  1. #1
    Nokia Developer Expert
    Join Date
    Dec 2006
    Location
    Mountain View, CA
    Posts
    197

    N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    I have been trying to get the N95 to connect to my corporate wireless network. I think that everything is configured properly. However, each time I go to web browsing, I get "wlan: eap-peap authentication failed".

    We did a trace on the network side to see successful authentication when WPA/WPA2 is selected. When we select 802.1X, however, the phone showed only "authentication failed".

    The configuration is EAP-PEAP/MSCHAPv2, I have the username entered and prompt password selected - I have not seen the password prompt appear.

    WLAN Security Settings:
    • WPA/WPA2 - EAP


    EAP Plugin Settings

    EAP-PEAP
    • Personal Certificate - not defined
    • Authority Certificate - not defined
    • User Name - user defined
    • Realm In Use - user defined

    Realm
    • Allow PEAPv0 - Yes
    • Allow PEAPv1 - Yes
    • Allow PEAPv2 - No

    EAP-MSCHAPv2
    • User Name - ****
    • Prompt Password - Yes
    • Password - ****

  2. #2
    Nokia Developer Expert
    Join Date
    Dec 2006
    Location
    Mountain View, CA
    Posts
    197

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    The problem is the missing "Authority Certificate – not defined". PEAP always needs a certificate to authenticate the server, and the corresponding keys must also be present in the server. Our UI configuration tool should show a configuration warning, which it does not do today - will be fixed in the future.

  3. #3
    Nokia Developer Expert
    Join Date
    Dec 2006
    Location
    Mountain View, CA
    Posts
    197

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    Is there a way to disable server cert validation for eap-peap wlan authentication?

  4. #4
    Nokia Developer Expert
    Join Date
    Dec 2006
    Location
    Mountain View, CA
    Posts
    197

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    There is no configuration to disable server certificate validation.

    Anyway, why would you want to use this kind of setup? This makes the scheme insecure since there is no authentication in the PEAP tunnel establishment. Then, if you run e.g. EAP-MSCHAPv2, which is vulnerable to dictionary attacks if run alone, inside that unauthenticated tunnel you may accidentally reveal your EAP-MSCHAPv2 messages to some other party than the one you originally wanted to authenticate with (i.e. you don't know to whom you are talking). You can use some other authentication method if you don't need a protected PEAP tunnel.

    Certificates can be installed via Device Management (DM).
    Also, an end-user can e.g. put a certificate to his memory card in correct format using PC suite. Opening the cert from the phone's UI will import it to the right place. If you are importing a CA cert it should be a self-signed root certificate. Sub-CA certs for which the full cert chain is not in the phone may not work (i.e. the validation fails).

    S60 supports importing the following cert formats:
    CA: DER (filename extension: .der)
    User: PKCS#12 (filename extension: .pfx)
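
    Post #4 says a CA certificate imported into S60 should be a self-signed root in DER format. One way to check that with the openssl command-line tool before copying the file to the phone, as an added example that is not part of the original thread; the helper name and file names are hypothetical, and the input is assumed to be a PEM file.

```shell
#!/bin/sh
# Added example, not from the thread. s60_ca_to_der is a hypothetical helper.
# Usage: s60_ca_to_der <ca-cert.pem> <out.der>
# Assumes the input certificate is PEM encoded.
s60_ca_to_der() {
    src=$1
    dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }

    # A root certificate names itself as issuer, so both name hashes match.
    subj=$(openssl x509 -in "$src" -noout -subject_hash) || return 2
    iss=$(openssl x509 -in "$src" -noout -issuer_hash) || return 2
    if [ "$subj" != "$iss" ]; then
        echo "rejected: issuer differs from subject (sub-CA or server cert)" >&2
        return 1
    fi

    # Matching names are not enough: the signature must verify with the
    # certificate's own public key (this also fails for an expired cert).
    if ! openssl verify -CAfile "$src" "$src" 2>/dev/null | grep -q ': OK$'; then
        echo "rejected: self-signature does not verify" >&2
        return 1
    fi

    # Convert to the DER encoding that S60 imports for CA certificates.
    openssl x509 -in "$src" -outform DER -out "$dst" || return 2

    # Print the fingerprint so it can be compared with the value obtained
    # from the WLAN administrator over a separate channel.
    openssl x509 -in "$dst" -inform DER -noout -fingerprint -sha256
}
```

    A sub-CA or server certificate is rejected before any file is written, which matches the warning in the post that sub-CA certs without the full chain on the phone may fail validation.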

  5. #5
    Registered User
    Join Date
    Apr 2008
    Posts
    1

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    "The problem is the missing "Authority Certificate – not defined". PEAP needs always a certificate to authenticate the server and the corresponding keys must be also present in the server."

    If this is the case, how come on a Vista OS you can uncheck the 'Validate server certificate' for a PEAP setup and it works just fine? I have exactly the same setup as the early poster describes (with the exception of username and realms, obviously) and I cannot help but wonder if this isn't an oversight by Nokia. This should be possible and I believe this is a defect in the Nokia OS. I can connect at home using WEP to a wireless LAN; it is just this particular corporate WLAN setup that does not work with the settings described. Please advise us of why this is the case as I don't believe that the problem is the missing "Authority Certificate – not defined" for the reasons described above. If Vista can do this without a certificate then so should the Nokia N95.

  6. #6
    Nokia Developer Expert
    Join Date
    Dec 2006
    Location
    Mountain View, CA
    Posts
    197

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    Thanks for your feedback. Indeed, Vista seems then to support PEAP setup without server certificates.

    If you use PEAP without server certificates, then one could be concerned that this setup allows remote wireless access points to steal hashed passwords and conduct man-in-the-middle attacks.

    I would use an open network with Nokia devices if you are not too concerned with WLAN security.
    Last edited by nly; 2008-04-17 at 22:06.
    Forum Nokia Americas
    Forum Nokia provides a wealth of resources to mobile developers. To be informed about the latest on mobile tools, devices and technologies, register here: http://www.forum.nokia.com/main/registration/registration.html

  7. #7
    Registered User
    Join Date
    Apr 2008
    Posts
    2

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    I have an E90 and have the same problem. Nokia should solve this problem. It is not a security problem. It is Nokia's software problem.

    Vista and XP can uncheck the 'Validate Server Certificate' for a PEAP.

  8. #8
    Nokia Developer Expert
    Join Date
    Dec 2006
    Location
    Mountain View, CA
    Posts
    197

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    Here is some useful information from a US national Vulnerability web site about the risk when using PEAP without server certificates.

  9. #9
    Registered User
    Join Date
    Apr 2008
    Posts
    2

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    I work in a company employing more than 20,000 employees. Using PEAP without server certificates is the policy of my company. It cannot be changed just because Nokia does not support it. It can be unsafe, but Nokia should solve this problem just like HP, Vista or XP. For example software on HP iPAQ 214 can do this. Microsoft and HP can also manage. Because of this problem, most of my friends do not prefer Nokia.
    Thanks for the information you have supplied.

  10. #10
    Registered User
    Join Date
    Apr 2008
    Posts
    2

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    Could you check from your company's WLAN administrator if this really is the policy?

    The correct way would be that your admin provides you with a root certificate which you can install to your device and configure it for validating the server certificate(s) in PEAP. I would see a "not validating the server certificate" setup as a device misconfiguration unless your admin can come up with a good reason for this. See e.g. this web site for some instructions about the subject: http://articles.techrepublic.com.com...5-6148576.html

    Specifically in PEAP/EAP-MSCHAPv2, if you do not validate the server certificate you are basically giving away your MSCHAPv2 username/password pair, which an attacker setting up a rogue WLAN access point can possibly steal. After that, he can freely enter your corporate WLAN and masquerade as you.

    So, I would say it is very unsafe for your company and yourself as well to use the setup you have been using in your non-Nokia terminals.

    But please, check this from your WLAN admin just in case he/she has some point that I missed.

  11. #11
    Registered User
    Join Date
    Jun 2008
    Posts
    1

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    Hello, please stop fighting and tell me how I could connect to the WLAN. People in my comp. in support dept. said there is no cert required.
    Please tell me how I could connect.
    Please also tell me when I am supposed to supply the credentials (uName and pwd): upfront, or would the phone prompt for the same?

  12. #12
    Registered User
    Join Date
    Jun 2008
    Posts
    1

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    Okay guyz, after some disappointment and a lot of trial and error, I've finally found a way to connect without a certificate using EAP-PEAP/MSCHAPv2

    In EAP-PEAP edit mode, go to Authority certificate and select
    "Entrust.net Secure Ser..."

    Note: You might find multiple entries for "Entrust.net Secure Se..." - I just selected the first one, and IT WORKED.

    When I tried to connect, I was prompted for a password and upon entering the correct password, lo and behold, I was connected!

    Phew... such a relief. Wish Nokia would have informed us about this upfront.

    All the best, and happy browsing.

  13. #13
    Registered User
    Join Date
    Jul 2008
    Posts
    1

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    Hi,

    I found a great presentation: http://www.willhackforsushi.com/pres...ntoniewicz.pdf
    It says "Compares CN of certificate to trusted RADIUS Hostname" and "Validation of RADIUS server based on certificate validation – Trusted issuing authority, matching CN"
    In Windows you can use the "Connect to these servers" field in the "Validate server certificate" section.
    My question is: where can I enter the hostname of the RADIUS server in a Nokia E51 or other phone? If this cannot be done in the phone settings, how (where) can we specify the hostname of the RADIUS server?
    How does the client know where the RADIUS server is - does it use the IP address from the access point configuration? If this is the case then we need to use an FQDN instead of an IP address in the AP configuration, or use SANs (subject alternative names) in the RADIUS server certificate and include the RADIUS server's IP address as a SAN entry (I was able to create such a certificate using openssl, but not Microsoft Windows CA). Please comment on my thoughts.

    Mazhas

  14. #14
    Registered User
    Join Date
    Aug 2008
    Posts
    1

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    I had the same problem until I determined the CA authority. In our case, it was Equifax. I actually just followed the instructions at http://www.it.ubc.ca/internet/wirele...pasymbian.html, except for changing the CA to Equifax. I got the CA name from my network administrator.

    Tog

  15. #15
    Registered User
    Join Date
    Jan 2009
    Posts
    1

    Re: N95 eap-peap authentication failed using EAP-PEAP/MSCHAPv2

    Quote: Originally posted by togtnc
    I had the same problem until I determined the CA authority. In our case, it was Equifax. I actually just followed the instructions at http://www.it.ubc.ca/internet/wirele...pasymbian.html, except for changing the CA to Equifax. I got the CA name from my network administrator.

    Tog

    Thanks a lot for that link... I use S60 on my E51 and those settings worked perfectly for me.
