Description:
This article describes how to set up LEPS-U with dynamic VLAN on an access point with LCOS LX.
What is LEPS-U?
LANCOM Enhanced Passphrase Security User (LEPS-U) allows different users to be created, each with their own separate passphrase. This avoids having one global passphrase for an SSID. Instead, there are several passphrases, which can then be distributed individually.
This can be used for onboarding devices to the network, for example when a network operator wants to onboard multiple Wi-Fi devices to different areas of their network, but does not want to configure the devices since the users of the devices should do it themselves. In this case, users are given their own individual pre-shared key for the company Wi-Fi to use with their own devices.
The pre-shared key is used to map each user to a VLAN, which automatically assigns them to a specific network. The configuration of LEPS-U takes place on the infrastructure side only, so assuring full compatibility to third-party products.
The security issue presented by global passphrases is remedied by LEPS- U. Each user gets their own individual passphrase. If a passphrase assigned to a user should get lost or an employee with knowledge of their passphrase leaves the company, then only the passphrase of that user needs to be changed or deleted. All other passphrases remain valid and confidential.
LEPS on LANCOM access points with LCOS LX is only compatible with WPA2.
Requirements:
- LCOS LX as of version 6.10 (download latest version)
- LANtools from version 10.72 (download latest version)
Procedure:
1) Connect to the access point via LANconfig, switch to the menu Wireless-LAN → WLAN-Networks and choose the Country where the access point is operated.
2) Open the menu Wireless-LAN → WLAN-Networks → Network.
3) Adjust the following parameters:
- Network-Name: Enter a descriptive name for the Wi-Fi network (in this example LEPS-U).
- SSID Name: Give the SSID a descriptive name.
- Key (PSK): Enter any WPA key. In this scenario, this only serves as a placeholder and is not used.
- VLAN-ID: Check that the VLAN-ID is set to 0.
4) Go to the menu Wireless-LAN → Stations/LEPS and set LEPS active to the option Yes.
5) Open the menu Wireless-LAN → Stations/LEPS → Profiles.
6) Create a new profile and adjust the following parameters:
- Name: Enter a descriptive name for the LEPS-U profile (in this example LEPS-U-Profile).
- Network-Name: From the drop-down menu, select the Wi-Fi network (in this case LEPS-U) created in step 3.
- Check MAC Address: Check that the option Disabled is selected.
- VLAN: Enter the VLAN ID of a default network to be used by LEPS-U users for communication (in this example the VLAN ID 50).
7) Open the menu Wireless-LAN → Stations/LEPS → Users.
8) Create a new entry to add a default user. This user should have access to the default network (VLAN ID is entered into the LEPS-U profile).
Adjust the following parameters:
- Name: Enter a descriptive name for the LEPS-U user (in this example Default-User).
- Profile: Select the LEPS-U profile created in step 6 (in this case LEPS-U-Profile).
- WPA-Passphrase: Enter a WPA key for the LEPS-U user (in this example Default-User). This must be used in the Wi-Fi device instead of the WPA key stored for the Wi-Fi network.
- VLAN: Leave the VLAN ID at the value 0. This means that the VLAN ID stored in the LEPS-U profile (see step 6) is automatically assigned to this user.
9) Create another new entry to add a special user. This user should have access to a special network (VLAN ID is entered into the LEPS-U user)
Adjust the following parameters:
- Name: Enter a descriptive name for the LEPS-U user (in this example User-1).
- Profile: Select the LEPS-U profile created in step 6 (in this case LEPS-U-Profile).
- WPA-Passphrase: Enter a WPA key for the LEPS-U user (in this User-Password). This must be used in the Wi-Fi device instead of the WPA key stored for the Wi-Fi network.
- VLAN: Enter the VLAN ID of a network to be used by this user for communication (in this example the VLAN ID 51). A VLAN ID entered into the LEPS-U user always has priority over the VLAN ID stored in the LEPS-U profile.
10) This concludes the configuration of LEPS-U with dynamic VLAN. You can now write the configuration back to the device.
