Welcome to Nokia Support Discussions! Here you can share advice and tips with thousands of other Nokia users around the world in English. Many Nokia employees also follow and participate in the discussions, see our guidelines for more information. Everyone can search and read the discussions, but to post your own question or reply to others, simply sign in with your Nokia account. If this is your first time here, you can choose an alias to represent you. And if you don't have a Nokia account yet, please register.

Advisor
Posts: 11
Accepted Solution

E75 Troubles with WLAN set up (WAP, TKIP, PEAP, EAP-MSCHAPv2)

Hi all,
I am facing problems setting up the phone for our company WLAN.
 
Error msg: WLAN EAP-PEAP authentification failed.
 
I need:
 
network key:
WPA
TKIP (where do I set this data encryption on my phone?????)
 
authentication:
EAP-PEAP with authentication method:
EAP-MSCHAPv2
 
 
What I did - (orig. for german):
1. menu/ctrl.panel/settings/Connection
2. new access point (Internet, Intranet)
3. edit new access point
4. connection name: something
5. Data bearer: Wireless LAN
6. WLAN/Net name: "our WLAN network name"
7. Net status: public
8. WLAN-Net mode: Infrastructure
9. WLAN-Security mode: WPA/WPA2
10. WLAN-Sec settings -> change

10a. WPA/WPA2: EAP
10b. EAP Plug-In settings: change
10b.i. EAP-PEAP select -> edit
10.b.i.1. Personal certificate: not defined
10.b.i.2. Authority certificate: not defined
10.b.i.3. User name in use: from certificate
10.b.i.4. User name: empty
10.b.i.5. Realm in use: from cert.
10.b.i.6. Realm: empty
10.b.i.7. TLS privacy: Off
10.b.i.8. Allow PEAPvn: only v1 and v2
10.b.i.9. EAP-MSCHAPv2 select and edit:
10.b.i.9.a. user name: -the correct user name- (hint: here the first letter is always UPPERCASE - kind of strange!!!)
10.b.i.9.b. Prompt pwd: no
10.b.i.9.c. Password: -the correct password
Christian Haase
Sage
Posts: 134

Re: E75 Troubles with WLAN set up (WAP, TKIP, PEAP, EAP-MSCHAPv2)


amschaase wrote:
Hi all,
I am facing problems setting up the phone for our company WLAN.
 
Error msg: WLAN EAP-PEAP authentification failed.
 
I need:
 
network key:
WPA
TKIP (where do I set this data encryption on my phone?????)
 
authentication:
EAP-PEAP with authentication method:
EAP-MSCHAPv2
 
 
What I did - (orig. for german):
1. menu/ctrl.panel/settings/Connection
2. new access point (Internet, Intranet)
3. edit new access point
4. connection name: something
5. Data bearer: Wireless LAN
6. WLAN/Net name: "our WLAN network name"
7. Net status: public
8. WLAN-Net mode: Infrastructure
9. WLAN-Security mode: WPA/WPA2
10. WLAN-Sec settings -> change

10a. WPA/WPA2: EAP
10b. EAP Plug-In settings: change
10b.i. EAP-PEAP select -> edit
10.b.i.1. Personal certificate: not defined
10.b.i.2. Authority certificate: not defined
10.b.i.3. User name in use: from certificate
10.b.i.4. User name: empty
10.b.i.5. Realm in use: from cert.
10.b.i.6. Realm: empty
10.b.i.7. TLS privacy: Off
10.b.i.8. Allow PEAPvn: only v1 and v2
10.b.i.9. EAP-MSCHAPv2 select and edit:
10.b.i.9.a. user name: -the correct user name- (hint: here the first letter is always UPPERCASE - kind of strange!!!)
10.b.i.9.b. Prompt pwd: no
10.b.i.9.c. Password: -the correct password

Hi Christian,

 

You don't need to worry about selecting the TKIP encryption, since when the phone is configured to utilize the WPA/WPA2 security mode and the user has NOT enabled the "WPA2 Only" setting (which prevents connections with TKIP, allowing only connections with AES encryption), the phone will automatically support both TKIP and AES encryption methods. This means that your configuration should be OK from a WPA mode and encryption point of view, regardless of which WPA version and encryption method (TKIP or AES) your WLAN network is configured to utilize.

 

It seems that your configuration mentioned above is at least missing the mandatory Authority Certificate from the PEAP settings. A successful PEAP authentication requires that your phone knows which trusted Authority Certificate (CA root certificate) it should trust while it verifies the validity of the server certificate during the PEAP authentication. I.e. during the authentication process the PEAP authentication server presents its own server certificate and the phone then verifies that this particular server certificate has been correctly signed by the trusted Certificate Authority. So the server certificate (on the PEAP authentication server) must be signed by the Authority Certificate that has been defined in the phone's PEAP settings, otherwise the phone will not trust this authentication server to be valid and aborts the authentication process, since this server could potentially be a hostile attacker setting up a fake WLAN access point with a PEAP server trying to gain access to the actual user authentication credentials, i.e. the MSCHAPv2 username and password in this case.

 

You might want to ask your WLAN network administrator if they can provide you with the Authority Certificate your network's PKI certificate infrastructure is based on. Then you can install the proper CA certificate on your E75 and define it as an Authority Certificate in the phone's PEAP settings.

 

Note that usage of a Personal Certificate is optional with the EAP-PEAP, EAP-TTLS and EAP-FAST authentication methods, so you don't need to ask your network admin to provide any other certificates than the missing CA root certificate (=Authority Certificate) mentioned above (however, EAP-TLS always requires both Personal and Authority certificates to be in place).

 

In case your PEAP authentication is still failing after you have installed and defined the correct Authority Certificate, you might try defining a manual PEAP username (typically the same as your EAP-MSCHAP username) instead of using the "From certificate" option, which tries to read your PEAP username/identity from the Personal Certificate, which is not present in your setup. Using the "From certificate" PEAP username setting without having a Personal certificate will cause the phone to automatically generate a random PEAP username/identity, and depending on the authentication server configuration it might accept these kinds of unknown random PEAP usernames or the server might require an actual valid username to be used as a PEAP identity.

 

Message Edited by saataja on 17-Sep-2009 04:31 PM
Advisor
Posts: 11

Re: E75 Troubles with WLAN set up (WAP, TKIP, PEAP, EAP-MSCHAPv2)

you're a genius - many thx.
Christian Haase
New Member
Posts: 1

Re: E75 Troubles with WLAN set up (WAP, TKIP, PEAP, EAP-MSCHAPv2)

I also have a similar problem when I set up the connection to the wireless network of my college.

 

Almost the same steps, except the words in red: 

 

 Data bearer: Wireless LAN
6. WLAN/Net name: "our WLAN network name"
7. Net status: public
8. WLAN-Net mode: Infrastructure
9. WLAN-Security mode: WPA/WPA2
10. WLAN-Sec settings -> change

10a. WPA/WPA2: EAP
10b. EAP Plug-In settings: change
10b.i. EAP-PEAP select -> edit
10.b.i.1. Personal certificate: not defined

10.b.i.2. Authority certificate: not defined <-- Thawte Premium

10.b.i.3. User name in use: from certificate <-- user defined
10.b.i.4. User name: empty
10.b.i.5. Realm in use: from cert. <-- user defined
10.b.i.6. Realm: empty

10.b.i.8. Allow PEAPvn: only v1 and v2
10.b.i.9. EAP-MSCHAPv2 select and edit:
10.b.i.9.a. user name: -the correct user name- (hint: here the first letter is always UPPERCASE - kind of strange!!!)
10.b.i.9.b. Prompt pwd: no
10.b.i.9.c. Password: -the correct password

 

 

I tried to change different certificate also, but I always got the same message:

 

'WLAN EAP-PEAP authentification failed'

 

I also talked to the people in IT service, they told me that the Thawte Premium certificate will request the same username and password as the novel system in our college.

I did use the correct username and password.

Sage
Posts: 134

Re: E75 Troubles with WLAN set up (WAP, TKIP, PEAP, EAP-MSCHAPv2)


To zhengruilin, 

 

I think there's no reason to try changing the Certificate Authority certificate assuming that you have been specifically instructed by the IT admin to use Thawte Premium Server CA.

 

If you set your PEAP username to "user defined" but leave the username field empty (I'm referring to your config at steps 10.b.i.3 and 10.b.i.4), then your phone will automatically generate a random string to be used as a PEAP username (i.e. PEAP / Radius identity) when the phone starts the authentication process towards the authentication server.

 

Depending on how the authentication server has been configured, the server might accept this type of random PEAP username / identity. However, sometimes the server might actually be configured so that it accepts only valid known usernames (like your actual username, i.e. the same as your EAP-MSCHAPv2 username). The server might also be configured to accept only a certain generic predefined PEAP username string like "anonymous" or "anonymous@your.domain" instead of allowing usage of randomly generated ASCII characters as a PEAP username/identity. This all depends on the server config, so it's difficult to guess what would be the correct format of the PEAP username in your case.

 

You could try to find out from your IT administrator what their authentication server expects to be used as an "outer" PEAP username (Radius username / identity from the server's point of view), or you could simply try to use some of the options mentioned above as a PEAP username, i.e. populate the PEAP username with the same username you have put into the EAP-MSCHAPv2 settings or try using "anonymous".

 

Message Edited by saataja on 12-Nov-2009 07:26 AM
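
The two points from saataja's replies above (a PEAP profile needs the Authority Certificate, and the outer PEAP username is separate from the EAP-MSCHAPv2 username), shown as an added example that is not part of the original thread: a Python check over wpa_supplicant-style network blocks, the Linux counterpart of the phone's PEAP settings. The sample configuration, SSIDs, user names and paths are constructed, and the server-name check goes one step beyond what the thread discusses.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax; SSIDs, names and paths are made up.
SAMPLE_CONF = """
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.edu"
    identity="jdoe"
    ca_cert="/etc/ssl/certs/example-root-ca.pem"
    domain_suffix_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
"""

SERVER_NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(text):
    """Return one dict (key -> unquoted value) per network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        lines = [l.strip() for l in body.splitlines()]
        pairs = (l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
        networks.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return networks

def audit_peap(net):
    """List server-validation gaps for one block; [] if it is not PEAP or has none."""
    if "PEAP" not in net.get("eap", "").upper().split():
        return []
    findings = []
    if not net.get("ca_cert"):
        findings.append("no ca_cert: the server certificate is not validated")
    elif not any(net.get(k) for k in SERVER_NAME_CHECKS):
        findings.append("ca_cert without a name check: any server under that CA passes")
    if not net.get("anonymous_identity"):
        findings.append("no anonymous_identity: the real username is the outer identity")
    return findings

def audit(text):  # maps each SSID to its list of findings
    return {n.get("ssid", "?"): audit_peap(n) for n in parse_networks(text)}
```

Calling `audit(SAMPLE_CONF)` reports two findings for the first block and none for the second. Whether an anonymous outer identity is accepted depends on the authentication server, as the reply above notes.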
Advisor
Posts: 12

Re: E75 Troubles with WLAN set up (WAP, TKIP, PEAP, EAP-MSCHAPv2)

Many thanks saataja! 

 

P.S. According to your instructions I've added my WLAN network manually. At first it didn't work even though I added the correct Authority Certificate. I also set up the same username under the PEAP username (same as I have under the EAP-MSCHAP username). I was using the DOMAIN\username way of writing the username. After I changed this to only username it started to work.

 

Regards

Toni

Contributor
aeorcr
Posts: 8

Re: E75 Troubles with WLAN set up (WAP, TKIP, PEAP, EAP-MSCHAPv2)

Hi, I'm from Costa Rica and I'm trying to connect to my university WiFi. I'm using the same configuration as told here, and my username consists of numbers, so it can't be wrong because of upper or lower case.

But my connection doesn't work; on my laptop I have to uncheck the valid server box. On the phone I can't find a valid certificate; every one I have tried led me to invalid EAP PEAP authentification or WLAN not found.

Is there a way to retrieve this certificate from my laptop with Windows 7 or using Linux or Mac?? I do really want to connect to my university WiFi.

BTW I've already talked to IT, but they told me that Nokias can't be configured and that they can't give me a certificate because there's none needed.

Contributor
aeorcr
Posts: 8

Re: E75 Troubles with WLAN set up (WAP, TKIP, PEAP, EAP-MSCHAPv2)

Forgot to say I'm using a Nokia 5530.

 

Mobile Guru
hadimassa
Posts: 4,790

Re: E75 Troubles with WLAN set up (WAP, TKIP, PEAP, EAP-MSCHAPv2)

 


aeorcr wrote:

Hi, I'm from Costa Rica and I'm trying to connect to my university WiFi. I'm using the same configuration as told here, and my username consists of numbers, so it can't be wrong because of upper or lower case.

But my connection doesn't work; on my laptop I have to uncheck the valid server box. On the phone I can't find a valid certificate; every one I have tried led me to invalid EAP PEAP authentification or WLAN not found.

Is there a way to retrieve this certificate from my laptop with Windows 7 or using Linux or Mac?? I do really want to connect to my university WiFi.

BTW I've already talked to IT, but they told me that Nokias can't be configured and that they can't give me a certificate because there's none needed.


Give us the url of your Uni.

 

‡Thank you for hitting the Blue/Green Star button‡

N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009
Contributor
aeorcr
Posts: 8

Re: E75 Troubles with WLAN set up (WAP, TKIP, PEAP, EAP-MSCHAPv2)

My Uni is www.tec.cr but they don't provide the settings online, only locally in their labs.

Anyway, I know it's PEAP, MSCHAPv2 and uncheck the validate certificate on Windows. Then the connection should ask for username and password and done, the laptop is online. But not my phone :(

Mobile Guru
hadimassa
Posts: 4,790

Re: E75 Troubles with WLAN set up (WAP, TKIP, PEAP, EAP-MSCHAPv2)

Raise PEAP priority and uncheck all others. Use one of the authority certificates, most likely Thawte Server or Premium. Raise MSCHAPv2 priority and uncheck all others.

‡Thank you for hitting the Blue/Green Star button‡

N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009
Contributor
Posts: 8

Re: E75 Troubles with WLAN set up (WAP, TKIP, PEAP, EAP-MSCHAPv2)

I have the same problem. My company's wireless network requires me to enter a user name and password. My laptop and iPad 2 connected and prompted me to enter my user name and password with no issues, and they are working fine. My Nokia 701, on the other hand, does not prompt for user name and password! I managed to put my user name and password in the configuration for

EAP ->EAP-PEAP->EAP-MSCHAPV2

but still it is not authenticating. By the way, my company does not use any certificate authenticating authority; this is what I was told by the IT admins. And this is what I see in the properties of my WiFi on my laptop, where I unchecked "validate server certificate".

Is there a way for the Nokia 701 to connect to such a network?
Thank you