

LCOS LX version and syntax description

This document describes the security-relevant settings of LCOS LX-based access points. It serves as a reference for device administration and secure operation of LANCOM access points.

The described settings apply to devices with at least LCOS LX version 7.10. To ensure comprehensive protection, especially in the area of central administration, the functions of this LCOS LX version are required.

For all listed configuration parameters, the associated command line path, the required commands for parameter setting and recommendations for setting security-relevant values are displayed.

For all encryption and hash methods, we recommend always using the strongest available cryptographic algorithms!

Please observe the minimum requirements for secure passwords:

To meet the minimum password requirements, the following rules should be applied. No password may appear in a dictionary, contain personal data (e.g. date of birth, pet name) or consist of a keyboard pattern (e.g. "qwertz").
A password can be derived from a mnemonic sentence and has to use all four character sets (uppercase letters, lowercase letters, numerals and special characters), e.g. "Our special purpose association consists of 13 municipalities and we all really enjoy working there!" => UZba13Guwaawsgd!
Note: It is essential to devise your own pass phrase!
The password should be at least 10 characters long or use the maximum length that is technically possible. This also applies to passwords for access to sensitive areas, e.g. the passwords of system administrators.
To meet the complexity requirements, all of the following character sets must be used:

  • Capital letters (A to Z)
  • Lowercase letters (a to z)
  • Digits (0 to 9)
  • Special characters (e.g. !, $, -, %)

If this is not possible, at least the technically possible character sets must be used.
Also observe the guidelines of the German Federal Office for Information Security (BSI) for creating secure passwords.


SNMP:

This menu contains the configuration of SNMP.


Path of console:
Setup

Parameters

Path

Description

Send traps

Setup → SNMP

In case of serious errors, e.g. unauthorized access, the device can automatically send an error message to one or more SNMP managers. Switch on this option and enter the targets on which these SNMP managers are installed in the Target Addresses table.

Port

Setup → SNMP

This parameter specifies the port via which the SNMP service can be accessed by external programs such as LANmonitor.

Admitted protocols

Setup → SNMP

Activate the SNMP versions that the device should support for SNMP requests and SNMP traps here.

Allow admins

Setup → SNMP

If registered administrators (including the root user) should also be given access via SNMPv3, enable this option.

Operating

Setup → SNMP

This entry enables or disables SNMP traps.

Recommendations:

  • Setup → SNMP → Admitted Protocols: SNMPv3.
  • Setup → SNMP → Allow-Admins: No (only in exceptional cases "Yes")
  • Setup → SNMP → Operating: Yes (only if trap receivers are defined, otherwise "No")

Communities

SNMP agents and SNMP managers belong to SNMP communities. These communities combine certain SNMP hosts into groups to make them easier to manage. On the other hand, SNMP communities offer limited security when accessing via SNMP, since an SNMP agent only accepts SNMP requests from users whose community it knows. Configure the SNMP communities in this table.

SNMP communities are only needed when using SNMPv1 & SNMPv2. For security reasons, LANCOM Systems recommends always using SNMPv3.


Path of console:
Setup → SNMP

Parameters

Path

Description

Name

Setup → SNMP → Communities

Enter a meaningful name for this SNMP community here.

Security name

Setup → SNMP → Communities

Enter the name of the access policy that defines the access rights for all community members.

State

Setup → SNMP → Communities

Use this entry to enable or disable this SNMP community.

Recommendations:

  • Deactivate or delete the predefined "public" default community: it is generally known and allows unauthorized read access.
  • Use your own communities with complex names.
  • Community names should be treated like passwords: at least 16 characters, a random combination of uppercase/lowercase letters, numbers and special characters.
  • Set communities that are not in use to Inactive or delete them completely.

Groups

Configuring SNMP groups makes it easy for multiple users to manage and assign authentication and access rights.

Path of console:
Setup → SNMP

Parameters

Path

Description

Security model

Setup → SNMP → Groups

SNMPv3 introduced the concept of a security model, and the SNMP configuration of LCOS LX primarily uses the SNMPv3 security model.
For compatibility reasons, however, it may be necessary to also support SNMPv2c or even SNMPv1 and to select them accordingly as the security model. Select a security model here.

Security name

Setup → SNMP → Groups

Select a security name that you have assigned to an SNMP community here. It is also possible to specify the name of a user that has already been configured.

Group name

Setup → SNMP → Groups

Enter a descriptive name for this group. You will then use this name when configuring the access rights.

State

Setup → SNMP → Groups

Enables or disables this group configuration.

Recommendations:

  • Setup → SNMP → Groups → Security Model: Use SNMPv3_USM (AuthPriv with SHA + AES).
  • Setup → SNMP → Groups → Status: Activate only necessary groups and deactivate the rest.

Accesses

This table summarizes the different configurations for access rights, security models and views.

Path of console:
Setup → SNMP

Parameters

Path

Description

Security model

Setup → SNMP → Accesses

Activate the appropriate security model here.

Read-View-Name

Setup → SNMP → Accesses

Determine the view of the MIB entries for which this group should be given read rights.

Write-view name

Setup → SNMP → Accesses

Determine the view of the MIB entries for which this group should be given write permissions.

Notify View Name

Setup → SNMP → Accesses

Determine the view of the MIB entries for which this group should be given the Notify rights.

State

Setup → SNMP → Accesses

Enables or disables this entry.

Min-security level

Setup → SNMP → Accesses

Specify the minimum security to apply to access and data transfer.

Recommendations:

  • Setup → SNMP → Accesses → Security Model: Use SNMPv3_USM.
  • Setup → SNMP → Accesses → Write-View-Name: Leave blank and define only if absolutely necessary.
  • Setup → SNMP → Accesses → Status: Activate only necessary entries.
  • Setup → SNMP → Accesses → Min-Security-Level: Use AuthPriv (SHA+AES).

Views

This table summarizes individual values or entire branches of the device's MIB that a user can view or modify in accordance with their access rights.

Path of console:
Setup → SNMP

Parameters

Path

Description

View name

Setup → SNMP → Views

Give the view a descriptive name here.

OID subtree

Setup → SNMP → Views

Determine which values and actions of the MIB this view should include by specifying the respective OIDs, separated by commas.

Type

Setup → SNMP → Views

Determine whether the specified OID subtrees are included in or excluded from the view.

State

Setup → SNMP → Views

Enables or disables this view.

Recommendations:

  • Setup → SNMP → Views → OID subtree: Only use relevant monitoring OIDs (e.g. ifTable, system status).
  • Setup → SNMP → Views → Type: Included for necessary OIDs and Excluded for sensitive OIDs.
  • Setup → SNMP → Views → Status: Activate only necessary views and deactivate the rest.
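How an agent resolves a request against the Views table above: the longest matching OID subtree decides whether an OID is visible, so an "Excluded" row below an "Included" row carves a sensitive branch out of a monitoring view. This is an added example in the style of the VACM view resolution of RFC 3415, not LCOS LX code; the view rows, the choice of sysLocation as the "sensitive" OID and the ViewRow field names are constructed assumptions (VACM family masks are not modelled).

```python
"""Resolve SNMP view visibility the way VACM (RFC 3415) does.

Constructed example rows: view 'monitoring' includes the system group and
ifTable, excludes sysLocation, and has one inactive row that must be ignored.
"""
from dataclasses import dataclass


def parse_oid(text: str) -> tuple[int, ...]:
    """Turn a dotted OID such as '1.3.6.1.2.1.1' into a tuple of sub-identifiers."""
    text = text.strip().lstrip(".")
    if not text:
        raise ValueError("empty OID")
    return tuple(int(part) for part in text.split("."))


def parse_subtree_field(field: str) -> list[tuple[int, ...]]:
    """Parse the comma-separated 'OID subtree' field of one Views row."""
    return [parse_oid(item) for item in field.split(",") if item.strip()]


@dataclass(frozen=True)
class ViewRow:
    view_name: str
    oid_subtree: str          # comma-separated OIDs, as entered in Setup → SNMP → Views
    type: str                 # "Included" or "Excluded"
    state: str = "Active"     # "Active" or "Inactive"


def build_view(rows, view_name):
    """Collect (subtree, included?) pairs for one view, skipping inactive rows."""
    entries = []
    for row in rows:
        if row.view_name != view_name or row.state != "Active":
            continue
        included = row.type.lower() == "included"
        for subtree in parse_subtree_field(row.oid_subtree):
            entries.append((subtree, included))
    return entries


def is_visible(entries, oid_text):
    """VACM rule: the longest matching subtree decides; on equal length the
    lexicographically greatest subtree wins; no match means not in the view."""
    oid = parse_oid(oid_text)
    best = None
    for subtree, included in entries:
        if len(subtree) <= len(oid) and oid[:len(subtree)] == subtree:
            if best is None or (len(subtree), subtree) > (len(best[0]), best[0]):
                best = (subtree, included)
    return best is not None and best[1]


# Constructed Views rows mirroring the recommendation above.
VIEW_ROWS = [
    ViewRow("monitoring", "1.3.6.1.2.1.1, 1.3.6.1.2.1.2.2", "Included"),   # system group, ifTable
    ViewRow("monitoring", "1.3.6.1.2.1.1.6", "Excluded"),                 # sysLocation, treated as sensitive here
    ViewRow("monitoring", "1.3.6.1.6.3.15", "Included", state="Inactive"),  # usmMIB row left inactive
]


def check_examples():
    """Evaluate a few well-known OIDs against the 'monitoring' view."""
    entries = build_view(VIEW_ROWS, "monitoring")
    return {
        "sysName": is_visible(entries, "1.3.6.1.2.1.1.5.0"),          # True
        "sysLocation": is_visible(entries, "1.3.6.1.2.1.1.6.0"),      # False: excluded row is longer
        "ifDescr": is_visible(entries, "1.3.6.1.2.1.2.2.1.2.1"),      # True
        "usmUserTable": is_visible(entries, "1.3.6.1.6.3.15.1.2.2"),  # False: row inactive, no match
    }


if __name__ == "__main__":
    for name, visible in check_examples().items():
        print(f"{name}: {'visible' if visible else 'hidden'}")
```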

Users

This menu contains the user configuration.

Path of console:
Setup → SNMP

Parameters

Path

Description

User name

Setup → SNMP → Users

Enter the SNMPv3 user name here.

Authentication protocol

Setup → SNMP → Users

Determine the procedure that the user must use to authenticate to the SNMP agent.

Authentication Password

Setup → SNMP → Users

Enter the password of the user here that is required for authentication.

Privacy password

Setup → SNMP → Users

Enter the password of the user required for the encryption.

State

Setup → SNMP → Users

Enables or disables this user.

Authentication-Password-Type

Setup → SNMP → Users

Type of the authentication password. If you want to enter a new password via the console, you must first change the type here to "Plaintext"; the password can then be entered in plain text. LCOS LX then encrypts the password and resets this value to "Masterkey".

Privacy password type

Setup → SNMP → Users

Type of the privacy (encryption) password. If you want to enter a new password via the console, you must first change the type here to "Plaintext"; the password can then be entered in plain text. LCOS LX then encrypts the password and resets this value to "Masterkey".

Recommendations:

  • Setup → SNMP → Users → Authentication Protocol: HMAC-SHA256 or later.
  • Setup → SNMP → Users → Authentication Password: Long, complex password, rotate regularly.
  • Setup → SNMP → Users → Privacy Protocol: AES256
  • Setup → SNMP → Users → Privacy Password: Use a separate, complex password. It must not be the same as the authentication password.
  • Setup → SNMP → Users → Authentication/Privacy Password Type: Use Masterkey (default). Plaintext only briefly while entering a new password.
  • Setup → SNMP → Users → Status: Use only active and required users.
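Why the authentication and privacy passwords must differ, and why a captured key from one access point does not unlock another: USM derives both stored keys from the passphrase and the device's engine ID with the same function. This is an added example implementing the password-to-key and key-localization procedure of RFC 3414 Appendix A.2 (reused unchanged for SHA-2 by RFC 7860), not LCOS LX code; ENGINE_ID and the passphrases in demo() are constructed values.

```python
"""SNMPv3 USM key localization (RFC 3414 A.2; RFC 7860 reuses it for SHA-2).

Added example, not LCOS LX code. The engine ID and passphrases below are
constructed; on a real access point the engine ID is its snmpEngineID.
"""
import hashlib

EXPANSION_LEN = 1_048_576  # the password is repeated to exactly 1 MiB


def password_to_key(password: str, engine_id: bytes, algo: str = "sha256") -> bytes:
    """Return the localized key Kul = H(Ku || engineID || Ku).

    Ku = H(password repeated to 1,048,576 bytes). Mixing in the engine ID
    makes the stored key unique per device: the same passphrase on two
    access points yields two different keys.
    """
    if not password:
        raise ValueError("password must not be empty")
    pw = password.encode("utf-8")
    expanded = (pw * (EXPANSION_LEN // len(pw) + 1))[:EXPANSION_LEN]
    ku = hashlib.new(algo, expanded).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_user_keys(auth_password, priv_password, engine_id, algo="sha256"):
    """Keys the agent stores for one user: the authentication key for
    HMAC-SHA-256 and the privacy key from which the AES key is taken.
    AES-128 uses the first 16 bytes (RFC 3826); AES-256 needs 32 bytes, which
    a SHA-256 localized key supplies directly (shorter hashes need a key
    extension step that is not shown here)."""
    auth_key = password_to_key(auth_password, engine_id, algo)
    priv_key = password_to_key(priv_password, engine_id, algo)
    return {"auth_key": auth_key, "priv_key": priv_key,
            "same_key": auth_key == priv_key}


# Constructed engine ID (not a real device's snmpEngineID).
ENGINE_ID = bytes.fromhex("800000000302c0ffee0001")


def demo():
    """Identical passphrases give identical auth and priv keys; a separate
    privacy passphrase, as recommended above, does not."""
    weak = usm_user_keys("Correct-Horse-13!", "Correct-Horse-13!", ENGINE_ID)
    strong = usm_user_keys("Correct-Horse-13!", "Battery-Staple-42#", ENGINE_ID)
    return weak["same_key"], strong["same_key"]   # (True, False)


if __name__ == "__main__":
    same_weak, same_strong = demo()
    print("identical passphrases -> identical keys:", same_weak)
    print("separate privacy passphrase -> identical keys:", same_strong)
```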

Target addresses

In the list of receiver addresses, configure the receivers to which the SNMP agent sends the SNMP traps.

Path of console:
Setup → SNMP

Parameters

Path

Description

Name

Setup → SNMP → Target Addresses

Enter the destination address name here.

Transport address

Setup → SNMP → Target Addresses

The transport address describes the IP address and port number of an SNMP trap receiver and is specified in the syntax <IP address>:<port> (e.g. 128.1.2.3:162). UDP port 162 is used for SNMP traps.

Parameter name

Setup → SNMP → Target Addresses

Select the desired entry from the list of receiver parameters.

State

Setup → SNMP → Target Addresses

Enables or disables this destination address.

Recommendations:

  • Setup → SNMP → Target Addresses → Status: Activate only productive targets and deactivate the rest.

Target params

This table configures how the SNMP agent handles the SNMP traps it sends to the recipients.

Path of console:
Setup → SNMP

Parameters

Path

Description

Name

Setup → SNMP → Target Params

Enter a descriptive name for the entry.

Message processing model

Setup → SNMP → Target Params

Determine here which protocol the SNMP agent uses to structure the message.

Security model

Setup → SNMP → Target Params

Use this entry to define the security model.

Security name

Setup → SNMP → Target Params

Select a security name that you have assigned to an SNMP community here. It is also possible to specify the name of a user that has already been configured.

Security level

Setup → SNMP → Target Params

Define the security level to be used when sending SNMP traps to this receiver.

State

Setup → SNMP → Target Params

Enables or disables this entry.

Recommendations:

  • Setup → SNMP → Target Params → Message Processing Model: Use SNMPv3.
  • Setup → SNMP → Target Params → Security Model: Use SNMPv3_USM.
  • Setup → SNMP → Target-Params → Security-Level: Use AuthPriv.
  • Setup → SNMP → Target-Params → Status: Active (for productive entries only)

Config:

Contains the general configuration settings.

Path of console:
Setup

Parameters

Path

Description

Administrator

Setup → Config

Name of the device administrator. Used for display purposes only.

Config-aging-minutes

Setup → Config

Here you can specify after how many minutes of inactivity a configuration connection over TCP (e.g. an SSH connection) is automatically terminated.

Admins

Setup → Config

Use this table to create additional administrators, who may be given limited rights.

Administrator

Setup → Config → Admins

Login name of the administrator in this row of the table.

Function rights

Setup → Config → Admins

Activate the administrator's function rights here in this row of the table.

Rights

Setup → Config → Admins

The administrator rights in this row of the table.

Hashed password

Setup → Config → Admins

Hash value of the administrator password in this row of the table.

Recommendations:

  • Setup → Config → Admins → Administrator: Use individual user name per administrator.
  • Setup → Config → Admins → Function-Rights / Rights: Assign only the rights that are required (least privilege).

Tacacs plus

Configure authentication, authorization and accounting (AAA) using the TACACS+ protocol. If this feature is active, admin logins are checked against the TACACS+ server, and displayed and modified configuration items are transferred to the TACACS+ server for authorization and/or logging.

Path of console:
Setup → Config

Parameters

Path

Description

Operating

Setup → Config → TACACS Plus

Turns the use of TACACS+ on or off.

Internal-fallback-allowed

Setup → Config → TACACS Plus

If this option is activated, a login with local user credentials is possible when the TACACS+ servers cannot be reached.

Server address

Setup → Config → TACACS Plus

The IP address of the primary TACACS+ server.

Server port

Setup → Config → TACACS Plus

The port of the primary TACACS+ server.

Server Secret

Setup → Config → TACACS Plus

The key used to communicate with the primary TACACS+ server.

Spare server address

Setup → Config → TACACS Plus

The IP address of the backup TACACS+ server.

Spare server port

Setup → Config → TACACS Plus

The backup TACACS+ server port.

Spare server secret

Setup → Config → TACACS Plus

The key used to communicate with the backup TACACS+ server.

Recommendations:

  • Setup → Config → Tacacs-Plus → Operating: Yes
  • Setup → Config → Tacacs-Plus → Internal-Fallback-Allowed: No
  • Setup → Config → Tacacs-Plus → Server Address: Use internal management IP (e.g. 10.0.0.10).
  • Setup → Config → Tacacs-Plus → Server port: 49
  • Setup → Config → Tacacs-Plus → Server-Secret: Use strong, complex secret with at least 32 characters.
  • Setup → Config → Tacacs-Plus → Spare Server Address: Use internal backup IP (e.g. 10.0.0.11).
  • Setup → Config → Tacacs-Plus → Spare Server Port: 49
  • Setup → Config → Tacacs-Plus → Spare Server-Secret: Use a strong and separate secret.

SSH

Configure SSH settings here.

Path of console:
Setup → Config

Parameters

Path

Description

RSA hostkey length

Setup → Config → SSH

The length of the SSH host key can be selected between 2048 bits and 4096 bits. After changing the setting, the hostkey is immediately regenerated.

Root hashed

Setup → Config → SSH

Hash value of the administrator root password.

Recommendations:

  • Setup → Config → SSH → RSA-Hostkey-Length: Use a key length of 4096 bits.

Wireless LAN:

Configuration settings for WLAN parameters.

Path of console:
Setup → WLAN

Network

Configure all general settings for the WLAN networks (SSIDs) to be broadcast. For each WLAN network, add a row to the table. By default, the table is empty.

Path of console:
Setup → WLAN

Parameters

Path

Description

Network name

Setup → WLAN → Network

Configure a suitable name for the WLAN network here. This internal name is used to reference the interface configuration in further parts of the configuration.

SSID name

Setup → WLAN → Network

Configure the externally visible SSID name here. This name is displayed on the WLAN clients when searching for WLAN networks.

Closed network

Setup → WLAN → Network

Configure here whether the configured SSID should be displayed by clients during network scanning. If the SSID broadcast is suppressed, the access point no longer responds to probe requests with an empty SSID. In this case, the SSID must be explicitly entered and configured on the client in order to set up a connection.

Max Stations

Setup → WLAN → Network

The number indicates how many clients can be registered in the WLAN network at the same time before the request of another client is rejected.

Inter-station traffic

Setup → WLAN → Network

Depending on the application, it is desirable or not desirable for the WLAN clients connected to an access point to communicate with other clients. Configure here whether the WLAN clients should be allowed to communicate within the WLAN network.

Client isolation

Setup → WLAN → Network

The client isolation can be configured to prevent WLAN clients from communicating with each other or with generally prohibited targets in the network. In this case, all data traffic originating from WLAN clients to targets not explicitly recorded in a whitelist is prohibited. The client isolation can be switched on for each SSID.

Min Client Strength

Setup → WLAN → Network

Configure here the minimum signal strength in percent with which a client must be "seen" by the access point so that it is allowed to log on to the WLAN network.

Exclude-from-client-management

Setup → WLAN → Network

Excludes this SSID from band steering (client management) if required.

Time frame

Setup → WLAN → Network

Enter the name of a time frame by which this SSID is switched on and off in a time-controlled manner.

Block multicast

Setup → WLAN → Network

This can be used to block multicasts sent from or received by WLAN clients. IPv4 and IPv6 can be distinguished.

Bridge

Setup → WLAN → Network

If used internally for WLC operation or if L2TP is used, the L2TP interface must be entered here.

Key

Setup → WLAN → Network

Configure the pre-shared key (PSK) used for the WLAN network here.

Encryption profile

Setup → WLAN → Network

Configure here an encryption profile from the data available in Setup → WLAN → Encryption which defines which authentication and encryption method should be used for the SSID.

Idle timeout

Setup → WLAN → Network

This is the time in seconds after which a client is disconnected when the access point has no longer received packets from it. All data traffic of the client resets this timeout.

Recommendations:

  • Setup → WLAN → Network → Inter-Station Traffic: Yes (if clients are to communicate with each other).
  • Setup → WLAN → Network → Client Isolation: No (No isolation, internal communication allowed).
  • Setup → WLAN → Network → Min-Client-Strength: 20 (very weak connections are prevented).
  • Setup → WLAN → Network → Block multicast: No (multicast traffic, e.g. for printer/streaming, remains allowed)
  • Setup → WLAN → Network → Key: Strong WPA3-PSK password (high security for WLAN access).
  • Setup → WLAN → Network → Idle Timeout: 600 s (disconnects inactive clients after 10 minutes and thus protects resources)

Encryption

Configure here all settings related to the encryption and authentication of WLAN networks. By default, some encryption profiles are already stored and can be used in the configuration of WLAN networks.

Path of console:
Setup → WLAN

Parameters

Path

Description

Profile name

Setup → WLAN → Encryption

Select a suitable name for the encryption profile here. This internal name is used to reference the encryption profile in further parts of the configuration.

Encryption

Setup → WLAN → Encryption

Configure here whether the WLAN network is encrypted or operates without encryption (open network).

Method

Setup → WLAN → Encryption

Configure the encryption method here.

WPA version

Setup → WLAN → Encryption

Configure the WPA version used for the 802.11i-WPA-PSK and 802.11i-WPA-802.1X encryption methods here.

WPA rekeying cycle

Setup → WLAN → Encryption

In WEP, a 48-bit initialization vector (IV) was intended to make it difficult for attackers to calculate the key. WPA additionally introduced the use of a new key for each data packet (per-packet key mixing and re-keying). The real key, consisting of the IV and the WPA key, would repeat only after 16 million packets; in heavily used WLANs this takes several hours. To prevent the real key from repeating, WPA provides for an automatic renegotiation of the key at regular intervals.
Configure the time in seconds after which the access point exchanges the keys in use when a WPA version is used.

WPA1 session key types

Setup → WLAN → Encryption

Configure here which session key type is used for WPA version 1. This also influences the encryption method used.

WPA2-3 session key types

Setup → WLAN → Encryption

Configure here which session key type is to be offered for WPA version 2 or 3. This also influences the encryption method used.

Prot. Mgmt frames

Setup → WLAN → Encryption

The management information transmitted in a WLAN for setting up and operating data links is unencrypted as standard. Anyone within a WLAN cell can receive and evaluate this information, even if they are not logged into an access point. Although this does not pose any danger to an encrypted data link, it can severely disrupt communications within a WLAN cell due to fake management information.
The IEEE 802.11w standard encrypts the transmitted management information (PMF) so that an attacker who does not have the appropriate key can no longer interfere with communications.

Prot. beacons

Setup → WLAN → Encryption

The IEEE 802.11be (Wi-Fi 7) standard specifies the use of beacon protection. This can be configured here.

Pre-authentication

Setup → WLAN → Encryption

Fast authentication via the Pairwise Master Key (PMK) only works if the WLAN client has previously logged on to the AP. To shorten the time required to log on to the AP when the first login attempt is made, the WLAN client uses pre-authentication. Normally, a WLAN client scans the environment in the background for existing APs so that it can reconnect to one of them if necessary. APs that support WPA2/802.1X can communicate their ability to pre-authenticate to the requesting WLAN clients. WPA2 pre-authentication differs from normal 802.1X authentication in the following processes:

  • The WLAN client registers with the new AP via the infrastructure network that connects the APs to each other.

    This can be an Ethernet connection, a WDS link (wireless distribution system) or a combination of both.
  • A deviating Ethernet protocol (EtherType) distinguishes pre-authentication from normal 802.1X authentication. The current AP and all other network partners thus treat pre-authentication as normal data transmission of the WLAN client.
  • After successful pre-authentication, the new AP and the WLAN client save the negotiated PMK.

OKC

Setup → WLAN → Encryption

This option enables or disables opportunistic key caching (OKC).

WPA2 key management

Setup → WLAN → Encryption

Determine here which standard the WPA2 key management should work according to.

PMK-IAPP-Secret

Setup → WLAN → Encryption

This pass phrase is used to implement encrypted opportunistic key caching. This is required to use fast roaming via IAPP. Each interface must be assigned an individual IAPP passphrase in the WLAN connection settings. This is used to encrypt the pairwise master keys (PMKs). This allows access points with matching IAPP passphrase (PMK-IAPP-Secret) to exchange PMKs with each other and ensure uninterrupted connections. Therefore, make sure that this pass phrase is identical on all access points between which fast roaming is to be used.

RADIUS server profiles

Setup → WLAN → Encryption

Configure the RADIUS server profile here, which is used when using 802.1X. If PSK-based encryption methods are used, no entry is required here.

SAE/OWE groups

Setup → WLAN → Encryption

Contains the selection of the Diffie-Hellman groups offered as bit masks on the basis of which the protocol partners create a key for data exchange. The available groups use elliptic curves.
The simultaneous authentication of equals (SAE) authentication method used in WPA3 uses these methods together with AES to generate a cryptographically strong key.

Recommendations:

  • Setup → WLAN → Encryption → Encryption: Yes (always enable encryption for secure data transmission).
  • Setup → WLAN → Encryption → Method: 802.11i-WPA-PSK or 802.11i-WPA-802.1X (Secure methods for PSK or RADIUS).
  • Setup → WLAN → Encryption → WPA version: WPA3 (maximum security, modern WLAN clients support this).
  • Setup → WLAN → Encryption → WPA rekeying cycle: 3600 s (renew the key on a regular basis because it protects against key repetition).
  • Setup → WLAN → Encryption → WPA2-3 session key types: AES-CCMP-256 or AES-GCMP-256 (works only with compatible clients. Avoid TKIP, as it is no longer considered secure).
  • Setup → WLAN → Encryption → Prot. Mgmt Frames: Mandatory (encrypt management frames, protects against manipulation).
  • Setup → WLAN → Encryption → Prot. beacons: Yes (beacon protection enabled for Wi-Fi 7).
  • Setup → WLAN → Encryption → Pre-Authentication: Yes (faster login while roaming between access points).
  • Setup → WLAN → Encryption → WPA2 key management: standard+fast roaming (roaming for modern WLAN clients, standard for legacy clients).
  • Setup → WLAN → Encryption → PMK-IAPP-Secret: Identical on all access points (secure fast roaming via IAPP).
  • Setup → WLAN → Encryption → RADIUS Server Profiles: Only necessary for 802.1X, otherwise leave blank (PSK does not require a RADIUS).
  • Setup → WLAN → Encryption → SAE/OWE groups: Select the highest available groups when using WPA3. Otherwise, this is not relevant.

Client-isolation-allowed

Configure the allowed targets for client isolation here.

Path of console:
Setup → WLAN

Parameters

Path

Description

Network name

Setup → WLAN → Client-Isolation-Allowed

Select here the network / SSID to which the entry should apply. Then, optionally, enter a destination IP address.

IP network

Setup → WLAN → Client-Isolation-Allowed

Allowed destination IP address for this network.

MAC address

Setup → WLAN → Client-Isolation-Allowed

Allowed destination MAC address for this network.

Recommendations:

  • Setup → WLAN → Client-Isolation-Allowed → Network Name: Select SSID (activate isolation only for the desired WLAN).
  • Setup → WLAN → Client-Isolation-Allowed → IP network: Enter the IP addresses of the allowed targets (e.g. printers or servers that need to be reachable).
  • Setup → WLAN → Client-Isolation-Allowed → MAC-Address: Enter the MAC addresses of the allowed devices (additional security for certain devices).

LEPS

LANCOM Enhanced Passphrase Security (LEPS) allows you to assign user-defined passphrases to WLAN stations without first having to record the stations by their MAC address. Alternatively, a MAC address filter can also be implemented.

Path of console:
Setup → WLAN

Parameters

Path

Description

Operating

Setup → WLAN → LEPS

Turns LEPS on or off. In the switched-off state, the created LEPS users are ignored when WLAN clients log on.

Profiles

Setup → WLAN → LEPS

Configure LEPS profiles here and connect them to an SSID. The LEPS profiles can then be assigned to the LEPS users. You can overwrite the profile values for a user with individual values.

Name

Setup → WLAN → LEPS → Profiles

Enter a unique name for the LEPS profile here.

Network name

Setup → WLAN → LEPS → Profiles

Select the SSID here or, for the WLC, the logical WLAN network for which the LEPS profile is to be valid. Only LEPS users can log on to the SSID or to the WLC on the logical WLAN network to which they are connected via the LEPS profile.

Mac list

Setup → WLAN → LEPS → Profiles

Here you can specify whether and how the MAC addresses are to be checked.

VLAN

Setup → WLAN → LEPS → Profiles

Here you can define which VLAN a LEPS user connected to this profile will be assigned.

Users

Setup → WLAN → LEPS

Create individual LEPS users here. Every LEPS user must be connected to a previously created profile.

Name

Setup → WLAN → LEPS → Users

Enter a unique name for the LEPS user.

Profiles

Setup → WLAN → LEPS → Users

Select the profile for which the LEPS user should be valid here. Only LEPS users can log on to the SSID to which they are connected via the LEPS profile.

WPA passphrase

Setup → WLAN → LEPS → Users

Enter the passphrase that the LEPS user should use to log on to the WLAN.

VLAN

Setup → WLAN → LEPS → Users

Here you can define which VLAN the LEPS user will be assigned to. If no VLAN is configured here, any VLAN configured in the LEPS profile applies. If a VLAN is configured both in the LEPS profile and on the LEPS user, the VLAN ID configured on the LEPS user applies.

MAC address

Setup → WLAN → LEPS → Users

Optional specification of a MAC address for a MAC filter. Depending on the setting in the profile, this entry is ignored or only the client devices listed in this table can log on (whitelist). Using a blacklist, the MAC filter works exactly the opposite way - the specified MAC addresses cannot log on.

Recommendations:

  • Setup → WLAN → LEPS → Operating: Yes (enable LEPS so that users can use individual passphrases).
  • Setup → WLAN → LEPS → Users → Profile: "OfficeLEPS" (connection to the previously created profile).
  • Setup → WLAN → LEPS → Users → WPA-Passphrase: Use individual strong passphrase (security for each user).
  • Setup → WLAN → LEPS → Users → MAC Address: Optional (only required for profile with whitelist/blacklist).

RADIUS

Configuration settings of the parameters for RADIUS and IEEE 802.1X.

Path of console:
Setup → RADIUS

RADIUS server

Configure the settings for RADIUS server profiles for use with WLAN networks that use 802.1X as the authentication method.

Path of console:
Setup → RADIUS

Parameters

Path

Description

Name

Setup → RADIUS → RADIUS server

Select a suitable name for the RADIUS server profile here. This internal name is used to reference the RADIUS server profile in further parts of the configuration.

Port

Setup → RADIUS → RADIUS server

Select here the (UDP) port that will be used to contact the RADIUS server.

Secret

Setup → RADIUS → RADIUS server

Configure here the secret with which the data traffic between the device and the RADIUS server is encrypted. This secret must also be stored on the RADIUS server.

Backup

Setup → RADIUS → RADIUS server

Configure a backup profile here which is used if the RADIUS server in the profile configured here is not reachable.

Server IP address

Setup → RADIUS → RADIUS server

Configure here the hostname or the IP address at which the RADIUS server can be reached.

Accounting port

Setup → RADIUS → RADIUS server

Select here the port (UDP) that will be used to contact the RADIUS accounting server.

Accounting IP address

Setup → RADIUS → RADIUS server

Configure here the hostname or the IP address at which the RADIUS accounting server can be reached.

MAC check

Instead of authenticating a user name via the RADIUS server, this can also be done with a MAC address.

Path of console:
Setup → RADIUS → RADIUS server

Parameters

Path

Description

fallback dynamic VLAN ID

Setup → RADIUS → RADIUS server

If a RADIUS server does not provide a VLAN ID for a WLAN client, the

Require Message Authenticator

Setup → RADIUS → RADIUS server

This option determines whether the presence of a Message-Authenticator attribute in RADIUS messages is mandatory. If it is, messages without a Message-Authenticator are rejected without being processed.

Recommendations:

  • Setup → RADIUS → RADIUS server → Server IP address: IP address of the RADIUS server (connection destination for authentication).
  • Setup → RADIUS → RADIUS server → Port: 1812 (standard port for RADIUS authentication).
  • Setup → RADIUS → RADIUS server → Secret: Use a strong and shared secret (encrypts the communication between the access point and RADIUS server).
  • Setup → RADIUS → RADIUS server → Backup: optional backup profile (ensures authentication in case the main server fails).
  • Setup → RADIUS → RADIUS server → Accounting IP address: IP address of the RADIUS accounting server for usage logging.
  • Setup → RADIUS → RADIUS server → Accounting port: 1813 (standard port for accounting)
  • Setup → RADIUS → RADIUS server → Require-Message-Authenticator: Yes (This increases security because only valid RADIUS messages are accepted).
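The Require-Message-Authenticator behaviour described above, as an added Python example (not LCOS LX or LANCOM code): it builds a RADIUS Access-Accept carrying a Message-Authenticator attribute, verifies it with the HMAC-MD5 procedure of RFC 2869, and classifies packets that lack or fail the check so they can be dropped. The shared secret, identifiers and attribute values are constructed for the demo.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80        # Message-Authenticator attribute type (RFC 2869)
ACCESS_REQUEST = 1   # the only code whose own Authenticator field enters the HMAC


def parse_attributes(packet):
    """Yield (type, value_offset, value) for each attribute after the 20-byte header."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, pos + 2, packet[pos + 2:pos + alen]
        pos += alen


def build_packet(code, ident, authenticator, attrs):
    """Serialise a RADIUS packet; attrs is a list of (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def hmac_input(packet, value_offset, request_authenticator):
    """Copy of the packet with the Message-Authenticator value zeroed and, for
    responses, the Authenticator field replaced by the Request Authenticator."""
    work = bytearray(packet)
    work[value_offset:value_offset + 16] = bytes(16)
    if packet[0] != ACCESS_REQUEST:
        work[4:20] = request_authenticator
    return bytes(work)


def sign_packet(code, ident, authenticator, attrs, secret, request_authenticator=None):
    """Build a packet whose last attribute is a valid Message-Authenticator."""
    pkt = build_packet(code, ident, authenticator, attrs + [(MSG_AUTH, bytes(16))])
    voff = len(pkt) - 16
    mac = hmac.new(secret, hmac_input(pkt, voff, request_authenticator), hashlib.md5).digest()
    return pkt[:voff] + mac


def check_packet(packet, secret, request_authenticator=None):
    """Return 'ok', 'missing' or 'invalid'. With Require-Message-Authenticator set
    to Yes, anything other than 'ok' is dropped instead of being processed."""
    found = [(o, v) for t, o, v in parse_attributes(packet) if t == MSG_AUTH]
    if not found:
        return "missing"
    voff, value = found[0]
    if len(value) != 16 or (packet[0] != ACCESS_REQUEST and request_authenticator is None):
        return "invalid"
    expected = hmac.new(secret, hmac_input(packet, voff, request_authenticator), hashlib.md5).digest()
    return "ok" if hmac.compare_digest(expected, value) else "invalid"


def demo():
    """Constructed sample: an Access-Accept for a WLAN client that assigns VLAN 20."""
    secret = b"constructed-shared-secret"           # placeholder, not a deployment value
    req_auth = bytes(range(16))                      # constructed Request Authenticator
    attrs = [(1, b"wlan-client"), (81, b"\x0020")]  # User-Name, Tunnel-Private-Group-Id
    # The Response Authenticator is not modelled here; req_auth stands in for it.
    signed = sign_packet(2, 7, req_auth, attrs, secret, req_auth)
    unsigned = build_packet(2, 7, req_auth, attrs)
    forged = bytearray(signed)
    forged[22] ^= 0x01                               # flip one byte of the User-Name
    return (check_packet(signed, secret, req_auth),
            check_packet(unsigned, secret, req_auth),
            check_packet(bytes(forged), secret, req_auth))
```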

LAN supplicant

Here you will find the settings for the 802.1X-Supplicant functionality to authenticate the device on the LAN side to an 802.1X secured switch infrastructure.

Path of console:
Setup → RADIUS

Parameters

Path

Description

Interface name

Setup → RADIUS → LAN supplicant

The name of the LAN interface. Currently, there is only the INTRANET interface, so it cannot be changed.

Method

Setup → RADIUS → LAN supplicant

The EAP method to use to log on to the 802.1X infrastructure.

User name

Setup → RADIUS → LAN supplicant

The user name to use to log on to the 802.1X infrastructure.

Password

Setup → RADIUS → LAN supplicant

The password to use to log on to the 802.1X infrastructure.

Recommendations:

  • Setup → RADIUS → LAN Supplicant → Method: PEAP/MSCHAPv2 (most secure authentication method for the LAN supplicant).
  • Setup → RADIUS → LAN Supplicant → Username: Unique 802.1X user name (for authentication on the switch).
  • Setup → RADIUS → LAN Supplicant → Password: Use a strong password or certificate (secures login to the switch).

WLAN supplicant

Here you will find the settings for the 802.1X-Supplicant functionality to authenticate the device on the WLAN side to an 802.1X secured infrastructure.

Path of console:
Setup → RADIUS

Parameters

Path

Description

Profile name

Setup → RADIUS → WLAN supplicant

Use a unique profile name that you specify later in the encryption profile.

Method

Setup → RADIUS → WLAN supplicant

Choose a method that suits your needs. When using TLS, a certificate must be uploaded.

User name

Setup → RADIUS → WLAN supplicant

Enter the RADIUS user name here. When using the "TLS" method, no entry is required here.

Password

Setup → RADIUS → WLAN supplicant

Enter the RADIUS password here. When using the "TLS" method, no entry is required here.

Certificate

Setup → RADIUS → WLAN supplicant

You can automatically accept the RADIUS server certificate or have the uploaded certificate checked. We always recommend uploading a certificate to verify the integrity of the RADIUS server.

Delete WLAN Supplicant Certificates

Setup → RADIUS → WLAN supplicant

This action deletes all existing certificates of the WLAN supplicants.

Recommendations:

  • Setup → RADIUS → WLAN Supplicant → Method: PEAP/MSCHAPv2 (most secure authentication method for the WLAN supplicant).
  • Setup → RADIUS → WLAN Supplicant → Certificate: Container (check uploaded certificate, ensures the integrity of the RADIUS server).

WLAN management

LCOS LX based access points can be managed by a LANCOM WLAN controller (WLC). As with LCOS-based access points, the CAPWAP protocol is used for this purpose.

Path of console:
Setup

Static WLC configuration

Configures custom WLAN controllers. This may be necessary if a WLC is not found via the local network (e.g. with routed connections) and also the DNS name "WLC-Address" cannot be used to tell the access point the address of the WLC.

Path of console:
Setup → WLAN Management

Parameters

Path

Description

IP address

Setup → WLAN Management → Static WLC Configuration

Enter the IP address or DNS name of a WLAN controller.

Port

Setup → WLAN Management → Static WLC Configuration

Configures the port under which an attempt is made to reach a WLC.

Operating

Setup → WLAN Management

Configures whether an access point actively searches for and can be managed by a WLC.

Update value before

Setup → WLAN Management

Configures how many days before the expiration date the device certificate is renewed with which the access point authenticates on the WLC.

CAPWAP port

Setup → WLAN Management

Configures the port under which an attempt is made to reach a WLC. The default value of 1027 is the default port of the CAPWAP protocol. LANCOM WLCs also use this port as standard.

Recommendation:

  • Setup → WLAN Management → Static WLC Configuration → IP Address: <IP address or DNS name of the WLC> (so that the AP finds the controller reliably, even with routed networks).
  • Setup → WLAN Management → Static WLC Configuration → Port: 1027 (standard CAPWAP port, suitable for LANCOM WLC).
  • Setup → WLAN Management → Operating: Yes (enables the AP to actively search for a WLC and be managed by it).
  • Setup → WLAN Management → Update-Cert-Before: 30 (days before expiration, ensures that certificates are renewed on time).
  • Setup → WLAN Management → Capwap Port: 5246 (standard port for CAPWAP communications, provides stable connection to WLC).

L2TP

LCOS LX supports layer 2 tunneling protocol (L2TP) version 3. In the case of L2TPv3, Ethernet traffic (layer 2) is transmitted in a tunnel via UDP. This allows LANs to be connected across network and site boundaries. In particular, it makes sense to couple WLAN traffic on the access point side into an L2TPv3 Ethernet tunnel and to decouple it again at a central concentrator. Without L2TPv3, this always required a WLAN controller that implemented it using CAPWAP layer 3 tunnels. This is now possible with L2TPv3 detached from WLAN controllers so that the WLAN traffic can be transmitted in tunnels and decoupled centrally.

Path of console:
Setup


Endpoints

This table describes the basic settings for configuring an L2TP tunnel.

Path of console:
Setup → L2TP

Parameters

Path

Description

Tunnel ID

Setup → L2TP → Endpoints

The name of the tunnel endpoint. If an authenticated L2TP tunnel is to be set up between two devices, tunnel ID and hostname must match crosswise: the tunnel ID configured on one device must equal the hostname configured on the other, and vice versa.

IP address

Setup → L2TP → Endpoints

The IP address of the tunnel endpoint. Instead of an IP address (IPv4 or IPv6), an FQDN can also be specified.

Port

Setup → L2TP → Endpoints

UDP port to be used.

Host name

Setup → L2TP → Endpoints

The user name for authentication. If an authenticated L2TP tunnel is to be set up between two devices, tunnel ID and hostname must match crosswise: the hostname configured on one device must equal the tunnel ID configured on the other, and vice versa.

Password

Setup → L2TP → Endpoints

The password for authentication. This is also used for concealment during tunnel negotiations, provided the function is activated.

Auth peer

Setup → L2TP → Endpoints

Specifies whether the remote station is to be authenticated.

Hide

Setup → L2TP → Endpoints

Specifies whether to obscure the tunnel negotiation using the given password.

Operating

Setup → L2TP → Endpoints

This L2TP endpoint is active or inactive.

Recommendation:

  • Setup → L2TP → Endpoints → IP address: IP address or FQDN of the tunnel endpoint.
  • Setup → L2TP → Endpoints → Port: 1701 (standard UDP port for L2TP).
  • Setup → L2TP → Endpoints → Hostname: User name for authentication; must match the tunnel ID of the remote side crosswise.
  • Setup → L2TP → Endpoints → Password: password for authentication / optional for concealment.
  • Setup → L2TP → Endpoints → Auth Peer: Yes (peer must be authenticated).
  • Setup → L2TP → Endpoints → Hide: Yes (conceal tunnel negotiation).
  • Setup → L2TP → Endpoints → Operating: Yes (activate endpoint).

Ethernet

In this table, you link L2TPv3 endpoints to a WLAN network.

Path of console:
Setup → L2TP

Parameters

Path

Description

L2TP endpoint

Setup → L2TP → Ethernet

Configure here the name of the L2TP endpoint (2.61.1.1 tunnel ID) configured in the L2TP endpoint table. An Ethernet tunnel session is then set up via this endpoint. If connections are only to be accepted and not set up by this device, the field can be left blank so that any incoming session is accepted.
Of course, these must nevertheless "run" via an accepted/constructed endpoint from the L2TP endpoint table. This can be useful in scenarios where not every endpoint on the receiving end is to be configured separately.

Remote end

Setup → L2TP → Ethernet

Configure here the name by which the Ethernet tunnel on the opposite side is to be assigned. For each Ethernet tunnel, this name must therefore be the same on the setup and reception side.

Interface name

Setup → L2TP → Ethernet

The virtual L2TP Ethernet interface to be used for the L2TPv3 session.

MTU

Setup → L2TP → Ethernet

This setting adjusts the MTU of an L2TP Ethernet tunnel to the specified value, e.g. when connecting the tunnel across networks with a smaller MTU.

Recommendation:

  • Setup → L2TP → Ethernet → L2TP endpoint: <tunnel ID from endpoints table>
  • Setup → L2TP → Ethernet → Remote-End: <mutual endpoint name; must be identical on both sides>
  • Setup → L2TP → Ethernet → MTU: 1500 (adapted, e.g. for smaller network MTU)

IP configuration

This menu configures the parameters for the IP configuration of the device.

Path of console:
Setup

Parameters

Path

Description

Static parameters

Setup → IP configuration

Settings related to IP and network configuration that come into effect when you want to use static IP addresses.

Interface name

Setup → IP Configuration → Static Parameters

Enter the name of the interface to which the other settings made here should refer.

IPv4 gateway

Setup → IP Configuration → Static Parameters

Configure the IPv4 gateway for the referenced interface here.

IPv6 gateway

Setup → IP Configuration → Static Parameters

Configure the IPv6 gateway for the referenced interface here.

Primary IPv4 DNS

Setup → IP Configuration → Static Parameters

Configure the primary IPv4 DNS server for the referenced interface here.

Secondary IPv4 DNS

Setup → IP Configuration → Static Parameters

Configure the secondary IPv4 DNS server for the referenced interface here.

Primary IPv6 DNS

Setup → IP Configuration → Static Parameters

Configure the primary IPv6 DNS server for the referenced interface here.

Secondary IPv6 DNS

Setup → IP Configuration → Static Parameters

Configure the secondary IPv6 DNS server for the referenced interface here.

Recommendations:

  • Setup → IP Configuration → Static Parameters → IPv4 gateway: <use internal, trusted IPv4 address of the gateway>
  • Setup → IP Configuration → Static Parameters → IPv6 Gateway: <Use internal, trusted IPv6 address of the gateway>
  • Setup → IP Configuration → Static Parameters → Primary IPv4 DNS: <use the internal IPv4 address of the DNS server>
  • Setup → IP Configuration → Static Parameters → Secondary IPv4 DNS: <Use the internal IPv4 address of the secondary DNS server for redundancy>
  • Setup → IP Configuration → Static Parameters → Primary IPv6 DNS: <use the internal IPv6 address of the DNS server>
  • Setup → IP Configuration → Static Parameters → Secondary IPv6 DNS: <Use the internal IPv6 address of the secondary DNS server for redundancy>

LAN interfaces

Define basic configuration options for the device's own IP settings and network access.

Path of console:
Setup → IP configuration

Parameters

Path

Description

Interface name

Setup → IP Configuration → LAN Interfaces

Enter a name for the interface. This name is used to reference the interface configuration in further parts of the configuration.

VLAN ID

Setup → IP Configuration → LAN Interfaces

Set here a VLAN ID for which the interface should be active and accessible.

IPv4 address source

Setup → IP Configuration → LAN Interfaces

Select here where the IPv4 address of the interface is to be obtained from.

IPv6 address source

Setup → IP Configuration → LAN Interfaces

Select here where the IPv6 address of the interface is to be obtained from.

Static IPv4 address

Setup → IP Configuration → LAN Interfaces

Configure here the IP address which is used if the IPv4 address source is set to static. Add the subnet mask in CIDR notation (e.g. "/24").

Static IPv6 address

Setup → IP Configuration → LAN Interfaces

Configure here the IP address which is used if the IPv6 address source is set to static. Add the prefix length in CIDR notation (e.g. "/64").

Recommendations:

  • Setup → IP Configuration → LAN Interfaces → VLAN ID: Separate management or client VLAN, e.g. 10 for management, 20 for WLAN
  • Setup → IP configuration → LAN interfaces → IPv4 address source: static (only if fixed IPs are required; otherwise DHCP)
  • Setup → IP configuration → LAN interfaces → IPv6 address source: static (or router advertisement if network dynamically distributes IPv6)
  • Setup → IP Configuration → LAN Interfaces → Static IPv4 address: <static IPv4 address in CIDR notation, e.g. 192.168.10.5/24>
  • Setup → IP Configuration → LAN Interfaces → Static IPv6 address: <static IPv6 address in CIDR notation, e.g. fd00:10::5/64>

LMC

Settings for configuring and monitoring your device by the LANCOM Management Cloud (LMC).

Path of console:
Setup

Parameters

Path

Description

Operating

Setup → LMC

Determine whether the device is to be managed via the LMC.

Proxy

Setup → LMC

If the connection from the device to the LMC is to be established via an HTTP proxy server, this can be configured here. As soon as a proxy URL is entered, the LMC connection is always established via the proxy server.
If the switch (2.102.2.4 tunnel) is also activated, a transparent tunnel is used via the proxy server using the HTTP CONNECT method. The proxy server must support this. If the switch is not activated, individual HTTP requests are forwarded via the proxy.

URL

Setup → LMC → Proxy

If the connection from the device to the LMC is to be established via an HTTP proxy server, this can be configured here. As soon as a proxy URL is entered, the LMC connection is always established via the proxy server.

User name

Setup → LMC → Proxy

User name for use with an HTTP proxy server.

Password

Setup → LMC → Proxy

Password for the user to use with an HTTP proxy server.

Tunnel

Setup → LMC → Proxy

If a proxy URL is specified and this switch is activated, a transparent tunnel is used via the proxy server using the HTTP CONNECT method. The proxy server must support this. If the switch is not activated, individual HTTP requests are forwarded via the proxy.

Delete certificate

Setup → LMC

This action deletes the LMC certificate.

Recommendations:

  • Setup → LMC → Operating: No (Only activate if device management via LMC is required).
  • Setup → LMC → Proxy → URL: Enter only if a proxy is needed, e.g. https://proxy.example.local:8080.
  • Setup → LMC → Proxy → Username: Username for proxy access if required.
  • Setup → LMC → Proxy → Password: Secure password for proxy, if required.
  • Setup → LMC → Proxy → Tunnel: Yes (use HTTP CONNECT tunnel if the proxy supports it, for a secure connection)
  • Setup → LMC → Delete-Certificate: Use only when changing or clearing certificates.

Automatic firmware update

The LANCOM Auto updater allows automatic updating of LANCOM devices in the field without any further user intervention (unattended). On request, LANCOM devices can search for new software updates, download them and load them without user interaction. You can choose whether you want to automatically install security updates, release updates or all updates.
If automatic updates are not to be performed, the feature can also be used to check for new updates. The LANCOM Auto updater contacts the LANCOM update server for update checking and firmware download. Contact is made via HTTPS.
When contacting, the server is validated using the TLS certificates already stored in the LANCOM device. In addition, firmware files for current LANCOM devices are signed. The LANCOM Auto Updater validates this signature before loading firmware.

Path of console:
Setup

Parameters

Path

Description

auto mode

Setup → Automatic Firmware Update

Set the operating mode of the LANCOM auto updater here.

check-firmware-now

Setup → Automatic Firmware Update

This command causes the device to check whether a newer firmware is present on the LANCOM update server.

update-firmware-now

Setup → Automatic Firmware Update

This command causes the device to download and install the latest firmware from the LANCOM update server.

Cancel current action

Setup → Automatic Firmware Update

This command causes the device to cancel the currently running action of the auto updater. This applies both to actions that were started manually and to scheduled actions.

Reset updater config

Setup → Automatic Firmware Update

This command resets the boot-persistent configuration files related to the Auto Updater. This includes the local blacklist containing firmware versions with which an automatic update has failed.

Base URL

Setup → Automatic Firmware Update

Specifies the URL of the server that provides the current firmware versions.

Check interval

Setup → Automatic Firmware Update

On first start, the Auto updater picks a random time of day (or of the week) at which the check is performed. The actual update is then performed in the next window between 2:00 a.m. and 4:00 a.m. (default).

Version policy

Setup → Automatic Firmware Update

Set the version policy of the LANCOM Auto updater here. It controls which firmware versions are offered to a device for update.

Recommendations:

  • Setup → Automatic Firmware Update → Mode: Check (always use current firmware version)
  • Setup → Automatic Firmware Update → Cancel-Current-Action: If necessary, cancel ongoing actions.
  • Setup → Automatic Firmware Update → Check Interval: Daily (shortest time interval)
  • Setup → Automatic Firmware Update → Version Policy: security-updates-only (only security-relevant updates)
  • Setup → Automatic Firmware Update → Reset-Updater-Config: Use only if there are errors or configuration errors.