#ABCDEFGHIJKLMNOPQRSTUVWXYZ@{|}~!$%&'()*+-,/:;<=>?[\]^_.0123456789abcdefghijklmnopqrstuvwxyz

Regarding the parameters MAC address pattern and SSID pattern also see the following Knowledge Base article:

Info
No changes have to be made to the WLAN client's configuration. All you have to do to associate with the WLAN network is to enter the passphrase for authentication.
The WLAN client is no longer able to use the global passphrase defined under Wireless LAN → General → Logical WLAN settings → WLAN interface x Network x → Encryption to associate with a WiFi network using this access point.



2) Configuring LEPS-MAC on a WLAN Controller:
2.1) Go to the menu RADIUS → Server and activate the option RADIUS authentication active to activate the RADIUS server.
Info

In contrast to the configuration on a standalone access point the RADIUS server on a WLAN Controller has to be activated, as the MAC filter works via RADIUS.

2.2) Go to the menu WLAN Controller → Stations/LEPS → Station rules.
2.3) Modify the following parameters:
  • MAC address pattern: Enter the MAC address of a WiFi end device.
  • SSID pattern: Enter the wildcard * so that the WiFi end device has access to all SSIDs.
  • Name: Enter a descriptive name for the WiFi end device.
  • Passphrase: Enter the WiFi password, which should be used for this specific WiFi end device.
Info
Please observe that the passphrase can contain a maximum of 63 characters. No special characters may be used (accents, umlauts, etc.). The following characters can be used for the passphrase:
#ABCDEFGHIJKLMNOPQRSTUVWXYZ@{|}~!$%&'()*+-,/:;<=>?[\]^_.0123456789abcdefghijklmnopqrstuvwxyz

Regarding the parameters MAC address pattern and SSID pattern also see the following Knowledge Base article:
Info
No changes have to be made to the WLAN client's configuration. All you have to do to associate with the WLAN network is to enter the passphrase for authentication.
The WLAN client is no longer able to use the global passphrase defined in the respective logical WLAN profile under WLAN Controller → Profiles → Logical WLAN networks (SSIDs) to associate with a WiFi network using this access point.
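
The following added example (not LANCOM code and not part of the original article) checks station rules against the passphrase limits stated above before they are entered, and models why a spoofed MAC address is useless without the matching passphrase. The function names, MAC addresses, passphrases and SSID are constructed; the example assumes full MAC addresses in colon notation (no patterns) and uses the standard WPA2-PSK key derivation, with a key comparison standing in for the handshake check.

```python
import hashlib
import hmac
import re

# Allowed passphrase characters, copied from the list in the article.
ALLOWED = set("#ABCDEFGHIJKLMNOPQRSTUVWXYZ@{|}~!$%&'()*+-,/:;<=>?[\\]^_."
              "0123456789abcdefghijklmnopqrstuvwxyz")
MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")  # assumed notation

def check_rule(mac, passphrase):
    """Return the problems found in one station rule (empty list = OK)."""
    problems = []
    if not MAC_RE.fullmatch(mac.lower()):
        problems.append("MAC address is not six colon-separated hex octets")
    if not 8 <= len(passphrase) <= 63:
        problems.append("passphrase must be 8 to 63 characters long")
    bad = sorted(set(passphrase) - ALLOWED)
    if bad:
        problems.append("characters not allowed: " + "".join(bad))
    return problems

def pmk(passphrase, ssid):
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def authenticate(rules, client_mac, client_passphrase, ssid):
    """Simplified AP decision: the key is selected by the client's MAC address.

    Comparing PMKs stands in for the MIC check of the WPA2 4-way handshake,
    in which only values derived from the key cross the air, never the passphrase.
    """
    expected = rules.get(client_mac.lower())
    if expected is None:
        return False  # MAC address has no station rule
    return hmac.compare_digest(pmk(expected, ssid), pmk(client_passphrase, ssid))

# Constructed sample station rules (locally administered MAC addresses).
RULES = {
    "02:00:00:00:00:01": "Scanner-Dock_7!blue",
    "02:00:00:00:00:02": "Printer-Hall_3?green",
}

if __name__ == "__main__":
    for mac, phrase in RULES.items():
        print(mac, check_rule(mac, phrase) or "OK")
    # Device 2's passphrase presented with device 1's spoofed MAC: rejected.
    print(authenticate(RULES, "02:00:00:00:00:01", RULES["02:00:00:00:00:02"], "OFFICE"))
```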