Posted

Hi, after figuring out how to install a certificate into my SDA (which took quite some time), I hoped that I would be able to connect at school to our wifi. However, I still cannot do that; it gives me an error that it needs a personal certificate. When I check the security settings->certificates, I can see the certificate in the root folder. My settings for the network are the following:

Network Type: Internet

Network Key

Auth: Open

Data Encryption: WEP

The key is provided automatically: Yes

802.1x

Use IEEE 802.1x network access control: Yes

EAP type: Smart Card or certificate

I have the same settings on my computer and they work. But how can I specify which certificate it should be using? Thanks a lot for help!!

Guest DukeFleed
Posted

Talk to your Admin, and try to convince him to allow PEAP, it's just as secure

Now if your School doesn't allow that (for any stupid reason they might give you) then you will need to get a certificate (to your computer first) it MUST be exportable, and WITH private keys before you can use it for authentication (among other restrictions)

Peap-EAP-MSCHAPv2 is much faster and lighter on our little devices. And since the server only needs to authenticate your credentials (and not a certificate) it should be also faster and lighter on your server

Your other option is to provision directly (go with this one first): Start, Settings, Connections, Enroll. Then fill in the CA server address/name and your username and password. And you should be good to go

Chances are, everyone who deploys EAP-TLS also enables PEAP just for the heck of it most of the time. But there are still those people who want two factor auth of Smartcards.

The certificate enrollment tool might not be capable of installing a private cert by the way :)

Hope this helps

PS: If your administrator has enabled OID checking or non-exportable user certificates on the server side, there is NO WAY to do this but to get a certificate directly from him

Posted

Ok, I am really lost after reading your post. I have the certificate in the .cer format, which I have installed into the root certificates. The .cer certificate is the same one I am using on the computer to connect to the same network and it was exported and installed from a .p12 certificate.... So I think that I should have the correct certificate on the phone...

What should be the name of the CA server if I want to enroll?

How could I move the certificate from root certificates into personal? Maybe this could solve it.

Could you please explain it to me little bit more? Because I am really confused now:-(... Thanks a lot

  • 2 weeks later...
Guest Jacco2
Posted

It looks like your school is using EAP-TLS and has supplied you a PKCS#12 file. You can install that file using my free utility P12imprt.

An alternative is certificate enrollment, as DukeFleed suggests. But I don't know if your SDA has a certificate enrollment tool and if your school supports it.

DukeFleed says the PEAP is more secure than EAP-TLS. I don't agree. I can't imagine that PEAP is faster because both protocols are basically doing TLS. Note also that PEAP is Microsoft proprietary.
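The distinction the posts above turn on, a .cer file versus a PKCS#12 (.p12) file, can be checked from the first bytes of the file. The following is an added example, not part of the thread and not the code of the P12imprt utility; the function names and the sample bytes are constructed for illustration.

```python
import re

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if not 1 <= n <= 4:
        raise ValueError("unsupported DER length encoding")
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length

def classify(blob):
    """Guess what a credential file holds from its outermost ASN.1 shape."""
    pem = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----", blob)
    if pem:                                # PEM armour names its own content
        label = pem.group(1).decode()
        if label == "CERTIFICATE":
            return "x509-cert"
        return "private-key" if label.endswith("PRIVATE KEY") else "unknown"
    try:
        tag, start, _ = read_tlv(blob, 0)
        if tag != 0x30:                    # all formats handled here are a SEQUENCE
            return "unknown"
        inner, v0, v1 = read_tlv(blob, start)
        if inner == 0x02 and blob[v0:v1] == b"\x03":
            return "pkcs12"                # PFX ::= SEQUENCE { version INTEGER 3, ... }
        if inner == 0x30 and blob[v0] in (0xA0, 0x02):
            return "x509-cert"             # tbsCertificate opens with [0] version or serial
    except (IndexError, ValueError):
        pass
    return "unknown"

def can_carry_private_key(blob):
    """True only for formats able to deliver the private key EAP-TLS needs."""
    return classify(blob) in ("pkcs12", "private-key")

# Constructed samples: leading header bytes only, truncated, not real credentials.
SAMPLE_CER = bytes.fromhex("3082030030820200a003020102")
SAMPLE_P12 = bytes.fromhex("30820900020103308208f0")

if __name__ == "__main__":
    for name, blob in (("school.cer", SAMPLE_CER), ("school.p12", SAMPLE_P12)):
        print(name, classify(blob), "key possible:", can_carry_private_key(blob))
```

A file classified as `x509-cert` holds only the public certificate, so importing it cannot give the device the private key that certificate-based client authentication requires.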

Guest mm2ha
Posted

I have finally installed the certificate, but it still does not seem to work, I really don't know why. I can see the certificates (one personal and one root) when I look under the security->certificates options. However, the network seems as if it did not know which certificate to choose or something.

What is that certificate enrolling? I have never heard about it, could you please explain it to me? Thanks a lot!


Guest Jacco2
Posted

As far as I know, the network sends information to the client about what certificate it expects. The client then picks one that fits these conditions. I understand that it is difficult to monitor this negotiation from the client side. You're probably better off looking at the server side for errors in the logs.

You can find more about certificate enrolling on the webpage I mentioned earlier.

  • 1 month later...
Guest funky_saggi
Posted

I have a similar problem.

I have a .cer file which I installed in the phone.

My network authenticates with WPA and encrypts with TKIP.

I have a certificate in .cer format which I have installed, and my network supports PEAP and MSCHAP.

I tried adding the details to LEAP but that clearly didn't help. I can't use the enroll because I believe you need to be connected to the network to connect to the server and get the certificate, which it isn't doing in the first place.

Guest marcdbl
Posted

The following may work, depends on what the problem really is in your case:

Windows Mobile (for both Smartphones and PocketPCs) requires the PEAP authentication server to identify itself with a trusted certificate.

Windows (XP/2k/2k3) also does this, but has the option to turn this requirement off in the Wireless Network Configuration GUI.

The only way to turn it off in Windows Mobile is with a registry hack. Add the following DWORD, and set the value of it to zero:

HKLM\Comm\EAP\Extension\25\ValidateServerCert
