Description:
The following document describes how to configure LEPS (LANCOM Enhanced Passphrase Security) on a LANCOM access point and in a WLAN Controller scenario.
What is LEPS-MAC?
LEPS-MAC uses an additional column in the ACL (access-control list) to assign an individual passphrase consisting of any 8 to 63 ASCII characters to each MAC address. Authentication at the access point is only possible with the correct combination of passphrase and MAC address.
This combination makes spoofing a MAC address futile, so LEPS-MAC shuts out a potential attack on the ACL. With WPA2 encryption the MAC address can indeed be intercepted, but the passphrase itself is never transmitted over the air. This greatly increases the difficulty of attacking the WLAN, because the combination of MAC address and passphrase requires both to be known before encryption can be negotiated.
LEPS-MAC can be used both locally in the device and centrally managed by a RADIUS server. LEPS-MAC works with all WLAN client adapters available on the market without any modification. Full compatibility to third-party products is assured as LEPS-MAC only involves configuration in the access point.
Compared to LEPS-U, the administrative overhead is slightly higher because the MAC address has to be entered for each device.



Requirements:
  • LCOS as of version 7 (download latest version)
  • LANtools as of version 7 (download latest version)
  • The MAC check has to be activated in the logical WLAN network:
    • Standalone access point: Wireless LAN → General → Logical WLAN settings → WLAN interface x - Network x → MAC filter enabled
    • WLAN Controller: WLAN Controller → Profiles → Logical WLAN networks (SSIDs) → MAC check activated

In the encryption settings the method WPA2 must be used. WPA1 and WPA3 are not supported.

As of LCOS 10.42 a passphrase (PSK) must be entered when configuring the SSID in order for the SSID to be broadcast!



Procedure
1) Configuring LEPS-MAC on a standalone access point:
No changes have to be made to the WLAN client's configuration. All you have to do to associate with the WLAN network is to enter the passphrase for authentication.
The WLAN client is no longer able to use the global passphrase defined under Wireless LAN → General → Logical WLAN settings → WLAN interface x Network x → Encryption to associate with a WiFi network.


1.1) Configuring LEPS-MAC on a standalone access point via the station rules:
1.1.1) Go to the menu item Wireless LAN → Stations/LEPS → LEPS MAC, select the option transfer data from the listed stations... and open the menu Station rules.

Up to and including LCOS 10.12 this menu can be found under Wireless LAN → Stations → Station rules.

1.1.2) Modify the following parameters:
  • MAC address pattern: Enter the MAC address of a WiFi end device.
  • SSID pattern: Enter the wildcard * so that the WiFi end device has access to all SSIDs.
  • Name: Enter a descriptive name for the WiFi end device.
  • Passphrase: Enter the WiFi password to be used for this WiFi end device.
Please observe that the passphrase can contain a maximum of 63 characters. No special characters may be used (accents, umlauts, etc.). The following characters can be used for the passphrase:
#ABCDEFGHIJKLMNOPQRSTUVWXYZ@{|}~!$%&'()*+-,/:;<=>?[\]^_.0123456789abcdefghijklmnopqrstuvwxyz

Regarding the parameters MAC address pattern and SSID pattern also see the following Knowledge Base article:


1.2) Configuring LEPS-MAC on a standalone access point with an external RADIUS server:

1.2.1) Connect to the access point via LANconfig, go to the menu item Wireless LAN → Stations/LEPS → LEPS MAC and select the option transfer data from the listed stations....

1.2.2) Go to the menu RADIUS server settings.

1.2.3) Create a new entry and modify the following parameters:

  • Server address: Enter the IP address of the RADIUS server.
  • Secret: Enter the password that the access point uses for authentication with the RADIUS server.

1.2.4) Go to the menu Wireless LAN → Stations/LEPS and select the option MAC address for the RADIUS server password source.

In this case the RADIUS server must support the RADIUS parameter LCS-WPA-Passphrase. If necessary, this parameter has to be implemented by importing a suitable dictionary into the RADIUS server.



2) Configuring LEPS-MAC on a WLAN Controller:
No changes have to be made to the WLAN client's configuration. All you have to do to associate with the WLAN network is to enter the passphrase for authentication.
The WLAN client is no longer able to use the global passphrase defined in the respective logical WLAN profile under WLAN Controller → Profiles → Logical WLAN networks (SSIDs) to associate with a WiFi network.


2.1) Configuring LEPS-MAC on a WLAN Controller via the station rules:
2.1.1) Go to the menu RADIUS → Server and activate the option RADIUS authentication active to activate the RADIUS server.

In contrast to the configuration on a standalone access point the RADIUS server on a WLAN Controller has to be activated, as the MAC filter works via RADIUS.

2.1.2) Go to the menu WLAN Controller → Stations/LEPS → Station rules.
2.1.3) Modify the following parameters:
  • MAC address pattern: Enter the MAC address of a WiFi end device.
  • SSID pattern: Enter the wildcard * so that the WiFi end device has access to all SSIDs.
  • Name: Enter a descriptive name for the WiFi end device.
  • Passphrase: Enter the WiFi password to be used for this specific WiFi end device.
Please observe that the passphrase can contain a maximum of 63 characters. No special characters may be used (accents, umlauts, etc.). The following characters can be used for the passphrase:
#ABCDEFGHIJKLMNOPQRSTUVWXYZ@{|}~!$%&'()*+-,/:;<=>?[\]^_.0123456789abcdefghijklmnopqrstuvwxyz

Regarding the parameters MAC address pattern and SSID pattern also see the following Knowledge Base article:


2.2) Configuring LEPS-MAC on a WLAN Controller via an external RADIUS server:

2.2.1) Connect to the WLAN Controller via LANconfig and go to the menu WLAN Controller → Profiles → RADIUS profiles.
2.2.2) Click Add, to create a new RADIUS profile.

The existing default profiles DEFAULT and BACKUP must not be modified. As the profile DEFAULT is assigned to every logical WLAN network, modifying it could otherwise have an impact on existing WLAN networks.

2.2.3) Modify the following parameters:

  • Name: Enter a descriptive name for the profile (in this example RADIUS-EXT).
  • IP address: Enter the IP address of the RADIUS server.
  • Secret: Enter the password that the access points use for authentication with the RADIUS server.

The RADIUS profile is rolled out to the access points together with the WLAN profile. As a result, the access points will communicate with the RADIUS server directly. Therefore requests from the access points have to be allowed in the RADIUS server.

In the default configuration, the access points use the parameter Secret as the RADIUS server password source (see step 1.2.4). In this case, the MAC address has to be entered as the user name and the Secret from the RADIUS profile has to be entered as the password for the user on the external RADIUS server.

As an alternative, the RADIUS server password source can be set to MAC address on the access point (see step 1.2.4). In this case, the MAC address must be entered both as the user name and as the password for the user on the external RADIUS server.

The MAC address for the user name and the password must be entered in the format aabbcc-ddeeff.
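The following helper is an added example and not part of this article or of LCOS: it checks a LEPS-MAC passphrase against the permitted character set and length given in steps 1.1.2 and 2.1.3, normalizes a MAC address into the aabbcc-ddeeff form required above, and derives the user name and password that the external RADIUS server needs for each of the two password source settings from step 1.2.4. Input formats such as 00:A0:57:12:34:56 and 00a0.5712.3456 are assumptions about what an administrator might paste in; the sample values are constructed.

```python
import re

# Characters permitted in a LEPS-MAC passphrase, copied from the article.
# Note that space, the double quote and the backtick are NOT in the set.
LEPS_ALLOWED = set(
    "#ABCDEFGHIJKLMNOPQRSTUVWXYZ@{|}~!$%&'()*+-,/:;<=>?[\\]^_."
    "0123456789abcdefghijklmnopqrstuvwxyz"
)

def validate_leps_passphrase(passphrase):
    """Return a list of problems; an empty list means the passphrase is acceptable
    (8 to 63 characters, only characters from LEPS_ALLOWED)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append(f"length {len(passphrase)} outside 8..63")
    bad = sorted({c for c in passphrase if c not in LEPS_ALLOWED})
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    return problems

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(mac):
    """Accept colon-, hyphen- or dot-separated or bare hex notation (assumed input
    formats) and return the aabbcc-ddeeff form used for the RADIUS user entry."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[:6]}-{digits[6:]}"

def radius_user_entry(mac, password_source, profile_secret=""):
    """Return the (user name, password) pair to create on the external RADIUS server
    for one client, depending on the access point's RADIUS server password source:
    'Secret' uses the RADIUS profile secret, 'MAC address' uses the MAC itself."""
    user = normalize_mac(mac)
    if password_source == "Secret":
        if not profile_secret:
            raise ValueError("profile secret required when password source is Secret")
        return user, profile_secret
    if password_source == "MAC address":
        return user, user
    raise ValueError(f"unknown password source: {password_source!r}")

if __name__ == "__main__":
    # Constructed sample values for a quick manual run.
    print(validate_leps_passphrase("Tr0ub4dor&3!"))
    print(radius_user_entry("00:A0:57:12:34:56", "MAC address"))
```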

2.2.4) Go to the menu WLAN Controller → Profiles → Logical WLAN networks (SSIDs).
2.2.5) Edit the logical WLAN network to be used with LEPS-MAC and modify the following parameters:
  • In the dropdown menu for the RADIUS profile select the profile created in step 2.2.3.
  • Activate the option MAC check activated.