LEPS remedies the security issues presented by global passphrases.

The modern encryption methods WPA and IEEE 802.11i protect data traffic in the WLAN against eavesdropping far better than the older WEP. A passphrase used as a central key is very easy to handle; a RADIUS server, as needed for 802.1x installations, is not required.

However, the use of WPA and IEEE 802.11i still has some weak spots:

In practice this means: if the passphrase "goes missing" or an employee who knows the passphrase leaves the company, the passphrase in the access point has to be changed in the interests of security, and in every WLAN client, too. As this is not always possible, an improvement is to have an individual passphrase for each user in the WLAN instead of a global passphrase for all WLAN clients. In the case mentioned above, an employee leaving the company merely requires his "personal" passphrase to be deleted; all others remain valid and confidential.

With LEPS (LANCOM Enhanced Passphrase Security), LANCOM Systems has developed an efficient method that makes use of the simple configuration of IEEE 802.11i with passphrase, but that avoids the potential security loopholes that come with global passphrases.

LEPS uses an additional column in the ACL (access-control list) to assign an individual passphrase consisting of any 8 to 63 ASCII characters to each MAC address. The connection to the access point and the subsequent encryption with IEEE 802.11i or WPA is only possible with the right combination of passphrase and MAC address.

This combination makes spoofing of MAC addresses futile, and LEPS thus shuts out a potential attack on the ACL. If WPA or IEEE 802.11i is used for encryption, the MAC address can indeed be intercepted, but this method never transmits the passphrase over the wireless link. This greatly increases the difficulty of attacking the WLAN, as both the MAC address and the passphrase must be known before encryption can be negotiated.
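The following Python sketch is an added example, not LANCOM code. It models an ACL with a per-MAC passphrase column, using the standard WPA/WPA2-PSK key derivation (PBKDF2-HMAC-SHA1 over passphrase and SSID) and a simplified HMAC proof as a stand-in for the handshake MIC. The class `LepsAcl`, the SSID, MAC addresses and passphrases are hypothetical values constructed for the example.

```python
import hashlib, hmac, secrets

def pmk(passphrase: str, ssid: str) -> bytes:
    """Standard WPA/WPA2-PSK key derivation: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63 or any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(), 4096, 32)

def proof(key: bytes, nonce: bytes) -> bytes:
    """Simplified stand-in for the handshake MIC: proves key possession only."""
    return hmac.new(key, nonce, hashlib.sha1).digest()

class LepsAcl:
    """Hypothetical ACL holding one passphrase-derived key per MAC address."""
    def __init__(self, ssid: str):
        self.ssid, self.keys = ssid, {}

    def add(self, mac: str, passphrase: str) -> None:
        self.keys[mac.lower()] = pmk(passphrase, self.ssid)

    def remove(self, mac: str) -> None:
        self.keys.pop(mac.lower(), None)

    def admits(self, mac: str, nonce: bytes, client_proof: bytes) -> bool:
        key = self.keys.get(mac.lower())  # key is selected by the claimed MAC
        return key is not None and hmac.compare_digest(proof(key, nonce), client_proof)

def demo() -> dict:
    ssid = "EXAMPLE-WLAN"                                # constructed sample values
    alice, bob = "02:00:00:00:00:01", "02:00:00:00:00:02"
    acl = LepsAcl(ssid)
    acl.add(alice, "alice-personal-passphrase")
    acl.add(bob, "bob-personal-passphrase")
    nonce = secrets.token_bytes(32)                      # the passphrase itself is never sent
    alice_proof = proof(pmk("alice-personal-passphrase", ssid), nonce)
    bob_proof = proof(pmk("bob-personal-passphrase", ssid), nonce)
    out = {
        "alice_ok": acl.admits(alice, nonce, alice_proof),
        # A different passphrase presented under Alice's claimed MAC does not match.
        "spoofed_mac": acl.admits(alice, nonce, bob_proof),
    }
    acl.remove(bob)                                      # Bob leaves the company
    out["bob_after_removal"] = acl.admits(bob, nonce, bob_proof)
    out["alice_after_removal"] = acl.admits(alice, nonce, alice_proof)
    return out

if __name__ == "__main__":
    print(demo())
```

Deleting one entry invalidates only that client's key, so no other client needs a new passphrase.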

LEPS can be used both locally in the device and centrally, managed with a RADIUS server. LEPS works with all WLAN client adapters available on the market without any modification. Full compatibility with third-party products is assured, as LEPS only involves configuration in the access point.

Note: As an additional security aspect, LEPS can also be used to secure single point-to-point (P2P) connections with an individual passphrase. Even if an access point in a P2P installation is stolen and the passphrase and MAC address become known, all other WLAN connections secured by LEPS remain secure, particularly when the ACL is stored on a RADIUS server.