  1. #1
    Nokia Developer Expert
    Join Date
    Dec 2006
    Location
    Mountain View, CA
    Posts
    197

    N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    I have been trying to get the N95 to connect to my corporate wireless network. I think that everything is configured properly. However, each time I go to web browsing, I get "wlan: eap-peap authentication failed"

    We did a trace on the network side to see successful authentication when WPA/WPA2 is selected. When we select 802.1X, however, the phone showed only authentication failed.

    The configuration is EAP-PEAP/MSCHAPv2, I have the username entered and prompt password selected - I have not seen the password prompt appear.

    WLAN Security Settings:
    • WPA/WPA2 - EAP


    EAP Plugin Settings

    EAP-PEAP
    • Personal Certificate - not defined
    • Authority Certificate - not defined
    • User Name - user defined
    • Realm In Use - user defined

    Realm
    • Allow PEAPv0 - Yes
    • Allow PEAPv1 - Yes
    • Allow PEAPv2 - No

    EAP-MSCHAPv2
    • User Name - ****
    • Prompt Password - Yes
    • Password - ****

  2. #2
    Nokia Developer Expert
    Join Date
    Dec 2006
    Location
    Mountain View, CA
    Posts
    197

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    The problem is the missing "Authority Certificate – not defined". PEAP always needs a certificate to authenticate the server, and the corresponding keys must also be present in the server. Our UI configuration tool should show a configuration warning, which it does not do today - will be fixed in the future.

  3. #3
    Nokia Developer Expert
    Join Date
    Dec 2006
    Location
    Mountain View, CA
    Posts
    197

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    Is there a way to disable server cert validation for eap-peap wlan authentication?

  4. #4
    Nokia Developer Expert
    Join Date
    Dec 2006
    Location
    Mountain View, CA
    Posts
    197

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    There is no configuration to disable server certificate validation.

    Anyway, why would you want to use this kind of setup? This makes the scheme insecure since there is no authentication in the PEAP tunnel establishment. Then, if you run e.g. EAP-MSCHAPv2, which is vulnerable to dictionary attacks if run alone, inside that unauthenticated tunnel you may accidentally reveal your EAP-MSCHAPv2 messages to some other party than the one you originally wanted to authenticate with (i.e. you don't know to whom you are talking). You can use some other authentication method if you don't need a protected PEAP tunnel.

    Certificates can be installed via Device Management (DM).
    Also, an end-user can e.g. put a certificate to his memory card in correct format using PC suite. Opening the cert from the phone's UI will import it to the right place. If you are importing a CA cert it should be a self-signed root certificate. Sub-CA certs for which the full cert chain is not in the phone may not work (i.e. the validation fails).

    S60 supports importing the following cert formats:
    CA: DER (filename extension: .der)
    User: PKCS#12 (filename extension: .pfx)
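
The import constraints from the post above (CA certificate in DER, self-signed root rather than a sub-CA) can be checked on a PC before the file is copied to the phone. This is an added example, not part of the original thread or any Nokia tool; the function names are hypothetical, the sample certificates are constructed skeletons, and the check compares issuer and subject only without verifying the signature.

```python
import base64

def read_tlv(buf, pos):                     # -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def issuer_and_subject(der):                # raw encoded issuer and subject Names
    tag, start, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    tbs_tag, pos, tbs_end = read_tlv(der, start)   # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not an X.509 certificate")
    fields = []
    while pos < tbs_end:
        _, _, end = read_tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    skip = 1 if fields and fields[0][0] == 0xA0 else 0   # optional explicit [0] version
    return fields[skip + 2], fields[skip + 4]   # serial, sigalg, ISSUER, validity, SUBJECT

def check_ca_for_import(data):              # reasons the file fails the rules in the post
    problems = []
    try:
        if data.lstrip().startswith(b"-----BEGIN"):
            problems.append("PEM encoded; convert to DER (.der)")
            data = base64.b64decode(data.split(b"-----")[2])
        issuer, subject = issuer_and_subject(data)
    except (ValueError, IndexError):
        return problems + ["not a parseable X.509 certificate"]
    if issuer != subject:                   # self-issued check only; signature not verified
        problems.append("issuer differs from subject; not a root CA")
    return problems

# Constructed sample data: skeleton certificates with empty placeholders, not real ones.
def tlv(tag, value):
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + value

def make_sample(issuer_cn, subject_cn):
    def name(cn):                           # Name holding one commonName (OID 2.5.4.3)
        return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    empty = tlv(0x30, b"")                  # stands in for algorithm, validity, key
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + empty
              + name(issuer_cn) + empty + name(subject_cn) + empty)
    return tlv(0x30, tbs + empty + tlv(0x03, b"\x00"))
```

An empty list from `check_ca_for_import` means the file has the shape the post asks for; a sub-CA certificate is reported because its issuer differs from its subject.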

  5. #5
    Registered User
    Join Date
    Apr 2008
    Posts
    1

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    "The problem is the missing "Authority Certificate – not defined". PEAP needs always a certificate to authenticate the server and the corresponding keys must be also present in the server."

    If this is the case, how come on a Vista OS you can uncheck the 'Validate server certificate' for a PEAP setup and it works just fine? I have exactly the same setup as the early poster describes (with the exception of username and realms, obviously) and I cannot help but wonder if this isn't an oversight by Nokia. This should be possible and I believe this is a defect in the Nokia OS. I can connect at home using WEP to a wireless LAN; it is just this particular corporate WLAN setup that does not work with the settings described. Please advise us of why this is the case, as I don't believe that the problem is the missing "Authority Certificate – not defined" for the reasons described above. If Vista can do this without a certificate then so should the Nokia N95.

  6. #6
    Nokia Developer Expert
    Join Date
    Dec 2006
    Location
    Mountain View, CA
    Posts
    197

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    Thanks for your feedback. Indeed, Vista seems then to support PEAP setup without server certificates.

    If you use PEAP without server certificates, then one could be concerned that this setup allows remote wireless access points to steal hashed passwords and conduct man-in-the-middle attacks.

    I would use open network with Nokia devices if you are not too concerned with WLAN security.

  7. #7
    Registered User
    Join Date
    Jun 2011
    Posts
    2

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    Hi

    I also have this problem, my university uses EAP-PEAP/MSCHAPv2 with no authentication certificate. Is there still no solution for this? Surely there has to be some third party app that can avoid this or something!!

  8. #8
    Registered User
    Join Date
    Nov 2009
    Posts
    1

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    I had this problem at work. Nokia doesn't download a self-signed certificate automatically as does iphone/windows/etc...
    1) log in a windows machine (using same username/password/domain ) combination as in the PEAP.
    2) Start-> Run-> certmgr.msc
    3) Under "Intermediate Certificates"->Certificates
    4) look for your company certificate, dbl click it, click details, Copy to File, Next (DER), save file
    4) copy it to your nokia
    5) Using File-Mgr within nokia click on the file from (4)
    6) approve it to All (VPN, Internet...)
    7) define the CA from 6 in the Access point PEAP settings instead of none.
    8) you should be able to connect now

  9. #9
    Registered User
    Join Date
    Jun 2008
    Posts
    1

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    Okay guyz, after some disappointment and a lot of trial and error, I've finally found a way to connect without a certificate using EAP-PEAP/MSCHAPv2

    In EAP-PEAP edit mode, go to Authority certificate and select
    "Entrust.net Secure Ser..."

    Note: You might find multiple entries for "Entrust.net Secure Se..." - I just selected the first one, and IT WORKED.

    When I tried to connect, I was prompted for a password and upon entering the correct password, lo and behold, I was connected!

    Phew... such a relief. Wish Nokia would have informed us about this upfront.

    All the best, and happy browsing.

  10. #10
    Registered User
    Join Date
    Jul 2008
    Posts
    1

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    Hi,

    I found a great presentation: http://www.willhackforsushi.com/pres...ntoniewicz.pdf
    It says "Compares CN of certificate to trusted RADIUS Hostname" and "Validation of RADIUS server based on certificate validation – Trusted issuing authority, matching CN"
    In Windows you can use the "Connect to these servers" field in the "Validate server certificate" section.
    My question is: where can I enter the hostname of the RADIUS server on a Nokia E51 or other phone? If this cannot be done in the phone settings, how (where) can we specify the hostname of the RADIUS server?
    How does the client know where the RADIUS server is? Does it use the IP address from the access point configuration? If this is the case, then we need to use an FQDN instead of an IP address in the AP configuration, or use SANs (subject alternative names) in the RADIUS server certificate and include the RADIUS server's IP address as a SAN entry (I was able to create such a certificate using openssl, but not with Microsoft Windows CA). Please comment on my thoughts.

    Mazhas

  11. #11
    Registered User
    Join Date
    Aug 2008
    Posts
    1

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    I had the same problem until I determined the CA authority. In our case, it was Equifax. I actually just followed the instructions at http://www.it.ubc.ca/internet/wirele...pasymbian.html, except for changing the CA to Equifax. I got the CA name from my network administrator.

    Tog

  12. #12
    Registered User
    Join Date
    Jan 2009
    Posts
    1

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    Quote Originally Posted by togtnc View Post
    I had the same problem until I determined the CA authority. In our case, it was Equifax. I actually just followed the instructions at http://www.it.ubc.ca/internet/wirele...pasymbian.html, except for changing the CA to Equifax. I got the CA name from my network administrator.

    Tog
    Thanks a lot for that link......I use S60 on my e51 and those settings worked perfectly for me.....

  13. #13
    Regular Contributor
    Join Date
    Jul 2008
    Posts
    416

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    Quote Originally Posted by nly View Post
    EAP-PEAP
    • Personal Certificate - not defined
    • Authority Certificate - not defined
    • User Name - user defined
    • Realm In Use -user defined

    Realm
    • Allow PEAPv0 - Yes
    • Allow PEAPv1 - Yes
    • Allow PEAPv2 - No

    EAP-MSCHAPv2
    • User Name - ****
    • Prompt Password - Yes
    • Password - ****
    I'm experiencing the same problem. Did you solve it? A previous post says that there must be set always an AC certificate. Is it correct?

  14. #14
    Registered User
    Join Date
    Dec 2010
    Posts
    1

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    Finally, I encounter the same problem, and it seems that there are still no solutions at all.
    Does anyone have an idea to solve this problem, except trying every installed CA in my phone?

  15. #15
    Regular Contributor
    Join Date
    Jan 2009
    Posts
    224

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    Hi

    We are also facing the same issue with Nokia E51, C7 and E75. We would like to use EAP-PEAP/MSCHAPv2 without a certificate to connect to the RADIUS server. Is there any way or workaround for this problem?

    Any help is really helpful.
    Thanks
    Kalgi Modi
