LANCOM 3850 UMTS
Chapter 7: Security settings
63
EN
7.1.2
Access control via MAC address
Each network device has an special identification number. This identification
number is the so-called MAC address (
M
edia
A
ccess
C
ontrol), which is world-
wide unique per device.
The MAC address is programmed into the hardware and cannot be changed.
Wireless LAN devices by LANCOM Systems have got a MAC address label on
the casing.
The access to an infrastructure network can be restricted to known MAC
addresses for certain Wireless LAN devices solely. To do so, Access Control lists
are available within the LANCOM base stations, in which the granted MAC
addresses can be deposited.
This method of access control is not available for ad-hoc networks.
7.1.3
LANCOM Enhanced Passphrase Security
With LEPS (
L
ANCOM
E
nhanced
P
assphrase
S
ecurity) LANCOM Systems has
developed an efficient method which uses the simple configuration of IEEE
802.11i with passphrase and yet which avoids the potential error sources of
passphrase sharing. LEPS uses an additional column in the ACL to assign an
individual passphrase consisting of any 4 to 64 ASCII characters to each MAC
address. The connection to the access point and the subsequent encryption
with IEEE 802.11i or WPA is only possible with the right combination of pass-
phrase and MAC address.
LEPS can be used locally in the device and can also be centrally managed with
the help of a RADIUS server, and it works with all WLAN client adapters cur-
rently available on the market without modification. Full compatibility to
third-party products is assured as LEPS only involves configuration in the
access point.
An additional security aspect: LEPS can also be used to secure single point-
to-point connections (P2P) with an individual passphrase. Even if an access
point in a P2P installation is stolen and the passphrase and MAC address
become known, all other WLAN connections secured by LEPS remain protec-
ted, particularly when the ACL is stored on a RADIUS server.
Guest access with LEPS:
LEPS can also be set up to allow access to
guests. To this end, all users of the internal WLAN network are given
individual passphrases. Guests can make use of their own dedicated
SSID and a global passphrase. To avoid abuse, this global passphrase
can be changed on a regular basis—every few days, for example.