LANCOM Enhanced Passphrase Security (LEPS) allows a set of passphrases to be configured and assigned to individual users, groups or MAC addresses. This avoids having one global passphrase for an SSID. Instead, there are several passphrases, which can then be distributed individually.
This is useful for onboarding devices into the network. For example, a network operator "onboarding" multiple WLAN devices into different areas of the network does not want to configure each specific device; instead this should done by the users of the devices themselves. In this case, users are given a preshared key for the company WLAN for use with their own devices. LEPS is configured entirely on the infrastructure side, which assures full compatibility to third-party products.
The security issue presented by global passphrases is fundamentally remedied by LEPS. Each user is assigned their own individual passphrase. If a passphrase assigned to a user should "get lost" or an employee with knowledge of their passphrase leaves the company, then only the passphrase of that user needs to be changed or deleted. All other passphrases remain valid and confidential.
Along with passphrases for users, individual passphrases consisting of any sequence of 8 to 63 ASCII characters can also be assigned to MAC addresses. Authentication at the access point is only possible with the correct combination of passphrase and MAC address.
This combination makes the spoofing of the MAC addresses futile—and LEPS thus shuts out a potential attack on the ACL. If WPA2 is used for encryption, the MAC address can indeed be intercepted—but this method never transmits the passphrase over wireless. This greatly increases the difficulty of attacking the WLAN, because knowledge of both the MAC address and the passphrase is required before encryption can be negotiated.
Compared to LEPS for users, the administrative overhead is slightly higher because the MAC address has to be entered for each device.
