
Re: Connecting to WPA/WPA2-Enterprised network

New Member
Posts: 3
Accepted Solution

Connecting to WPA/WPA2-Enterprised network

hi all,

i just came to mcgill and was trying to connect to the school network. But it kept saying something like 'authorization failed'. School website has only instructions for BlackBerrys:

 

"Select wpa.mcgill.ca * (WPA/WPA2-Enterprise). Fill in the following fields:

  • Name: wpa.mcgill.ca *
  • SSID: wpa.mcgill.ca *
  • Security Type: PEAP
  • User Name: McGill Username
  • User password: McGill Password
  • CA Certificate: Thawte Premium Server CA
  • Inner Link Security: EAP-MS-CHAP V2
  • Token: None Selected
  • Server subject: blank
  • Server San: blank"

Help plz

 

Professor
Posts: 656

Re: Connecting to WPA/WPA2-Enterprised network

What phone model do you have?
New Member
Posts: 3

Re: Connecting to WPA/WPA2-Enterprised network

oops, sry.. forgot to mention that it's an N97
Sage
Posts: 134

Re: Connecting to WPA/WPA2-Enterprised network


idecline wrote:

hi all,

i just came to mcgill and was trying to connect to the school network. But it kept saying something like 'authorization failed'. School website has only instructions for BlackBerrys:

 

"Select wpa.mcgill.ca * (WPA/WPA2-Enterprise). Fill in the following fields:

  • Name: wpa.mcgill.ca *
  • SSID: wpa.mcgill.ca *
  • Security Type: PEAP
  • User Name: McGill Username
  • User password: McGill Password
  • CA Certificate: Thawte Premium Server CA
  • Inner Link Security: EAP-MS-CHAP V2
  • Token: None Selected
  • Server subject: blank
  • Server San: blank"

Help plz

 


 

Try configuring your N97 with these instructions:

 

 

Since your WLAN network seems to require more advanced PEAP authentication settings you should probably create / edit appropriate WLAN connection profile, known as (Internet) Access Point, manually in the following manner:
 

1. Go to Tools -> Settings -> Connection -> Network Destinations

2. Check if your earlier failed attempt to connect has already created a non-functional IAP named as your WLAN network SSID (look for an entry named wpa.mcgill.ca) under "Internet" destination.

3. If you can see existing IAP named as your WLAN SSID then you can Edit that one with necessary changes. (skip to 7.)

4. If you don't see any existing IAPs that are named like your WLAN network then go to the desired "Destination" (e.g. Internet) and select Options -> Add Connection Method.

5. Assuming you are in the coverage area of your WLAN network you can let phone "Automatically check for connection methods" (i.e. phone scans available WLAN networks) and you should be able to select the correct WLAN network name (wpa.mcgill.ca) from the list. Once you have selected the WLAN network your "Internet" Destination should now have been added with a new Access Point (IAP) that is named "wpa.mcgill.ca". Note that at this point the particular connection method is still incorrectly configured for your purposes (since by default it has EAP-SIM & EAP-AKA authentication methods enabled).

6. Now you should manually Edit your newly created wpa.mcgill.ca Internet Access Point with necessary PEAP settings.

7. Configure following WLAN and authentication settings:

- "Connection name" defaults to name of your WLAN network (wpa.mcgill.ca) but you can also change this if you wish

- "Data Bearer" naturally needs to be "Wireless LAN"

- "WLAN network name" should match your WLAN network's name (SSID) exactly (wpa.mcgill.ca)

- "Network status": Public

 

- "WLAN network mode": Infrastructure

- "WLAN Security mode": WPA/WPA2

 => Go to "WLAN security settings"

- Ensure that "WPA/WPA2 mode" is set to "EAP"

- Leave "WPA-2 Only mode" to "OFF" unless you are absolutely sure that your WLAN network is configured to strictly pure WPA2 mode (i.e. network might be configured to support both WPA and WPA2 security thus enabling WPA-2 Only mode on the phone will cause all your connection attempts to fail).

 => Go to "EAP plug-in configuration"

- Enable "EAP-PEAP" and make sure that "EAP-SIM" and "EAP-AKA" are disabled (via Options -> Disable)

 => Select "Configure" for EAP-PEAP authentication method

 - Leave "Personal Certificate" to "Not defined"

- Select "Thawte Premium Server CA" to be used as an "Authority certificate"

- Set "User name in use" to "User defined" (since there is no Personal Certificate where it could be read automatically)

- Enter your username (McGill Username) to "Username" field

- Set "Realm in use" to "User defined" and leave following "Realm" field empty.

- Note that in case your username (McGill Username) contains the realm (i.e. format is username@realm ) then you can enter realm part of your ID to "Realm" field and enter only the username part to the "Username" field.

 

- Configure "Allow PEAPv0" to Yes

- Configure both "Allow PEAPv1" and "Allow PEAPv2" to "No"

 
=> Go to "EAP's" tab to configure inner authentication method for the PEAP (use the small arrow pointing right on top of the screen to move between tabs)

- Enable "EAP-MSCHAPv2" authentication method and Disable all other methods (Option -> Enable / Disable)

- Select "Edit" for the EAP-MSCHAPv2

- Enter your username (McGill Username) to "User name" field

- Configure "Prompt password" to No or Yes depending on whether you want your password to be prompted every time you make a connection or if you prefer saving your password to following "Password" field permanently so that it won't be prompted every time you connect to this WLAN network with PEAP/EAP-MSCHAPv2 authentication.

- If you selected "No" to password prompting then enter your password (McGill Password) to "Password" field.
 

=> Exit the configuration with "Back" (several times) and you should hopefully be able to connect with this setup.

 

If needed you can also change the priority order of the connection methods (IAP's) within the Internet Destination since your new connection most likely ended up being lowest priority WLAN connection within your Internet destination. This should however not be a problem unless you have some other WLAN networks defined as an IAP and these other WLAN networks are simultaneously available at the location of the wpa.mcgill.ca WLAN network.

 

Hope this helps you to get connected!!

Message Edited by saataja on 17-Sep-2009 05:16 PM
New Member
Posts: 3

Re: Connecting to WPA/WPA2-Enterprised network

OMG~! IT WORKED~!!! THANKS A TRILLION~!!!
Registered Member
Posts: 1

Re: Connecting to WPA/WPA2-Enterprised network

Hi,

 

I have Nokia 5800 and I tried to follow the same pattern as you mentioned earlier. I go to Texas A & M Univ and still have problems connecting with my uni wpa. Your help will be greatly appreciated.

 

Thanks,

 meet

Registered Member
Posts: 2

Re: Connecting to WPA/WPA2-Enterprised network

I just bought a N97 and I tried to use n97 eap-mschap,

so I want to

EAPs : only enabled EAP-MSCHAPv2

 

But there is no eap-mschapv2, I've got all the others but no enterprise. Since I've the latest firmware,

where can i find eap-mschapv2?

 

Anyone can help??

Registered Member
Posts: 2

Re: Connecting to WPA/WPA2-Enterprised network

I have found the tab to EAP-mschapv2

( it is hard to find)

 

thx

Contributor
Posts: 6

Re: Connecting to WPA/WPA2-Enterprised network

I am having trouble connecting to the secured network at my university as well. I go to UCSD and use an N97. They told me that Symbian is not supported so they won't help. But to connect to the network I need a certificate. Is there a way I can use a certificate of another format or do I have to make them create a Symbian format certificate to access the network?

here is the website they have to help us with downloading the certificate. I don't know if it will help.
Please HELP me!!!!!

Sage
Posts: 134

Re: Connecting to WPA/WPA2-Enterprised network


afazline wrote:

I am having trouble connecting to the secured network at my university as well. I go to UCSD and use an N97. They told me that Symbian is not supported so they won't help. But to connect to the network I need a certificate. Is there a way I can use a certificate of another format or do I have to make them create a Symbian format certificate to access the network?

here is the website they have to help us with downloading the certificate. I don't know if it will help.
Please HELP me!!!!!


 

Looking at these setup instructions from UCSD web site it seems quite possible to get connected to "UCSD-PROTECTED" network also with your N97 even if Symbian phones are not officially supported by the UCSD IT department.

 

You should start by downloading the UCSD CA root certificate file e.g. with your PC. Then copy the certificate file to your N97 (use memory card or copy to internal memory) and install the certificate by opening the "UCSDCA-ROOT.cer" file from your phone's File Manager. Another option is to connect your phone to unencrypted WLAN network at the UCSD and download this certificate directly to your phone (via phone's web browser).
 
After you have hopefully managed to install the UCSD CA root certificate on your phone you should be able to set up a new WPA2 EAP/EAP-MSCHAPv2 secured access point (add new access point e.g. under Internet Destination) by following the instructions mentioned earlier in this discussion thread.

 

While setting up the phone for PEAP/EAP-MSCHAPv2 according to instructions mentioned in this thread note that you should specifically select the newly installed UCSD CA Root certificate to be used as a "Certificate Authority" instead of using the "Thawte Premium Server CA" which was applicable for some of the other University WLAN networks mentioned above.

Message Edited by saataja on 21-Oct-2009 06:59 AM
Contributor
Posts: 5

Re: Connecting to WPA/WPA2-Enterprised network

I tried your suggestion but I am still not able to connect to my uni wireless. The access point is hidden. Whenever I try to connect, I got EAP-PEAP authentication failed. Please HELP

 

 

  • Name: abc *
  • SSID: abc *
  • Network Authentication: WP2
  • Data Encryption: AES
  • Security Type: EAP - PEAP
  • User Name: my username
  • User password: my Password
  • CA Certificate: Nothing
  • Authority Cert: Nothing
  • Inner Link Security: EAP-MS-CHAP V2
Sage
Posts: 134

Re: Connecting to WPA/WPA2-Enterprised network


brianho wrote:

I tried your suggestion but I am still not able to connect to my uni wireless. The access point is hidden. Whenever I try to connect, I got EAP-PEAP authentication failed. Please HELP

 

 

  • Name: abc *
  • SSID: abc *
  • Network Authentication: WP2
  • Data Encryption: AES
  • Security Type: EAP - PEAP
  • User Name: my username
  • User password: my Password
  • CA Certificate: Nothing
  • Authority Cert: Nothing
  • Inner Link Security: EAP-MS-CHAP V2

 

Note that you must have a valid CA certificate (i.e. Authority Certificate) installed and defined on the phone settings in order to have any chance of successful EAP-PEAP authentication. Try contacting your WLAN network administrators if they are able to provide more details on which CA certificate has been used for signing the "server certificate" on the particular EAP-PEAP authentication server and install this CA (Authority) root certificate on your phone. Note that correct CA certificate might also be one of the pre-installed certificates on your phone but in any case you need to know exactly which one and then define it as an "Authority Certificate" on phone's PEAP settings.

Contributor
Posts: 5

Re: Connecting to WPA/WPA2-Enterprised network

Hi.

 

Additional to my question,

 

1. Should I check or uncheck anything on the CIPHER settings?

2. Should I be using only PEAP v0? and not v1 or v2?

 

Thanks again.

 

Sage
Posts: 134

Re: Connecting to WPA/WPA2-Enterprised network


brianho wrote:

Hi.

 

Additional to my question,

 

1. Should I check or uncheck anything on the CIPHER settings?

2. Should I be using only PEAP v0? and not v1 or v2?

 

Thanks again.

 


 

1. Typically you don't need to change "cipher" settings from the default values.

 

2. Ubuntu configuration instructions at the UCSD web site specifically define that PEAPv0 should be selected on the Ubuntu WLAN configuration thus I think you should just enable PEAPv0 on the phone and disable both PEAPv1 and PEAPv2.

 

Note that Ubuntu instructions mention that "Anonymous identity" should be left blank. Most likely this "Anonymous Identity" setting might refer to the outer EAP type identity (PEAP) which in case of N97 is the PEAP username and realm. So in case you are having trouble with the settings mentioned earlier in this thread, where PEAP username was manually set (User defined) to match the actual EAP-MSCHAPv2 username, you might also try using blank PEAP username/realm configuration on phone so that both PEAP username/realm are set to "User defined" but both username and realm input fields are left blank. Note that also in this case you still must define your actual username and password into the inner EAP type settings (i.e. EAP-MSCHAPv2) which handles the actual user authentication.

Contributor
Posts: 5

Re: Connecting to WPA/WPA2-Enterprised network

Hi saataja,

 

I am still not able to connect using my N97 after trying all the setting you suggested and I have contacted my network admin, he mentioned no CERT has been installed or required to connect to the wifi in the uni.

 

I can connect using my laptop with no problem but not my phone. The setting is exactly the same as the link below.

 

Sharjah Wireless: https://www.sharjah.ac.ae/English/Administrative_Services/InformationTechnologyCenter/OurServices/Do...

 

Please help.

Contributor
Posts: 5

Re: Connecting to WPA/WPA2-Enterprised network

 

Just to add on, they are using Cisco ACS for the username and password authentication backend.

The Wireless network admin mentioned no certificate has been installed.

 

EAP Configuration
PEAP

Allow EAP-MSCHAPv2

 

MS-CHAP Configuration 

 

Allow MS-CHAP Version 1 Authentication
Allow MS-CHAP Version 2 Authentication

 

PEAP session timeout (minutes): 120

Enable Fast Reconnect: YES

 

EAP-MD5

Allow EAP-MD5


AP EAP request timeout (seconds): 20

 

Sage
Posts: 134

Re: Connecting to WPA/WPA2-Enterprised network


brianho wrote:

Hi saataja,

 

I am still not able to connect using my N97 after trying all the setting you suggested and I have contacted my network admin, he mentioned no CERT has been installed or required to connect to the wifi in the uni.

 

I can connect using my laptop with no problem but not my phone. The setting is exactly the same as the link below.

 

Sharjah Wireless: https://www.sharjah.ac.ae/English/Administrative_Services/InformationTechnologyCenter/OurServices/Do...

 

Please help.


 

Above mentioned configuration instructions for Windows XP define that "Validate Server certificate" setting must be disabled (unselected) on the Windows PC's PEAP settings. Problem is that Nokia phones don't allow this type of configuration to be used for PEAP authentication. Instead of blindly trusting the network phone wants to always ensure validity of the PEAP server based on server's "server certificate" which is usually signed by some Certificate Authority root certificate. This CA certificate needs to be installed and configured on the phone (or other client) that wishes to ensure validity of the PEAP server before exposing user's EAP-MSCHAPv2 credentials to the given WLAN network and server.

 

Running PEAP authentication in such a mode where client device does not validate identity of the authentication server is considered generally unsecure since attacker could set up a fake PEAP server and similarly named WLAN network and then start collecting EAP-MSCHAPv2 user authentication credentials from the unsuspecting clients which are attempting to connect to this fake WLAN network. This type of "easier to deploy but unsecure" PEAP configuration seems to be supported at least by the Windows PEAP implementation and perhaps also by some other operating systems, however it is not supported on Nokia phones.

 

To my understanding PEAP authentication server can't be run completely without server certificate. At least all EAP servers (including Cisco ACS) I have seen have all required server certificate to be in place before any of the certificate based EAP authentication methods (PEAP/TLS/TTLS/FAST) can be taken into use also from the server's perspective.

 

Cisco ACS server does however support an option of using so called "self signed" certificate as its server certificate, which means that server certificate won't be signed by a proper separate CA root certificate (like e.g. Thawte, Verisign etc.) but instead server certificate is "self signed" by the ACS itself. It might be that in your case the ACS server is actually using a self signed certificate and thus your network admin has claimed that no certificates have been installed. It is true that no certificates are needed on the client side when accessing this type of the network with Windows XP client since it allows PEAP authentication without validating the server certificate, in case of Nokia phone this type of deployment won't work.

 

In case ACS server is configured to run PEAP with self signed certificate it might be possible for you to install the very same server certificate (which server itself is using) on your phone and then define this certificate to be used as an "Authority Certificate" on phone's PEAP settings. It's impossible to say for sure if this would work in your case but in general self signed certificates have been used successfully on Cisco ACS server allowing Nokia S60 phones to authenticate with PEAP/EAP-MSCHAPv2 as long as same self signed certificate has been successfully installed and configured on the phone.

 

So there is a chance of problems due to complexity and variance of different kinds of certificates etc. e.g. like installation of the self signed server certificate on your phone might fail or it still won't allow PEAP authentication to succeed but in case you want to try it (with some help from your network admin) here are some previously written potentially useful instructions on similar topic: /discussions/board/message?board.id=connectivity&message.id=25990#M25990

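The server-validation point made in the reply above, as an added example that is not part of the original thread: a Python checker that flags PEAP profiles which would hand the EAP-MSCHAPv2 exchange to an unvalidated server. It assumes the wpa_supplicant network-block format as the client configuration (the thread itself covers Nokia and Windows settings), goes one step beyond the thread by also flagging a CA with no server name check, and uses constructed SSIDs and file paths.

```python
import re

# Constructed sample input: three wpa_supplicant network blocks (not from the thread).
SAMPLE_CONF = '''
network={
    ssid="campus-no-validation"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student1"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-ca-only"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student1"
    ca_cert="/etc/ssl/certs/example-public-ca.pem"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-validated"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student1"
    ca_cert="/etc/ssl/certs/example-campus-root.pem"
    domain_suffix_match="radius.campus.example"
    phase2="auth=MSCHAPV2"
}
'''

TUNNELED = {"PEAP", "TTLS"}  # outer methods that carry an inner login inside TLS
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, flags=re.S):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks

def audit(fields):
    """Return findings for one profile; an empty list means the server is validated."""
    if not set(fields.get("eap", "").upper().split()) & TUNNELED:
        return []
    if not fields.get("ca_cert"):
        findings = ["no ca_cert: any server presenting this SSID is trusted"]
        if "MSCHAPV2" in fields.get("phase2", "").upper():
            findings.append("inner EAP-MSCHAPv2 exchange is exposed to that server")
        return findings
    if not any(fields.get(k) for k in NAME_CHECKS):
        return ["ca_cert set but server name unchecked: any certificate from that CA passes"]
    return []

def audit_config(text):
    return {f.get("ssid", "?"): audit(f) for f in parse_networks(text)}

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONF))
```
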
Contributor
Posts: 6

Re: Connecting to WPA/WPA2-Enterprised network

Thank you sooooooo much. It worked.

Contributor
Posts: 5

Re: Connecting to WPA/WPA2-Enterprised network

Hi Saataja,

 

Can you point me to the right direction to download the windows cert as i understand peap need to use cert to authenticate however windows allow peap without cert. So i would like to upload those windows cert so that i can authenticate on my n97.

 

Thanks.

 

Sage
Posts: 134

Re: Connecting to WPA/WPA2-Enterprised network


brianho wrote:

Hi Saataja,

 

Can you point me to the right direction to download the windows cert as i understand peap need to use cert to authenticate however windows allow peap without cert. So i would like to upload those windows cert so that i can authenticate on my n97.

 

Thanks.

 


 

Hi brianho, basically all the help and instruction I'm able to provide for your situation is written above in my previous reply to you.

 

Shortly put you need to consult your WLAN network administrator if they can provide you the correct Certificate Authority certificate that you need to install on your N97, no one else can provide you this information without knowing what certificate authentication server on the network has been configured to use for PEAP authentication purposes.

 

You mentioned earlier that your network administrators claimed that no certificates have been used on the system but to my understanding authentication server must always have a server certificate. Server certificate (on the PEAP authentication server) could be self signed or signed by a proper Certificate Authority. Your phone needs to be able to verify validity of the server certificate before it allows PEAP authentication process to complete successfully and in order to do this phone must have the specific Authority Certificate that has been used for signing the "server certificate" installed and configured.

 

Perhaps you should try consulting your network administrators again and try to explain the situation by showing them the explanation written in my previous reply. If the response remains the same that they can not provide you the Certificate Authority certificate (or a copy of the "self signed" authentication server certificate) to be installed on the phone then unfortunately there isn't anything more you can do. Then the fact is that this particular WLAN network has been configured to support only such client devices that allow PEAP authentication to happen without validating the server certificate (like Windows PC's).
