Description: The following document describes how to use LEPS-U (LANCOM Enhanced Passphrase Security - Users) to facilitate the configuration of separate access keys for each user of a Wi-Fi network on a LANCOM access point.
What is LEPS-U?
LANCOM Enhanced Passphrase Security Users (LEPS-U) allows a set of passphrases to be configured and assigned to individual users or groups. This avoids having one global passphrase for an SSID. Instead, there are several passphrases, which can then be distributed individually.

This is useful for onboarding devices into the network. For example, a network operator “onboarding” multiple WLAN devices into different areas of the network does not want to configure each specific device; instead this should be done by the users of the devices themselves. In this case, users are given a preshared key for the company WLAN for use with their own devices. The preshared key is used to map each user to a VLAN, thus automatically assigning them to a specific network. The configuration of LEPS-U takes place on the infrastructure side only, which assures full compatibility with third-party products.

The security issue presented by global passphrases is fundamentally remedied by LEPS-U. Each user is assigned their own individual passphrase. If a passphrase assigned to a user should “get lost” or an employee with knowledge of their passphrase leaves the company, then only the passphrase of that user needs to be changed or deleted. All other passphrases remain valid and confidential.

What happens in a WLC scenario when the WLAN-Controller isn't available?
The login data is shared with the access points. Thus the login via LEPS-U is also possible when the WLAN-Controller isn't available.
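How an access point can tell per-user passphrases apart while the client performs an ordinary WPA2-PSK login, as an added example (not LANCOM code and not part of the original document). It assumes the generic WPA2-PSK mechanism, in which each configured passphrase is tried against the MIC of handshake message 2; that LEPS-U works this way internally is an assumption, and the SSID, user table, MAC addresses, nonces and frame bytes are constructed.

```python
import hashlib
import hmac

SSID = b"CompanyWLAN"  # constructed SSID
# Constructed per-user table (names, passphrases and VLAN IDs are made up).
USERS = {"alice": ("alice-passphrase-01", 10), "bob": ("bob-passphrase-02", 20)}

def pmk(passphrase: str, ssid: bytes = SSID) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)

def kck(pmk_: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 16 bytes of the PTK (IEEE 802.11 PRF over both MACs and nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(3):  # 3 x 20 bytes of HMAC-SHA1 output covers the 48-byte PTK
        msg = b"Pairwise key expansion\x00" + data + bytes([i])
        out += hmac.new(pmk_, msg, hashlib.sha1).digest()
    return out[:16]

def m2_mic(passphrase, aa, spa, anonce, snonce, eapol_m2: bytes) -> bytes:
    """MIC of handshake message 2 (HMAC-SHA1-128 over the frame, MIC field zeroed)."""
    key = kck(pmk(passphrase), aa, spa, anonce, snonce)
    return hmac.new(key, eapol_m2, hashlib.sha1).digest()[:16]

def identify(users, aa, spa, anonce, snonce, eapol_m2, received_mic):
    """Access point side: return (user, vlan) whose passphrase validates the MIC."""
    for name, (passphrase, vlan) in users.items():
        candidate = m2_mic(passphrase, aa, spa, anonce, snonce, eapol_m2)
        if hmac.compare_digest(candidate, received_mic):
            return name, vlan
    return None  # no configured passphrase matches: the station is rejected

# Constructed handshake values (MAC addresses, nonces and frame bytes are made up).
AA, SPA = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
M2 = b"\x01\x03\x00\x75" + b"\x00" * 117  # stand-in for the EAPOL-Key frame

if __name__ == "__main__":
    mic = m2_mic("bob-passphrase-02", AA, SPA, ANONCE, SNONCE, M2)  # Bob's client
    print(identify(USERS, AA, SPA, ANONCE, SNONCE, M2, mic))        # ('bob', 20)
    remaining = {u: v for u, v in USERS.items() if u != "bob"}      # Bob's entry deleted
    print(identify(remaining, AA, SPA, ANONCE, SNONCE, M2, mic))    # None
```

Deleting one entry from the table locks out only that user, while every other passphrase keeps validating, which is the revocation property described above.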
Note:
LEPS-U only works with WPA2 but not with WPA3!

LEPS-U doesn't work when the option WPA2/3 Key Management (Access Point) or WPA2 Key Management (WLAN-Controller) is set to Fast Roaming (or a combination which includes Fast Roaming). The option WPA2/3 Key Management or WPA2 Key Management can be found in the following menus:
- Standalone Access Point: Wireless-LAN → General → Logical WLAN settings → WLAN interface x - Network x → Encryption
- WLAN-Controller: WLAN Controller → Profiles → Logical WLAN networks (SSIDs)

As of LCOS version 10.42 you must enter a passphrase (PSK) in the configuration of the SSID so that the SSID is broadcast!
Requirements:
- In a WLC scenario, all access points managed by the WLC must also be operated with firmware as of LCOS 10.20!
- To use LEPS-U, no RADIUS server and no 802.1X authentication are necessary. The configured authentication method is used.
- The MAC address check doesn't have to be activated in a WLC scenario.
Procedure: The LEPS-U profiles and LEPS-U users are configured in LANconfig under Wireless LAN → Stations/LEPS → LEPS-U. The option LEPS-U active enables the LEPS-U feature.