LANCOM 1811n Wireless – LANCOM 1821n Wireless
Chapter 8: Security settings
8.1.2 802.1x / EAP
The international industry standard IEEE 802.1x and the Extensible Authentication
Protocol (EAP) enable access points to carry out reliable and secure
access checks. The access data can be managed centrally on a RADIUS server
(integrated RADIUS/EAP server in the LANCOM Wireless Router or external
RADIUS/EAP server) and accessed by the access point when required. The
dynamically generated and cryptographically secure key material for 802.11i
(WPA1/2) replaces the manual key management.
IEEE 802.1x support has been fully integrated in Windows since Windows
XP. Client software exists for other operating systems. The drivers for the
LANCOM AirLancer wireless cards feature an integrated 802.1x client.
8.1.3 LANCOM Enhanced Passphrase Security
With LEPS (LANCOM Enhanced Passphrase Security), LANCOM Systems has
developed an efficient method that makes use of the simple configuration of
IEEE 802.11i with passphrase, but that avoids the potential error sources in
passphrase distribution. LEPS uses an additional column in the ACL to assign
an individual passphrase consisting of any 4 to 64 ASCII characters to each
MAC address. The connection to the access point and the subsequent encryption
with IEEE 802.11i or WPA is only possible with the right combination of
passphrase and MAC address.
LEPS can be used locally in the device and can also be centrally managed with
the help of a RADIUS server, and it works with all WLAN client adapters
currently available on the market without modification. Full compatibility with
third-party products is assured as LEPS only involves configuration in the
access point.
An additional security aspect: LEPS can also be used to secure single
point-to-point (P2P) connections with an individual passphrase. Even if an access
point in a P2P installation is stolen and the passphrase and MAC address
become known, all other WLAN connections secured by LEPS remain protected,
particularly when the ACL is stored on a RADIUS server.
Guest access with LEPS: LEPS can also be set up to allow access to
guests. To this end, all users of the internal WLAN network are given
individual passphrases. Guests can make use of their own dedicated
SSID and a global passphrase. To avoid abuse, this global passphrase
can be changed on a regular basis, every few days, for example.
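The following added example (not LANCOM's code) models the LEPS lookup described in section 8.1.3: an ACL with a per-MAC passphrase column, a guest SSID with a rotating global passphrase, and revocation of a single entry. All names, SSIDs, MAC addresses and passphrases are constructed, and the key derivation is the standard IEEE 802.11i passphrase mapping, assumed here because the manual does not describe the device's internals.

```python
import hashlib
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

def norm_mac(mac):
    """Normalise a MAC address to lower-case, colon-separated form."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"bad MAC address: {mac!r}")
    return m

def check_passphrase(p):
    """Enforce the LEPS rule from the text: 4 to 64 ASCII characters."""
    if not (4 <= len(p) <= 64) or not p.isascii():
        raise ValueError("passphrase must be 4 to 64 ASCII characters")
    return p

def derive_pmk(passphrase, ssid):
    """Assumed 802.11i mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(), 4096, 32)

class LepsAcl:
    def __init__(self, internal_ssid, guest_ssid, guest_passphrase):
        self.internal_ssid, self.guest_ssid = internal_ssid, guest_ssid
        self.guest_passphrase = check_passphrase(guest_passphrase)
        self.entries = {}  # MAC -> individual passphrase (the extra ACL column)

    def add(self, mac, passphrase):
        self.entries[norm_mac(mac)] = check_passphrase(passphrase)
    def revoke(self, mac):
        self.entries.pop(norm_mac(mac), None)

    def rotate_guest(self, new_passphrase):
        self.guest_passphrase = check_passphrase(new_passphrase)

    def pmk_for(self, ssid, mac):
        """Return the key the AP would expect from this station, or None to refuse."""
        if ssid == self.guest_ssid:
            return derive_pmk(self.guest_passphrase, ssid)
        phrase = self.entries.get(norm_mac(mac))
        if ssid != self.internal_ssid or phrase is None:
            return None
        return derive_pmk(phrase, ssid)

# Constructed sample data, not taken from the manual.
acl = LepsAcl("corp-wlan", "corp-guest", "guest-week-14")
acl.add("00:A0:57:11:22:33", "laptop-alice-7Qx")
acl.add("00-a0-57-44-55-66", "scanner-dock-9Lm")
```

Because a MAC address is not secret, the per-entry passphrase is what limits exposure: revoking one entry invalidates only that station's key, while every other entry and the guest key are unaffected.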