
LANCOM OAP-54-1 Wireless – LANCOM OAC-54-1 Wireless

Chapter 4: Security settings

4.1.2 Access control via MAC address

Each network device has a special identification number. This identification number is the so-called MAC address (Media Access Control), which is unique worldwide per device.

The MAC address is programmed into the hardware and cannot be changed. Wireless LAN devices by LANCOM Systems have a MAC address label on the casing.

Access to an infrastructure network can be restricted to certain wireless LAN devices with known MAC addresses. For this purpose, the LANCOM base stations provide access control lists (ACLs) in which the permitted MAC addresses can be stored.

4.1.3 LANCOM Enhanced Passphrase Security

With LEPS (LANCOM Enhanced Passphrase Security), LANCOM Systems has developed an efficient method that uses the simple configuration of IEEE 802.11i with passphrase, yet avoids the potential error sources of passphrase sharing. LEPS uses an additional column in the ACL to assign an individual passphrase consisting of any 4 to 64 ASCII characters to each MAC address. The connection to the access point and the subsequent encryption with IEEE 802.11i or WPA is only possible with the right combination of passphrase and MAC address.

LEPS can be used locally in the device and can also be centrally managed with the help of a RADIUS server, and it works with all WLAN client adapters currently available on the market without modification. Full compatibility with third-party products is assured as LEPS only involves configuration in the access point.

An additional security aspect: LEPS can also be used to secure single point-to-point connections (P2P) with an individual passphrase. Even if an access point in a P2P installation is stolen and the passphrase and MAC address become known, all other WLAN connections secured by LEPS remain protected, particularly when the ACL is stored on a RADIUS server.

Guest access with LEPS: LEPS can also be set up to allow access to guests. To this end, all users of the internal WLAN network are given individual passphrases. Guests can make use of their own dedicated SSID and a global passphrase. To avoid abuse, this global passphrase can be changed on a regular basis, every few days, for example.
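The "right combination of passphrase and MAC address" rule from section 4.1.3, sketched as an added example (not LANCOM's code and not part of the manual). It assumes the access point selects the passphrase by the client's MAC address and derives the key with the standard WPA/IEEE 802.11i passphrase mapping; the `LepsAcl` class, the SSID, the addresses and the passphrases are constructed for illustration. The audit flags entries that would undo the isolation described for a stolen P2P station.

```python
import hashlib
import hmac
import re
from collections import Counter

def normalize_mac(mac):
    """Lower-case, colon-separated form so lookups do not depend on notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def valid_passphrase(p):
    """Manual's rule: any 4 to 64 ASCII characters (printable range assumed)."""
    return 4 <= len(p) <= 64 and all(32 <= ord(c) <= 126 for c in p)

def derive_pmk(passphrase, ssid):
    """WPA/802.11i passphrase mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

class LepsAcl:
    """Hypothetical model of an ACL with one passphrase column per MAC address."""
    def __init__(self, ssid, entries):
        self.ssid = ssid
        self.entries = {normalize_mac(m): p for m, p in entries.items()}

    def audit(self):
        """Findings that weaken the per-station isolation LEPS is meant to give."""
        findings = []
        counts = Counter(self.entries.values())
        for mac, p in sorted(self.entries.items()):
            if not valid_passphrase(p):
                findings.append((mac, "passphrase outside 4-64 ASCII characters"))
            if counts[p] > 1:
                findings.append((mac, "passphrase shared with another station"))
        return findings

    def admits(self, mac, passphrase):
        """True only for the right combination of MAC address and passphrase."""
        expected = self.entries.get(normalize_mac(mac))
        if expected is None or not valid_passphrase(expected) \
                or not valid_passphrase(passphrase):
            return False  # unknown station, or an entry/passphrase that breaks the rule
        return hmac.compare_digest(derive_pmk(expected, self.ssid),
                                   derive_pmk(passphrase, self.ssid))

# Constructed sample data: SSID, MAC addresses and passphrases are made up.
ACL = LepsAcl("CORP-WLAN", {
    "02:00:00:00:00:01": "k7#Vq2m!xPz9rT4w",
    "02-00-00-00-00-02": "Jb8$eLw3nQy6uC1s",
    "020000000003":      "k7#Vq2m!xPz9rT4w",  # reused: one leak exposes two stations
    "02:00:00:00:00:04": "abc",               # shorter than 4 characters
})

if __name__ == "__main__":
    for mac, problem in ACL.audit():
        print(mac, problem)
    print(ACL.admits("02:00:00:00:00:02", "k7#Vq2m!xPz9rT4w"))
```
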
