After reading many threads and websites, I am still unable to get a solution to my issue regarding specific Wi-Fi connections on my XV6800 / HTC Titan.
My college uses a WPA Enterprise/TKIP secured network using PEAP/EAP-MSCHAPv2 authentication. It is also required that the server's certificate is not checked against a CA for validity.
My problem is that I have been unable to connect to the network.
Using the settings (Authentication: WPA, Encryption: TKIP), I can choose PEAP for Network Authentication, but hitting Properties says "Cannot log on to the wireless network. This network requires a personal certificate to positively identify you."
It will never let me connect because of that.
Now, on the other hand, I tried SecureW2 TTLS as my authentication, and in SecureW2, I setup a profile with it setup to not check the server certificate, and EAP/PEAP for Authentication method/type respectively. As well as to prompt for user credentials.
With this method, I get nothing... Also, Properties near PEAP also says the same thing about the requirement of a personal certificate.
For reference, I'm using DCD's 3.2.0 ROM with Windows Mobile 6.1.
If anyone has any experience with this, please let me know ASAP.
Thank you.
Related
HI guys,
Does anyone know how to get a static IP address when using the GPRS connection to the internet. The reason being is because our corporate firewall has to recognise the device through it's IP. Is there any other possible methods for recognising the user?
Also does a VPN work well over GPRS and is there any extra configuration involved on the VPN server
Cheers
Any answers would be great.
Unfortunately there is no simple answer to your question. AFAIK you cant get a fixed ip on gprs, but if your using the right firewall and the right vpn host you dont need to.
I use and supply windows sbs 2003 servers and vpn into them regularly. I have also used citrix to achieve similar results. Might be a bit difficult to persuade your firms it dept to set up something like that for 1 person though.
PM me if youd like any advice.
BillyB said:
HI guys,
Does anyone know how to get a static IP address when using the GPRS connection to the internet. The reason being is because our corporate firewall has to recognise the device through it's IP. Is there any other possible methods for recognising the user?
Also does a VPN work well over GPRS and is there any extra configuration involved on the VPN server
Cheers
Any answers would be great.
Click to expand...
Click to collapse
Hello Billy,
You ask a good question, but the answer isn't simple. Most carriers do have two types of APN (Access Point Name) provision for your SIM: "private" APN (which provides a non-routable IP assignment from behind a NAT, for basic browsing and e-mail functionality) and "public" APN (that provides a routable IP assignment, which is the Minimum Requirement for a more sophisticated connection type, such as VPN, etc). However, both of them are assigned by a DHCP (Dynamic Host Configuration Protocol) Server on a GGSN (Gateway GPRS Support Node) of your particular GPRS network operator. In either case, the end result will obviously be a DYNAMIC IP address on your GPRS terminal (be it a laptop PC, a PDA, or phone)
Some carriers do offer what is called a "dedicated APN" provision, which gives the subscriber their own IP range to choose from (almost like a small subnet), but it is only available to corporate giants like Pepsi (for example).
Now, to sum it up, you must have the proper APN provisioned on your Mobile SIM account (which the provider will normally call something like a "VPN data package" in billing terms). Then, you must obviously establish a GPRS session before you can connect your VPN client (but remember that most basic VPN clients work the best). It is pretty sad to say, but Microsoft Windows-embedded VPN client on Win2k/XP Pro so far has performed the best with no quirks whatsoever. It has to be via PPTP...L2TP has also worked for me..otherwise, the fancier (and more secure) the VPN tunneling protocol, the more its likely to fail. Normally all you need for a basic MS WIndows VPN client config is the Server name (or IP address), the user name, and the password.
Hope this helps,
Let me know how it goes,
Alex
PS. PM me if you have further questions.
VPN and TS Its like pulling teeth
hi all this has got to be the most anoying problem ever. i can connect to O2 vpn access point and hence i can connect to my work vpn server. however as soon as i try to open a TS connection to my desktop (through the vpn) the VPN connection is dropped and i never connect. Can anybody tell me why? if i have a vpn connection to my work server why does TS try to make another connection and bomb out the original. Is there a fix or another way of doing this i.e. does a external IP have to be nat'd to my desktop IP on port 3389? all help greatly appreciated. Ian
I want to make a WiFi connection on my school. But I have to make some setting changes. I have the HTC Trinity with WM6.
I have to satisfy to these settings:
- Wlan network name: tue
- Security mode: 802.1x with dynamic WEP keys
- Authentication protocol: PEAP with MSCHAPv2
- Root certificaat: GTE Cybertrust Global Root
Where do I make these changes?
On your's school router or wifi access point in your school
but sadly I have to make these changes on my pda
According to school these are the settings specially made for smartphones/pda
Markos said:
but sadly I have to make these changes on my pda
According to school these are the settings specially made for smartphones/pda
Click to expand...
Click to collapse
If it is set on your's router in school, then your PDA or smartphone will see these settings automatically
Otherwise look in start-settings(instellingen)-connections(verbindingen)-wi-fi, there you can add new network connection and apply these settings
But that's the problem.. I can't apply these settings.
When I configure Netwerk Authentication I'll come till "Use IEEE 802.x network acces control"
When I select this and choose for PEAP and I want to change the Properties I get this message:
Warning
Cannot log on to the wireless network. This network requires a personal certificate to positively identify you
Click to expand...
Click to collapse
Where can I make and/or change this personal certification?
been having the same message, anyone knows where to find the certificate?
Hi,
So,
1. You want to connect wirelessly to your School's network, right? .......and that
2. The network settings that you stated in your opening post were given to you by your School Network Administrator, right? ......finally, that
3. Your School Network Administrator had indeed, ACTUALLY given authority to your device (HTC Trinity) in the Access Control List to access the school's network, right?
In that case, he (the School Network Administrator) MUST have assigned an IP Address to your device (or entered its MAC address and configured it as such, inside the router/wireless access point.
Did you make sure that he did actually do so? Ask him to confirm this for you. I'm saying this because if he (the School Network Administrator) hadn't configured your device to have access to your school's network, you'll be wasting your time trying to access it, 'cos as you know, it is a secure network hence, it can not identify your device.
The only way that your device could be identified to access the school's network (never mind the settings provided in your opening post), is only, and only if, it had been configured in the ACL - Access Control List within the router, otherwise every Tom, **** and Harry would simply access the school's network, willy-nilly and wreak all sorts of havoc. See what I mean?
If indeed, he (the School Network Administrator) had given you access to the school's network, just ask him or her to give you the IP Address that he assigned to your device and then enter it in the Wi-Fi configuration of your network in Trinity, as you had been doing and everything should work fine - no more headaches!!
BOTTOM LINE:
If there is no entry for your device in the Access Control List of the school's router/wireless access point, you've got no chance 'cos your device would be refused access at all times because the router/wireless access point does NOT recognise it.
You ask him (the School Network Administrator) to give access to your device - either by using it's MAC address or IP Address), then you'll be laughing 'cos then you'll be able to have access, wirelessly.
I do hope that this gives you pointers to help solve your problem 'cos that's the only solution that I can offer.
kiwi992.
Sorry to bring alive an old post, but I have been receiving the exact same message requiring a "personal certificate." What I don't understand is that the network prompts me for my username/password - each device is not set up individually. For example, I can take my laptop to school and connect to the network as long as I have my username and password. What is the difference between XP and WM6 in this respect? Why can't I just enter my user/pass on my Wing and connect just like I would with a laptop?
Absence said:
Sorry to bring alive an old post, but I have been receiving the exact same message requiring a "personal certificate." What I don't understand is that the network prompts me for my username/password - each device is not set up individually. For example, I can take my laptop to school and connect to the network as long as I have my username and password. What is the difference between XP and WM6 in this respect? Why can't I just enter my user/pass on my Wing and connect just like I would with a laptop?
Click to expand...
Click to collapse
This has bugged me for a long time with Windows Mobile 5/6 & 802.1x with PEAP (WEP & WPA/WPA2). You should in theory be able to just use MSCHAPv2 and a Username/Password to authenticate yourself but there seems to be no way of turning off the client checking the servers validity - i.e. having a valid & trusted certificate (you can disable this checking with Windows XP's 802.1x supplicant). So all you should need is the servers public certificate installed on your device.
When I was testing this a while ago I had some sucess but the 'personal certificate' message was a problem. In the end I just enrolled the device with the domains CA and have a personal certificate installed (as well as the CA's certificate which gets installed at the same time).
Enrolling for certificates is much easier now with Windows Mobile 6 and ActiveSync 4.5 since you can enroll the device from ActiveSync on the host PC.
HTH
Andy
Interesting, Andy,
I haven't yet had the chance to test this change yet, but a few searches has turned up a registry key that we can add -
(quoted from somewhere on the internet)
"The only thing you have to do is to add a DWORD Regestry Entry under HKEY_LOCAL_MAICHNE-->Comm-->EAP-->Extension-->25
Name:"ValidateServerCert"
Value: 1 to activate Validation, 0 to turn it off"
Have you tried making this change before just registering a certificate? If it doesn't work, do you remember the basic steps for retrieving a certificate from a computer via activesync? If I do transfer a certificate from a laptop, do I need to register the device with the administrator? It seems that everyone from the IT department I've talkd to has no idea what they're talking about.
I'm having a problem authenticating to network shares over wifi. I don't have any problems authenticating to regular workgroup computers but in this instance I'm trying to connect to my server which is a domain controller. It appears wm6 is having problems with the authentication when using domain accounts versus regular local computer ones...
I checked the event viewer and as far as the server is concerned the login was successful but wm6 is saying login failed....
does anyone know how I might be able to connect to these shares?
thanks very much
I have tried searching the forums information about the possibility to use WPA2-Enterprise on Windows Mobile. What i have found is that is not currently implemented in WM6. Does anyone have information if it implemented in WM6.1? Are there any 3:rd party applications that can give you access to a WPN2-Enterprise network?
//Awi
WPA2 & WPA2-PSK are, but WPA2-Enterprise is not showing in any of the
Wireless LAN setup dialogs in WM6v1.
vdot said:
WPA2 & WPA2-PSK are, but WPA2-Enterprise is not showing in any of the
Wireless LAN setup dialogs in WM6v1.
Click to expand...
Click to collapse
There isn't a separate WPA2-Enterprise, it is just the WPA2 Authentication option in the drop-down list. The 'Enterprise' name only comes from the fact that authentication is performed by a centralised RADIUS server that the WiFi access point sends authenticaion requests to. This is in contrast to WPA-PSK and WPA2-PSK that uses a Pre-Shared-Key (PSK) configured locally on the WiFi AP.
With WPA/WPA2 the WiFi clients use 802.1x EAP authentication, however WM5/6 only supports two EAP types - PEAP and EAP-TLS (Smart Card or Certificate). In both cases at least one certificate is required to get it working. I currently use WPA2 with EAP-TLS authentication and AES encryption and it works perfectly.
What issues are you having?
Andy
ADB100 said:
There isn't a separate WPA2-Enterprise, it is just the WPA2 Authentication option in the drop-down list. The 'Enterprise' name only comes from the fact that authentication is performed by a centralised RADIUS server that the WiFi access point sends authenticaion requests to. This is in contrast to WPA-PSK and WPA2-PSK that uses a Pre-Shared-Key (PSK) configured locally on the WiFi AP.
With WPA/WPA2 the WiFi clients use 802.1x EAP authentication, however WM5/6 only supports two EAP types - PEAP and EAP-TLS (Smart Card or Certificate). In both cases at least one certificate is required to get it working. I currently use WPA2 with EAP-TLS authentication and AES encryption and it works perfectly.
What issues are you having?
Andy
Click to expand...
Click to collapse
hi currently my co is using peap via certificate..however the certificate can be found onli in the laptop. do you think i can export it out from the laptop and import to the pda? thanks
devil_82 said:
hi currently my co is using peap via certificate..however the certificate can be found onli in the laptop. do you think i can export it out from the laptop and import to the pda? thanks
Click to expand...
Click to collapse
All you need on the PDA is the servers public certificate to be in the Root Certificate store, you don't actually need a personal certificate on the PDA (unless you are performing PEAP with user certificates as opposed to PEAP with EAP-MSCHAPv2). To do this you would need to export it from the server or your PC and then import it on your PDA.
There is a post in another thread about disabling the certificate validation with WM5/6 which I haven't tried but looks like it should work and you wouldn't need to import the certificate:
http://forum.xda-developers.com/showthread.php?t=283380
Andy
Hi, I am from Sweden and this is my first post here at XDA.
I got a HTC p3600, it´s upgraded to WM 6.5 and it works awesome.
Now the problem. The WLAN works great at home and other open networks/ if i got the key.
In my school we got WLAN but i can´t connect to it. I find it in the WLAN-list but there it ends. My friend with an Iphone just select the network and then he can insert his username and password, and woila! He´s in.
When i try to connect the server wants a "Certifikat" in swedish. I have tried to do a "Domain enroll" to get it But it always fail.
I think they use Windows Server 2003.
Does anybody understand my bad language? If you wanna know any more, just tell me.
Same problem here, trying for some weeks to find a solution and so far all attempts with different clients failed. I`m sure it`s not a windows server but a cisco concentrator that let`s You access wlan and it seems there is no free client that can communicate correctly with cisco hardware for winmobile. Iphones have a vpn client directly from cisco integrated and can pass without problems. Try to ask Your computer center what concentrator they use and if they know of a client that supports winmobile.
Some forums mention a registry hack that deactivates certificate authentication but just setting it didn`t help. We`re still trying if this might work in conjunction with a locally installed certificate. Try to get the root certificate of Your CA and import it to Your device. Might help. Somehow they screwed up PEAP on mobile clients cause it`s supposed to work without local certificates but alas...
FlyBy_1 said:
Same problem here, trying for some weeks to find a solution and so far all attempts with different clients failed. I`m sure it`s not a windows server but a cisco concentrator that let`s You access wlan and it seems there is no free client that can communicate correctly with cisco hardware for winmobile. Iphones have a vpn client directly from cisco integrated and can pass without problems. Try to ask Your computer center what concentrator they use and if they know of a client that supports winmobile.
Some forums mention a registry hack that deactivates certificate authentication but just setting it didn`t help. We`re still trying if this might work in conjunction with a locally installed certificate. Try to get the root certificate of Your CA and import it to Your device. Might help. Somehow they screwed up PEAP on mobile clients cause it`s supposed to work without local certificates but alas...
Click to expand...
Click to collapse
Thanks for the answer!
Would it be possible to to install some kind of program from cisco to make it work?
Unfortunately Cisco doesn`t do any winmo clients, they licensed it to other companies. Tried with Root CA yesterday but that didn`t work, maybe we need a valid client cert too. Have to get a personal one from our uni CA the days.
Try installing secureW2
http://www.securew2.com/node/3
This is a program specifically designed to work with wpa2 networks offered through a radius server. Most schools and universities use a radius server. You will need a local login and password though.
When installed, you can select securew2 in the certificate window of wifi settings, when you try to connect to the wireless network.
Thanks for the suggestion. I tried with various clients, none of them worked, securew2 was among them. But maybe it works with fiddyboy.
A page mentioned some older hardware may not cope with mixed wpa modes, maybe P3600 is among them but I really don`t think so...
MAsterokki said:
Try installing secureW2
http://www.securew2.com/node/3
This is a program specifically designed to work with wpa2 networks offered through a radius server. Most schools and universities use a radius server. You will need a local login and password though.
When installed, you can select securew2 in the certificate window of wifi settings, when you try to connect to the wireless network.
Click to expand...
Click to collapse
I am downloading now, will test it tomorrow. Thanks!
Edit: I am not getting it to work. Can someone help me with the settings?
I am sorry, but I don't know what settings to use in your specific case... These settings should be made available by your school or company, most of the time the settings for laptops will give enough information too
which rom do you use to upgrade to windows mobile 6.5
Finally got it to work. We have different WLANs here at our university. I had no luck connecting to our VPN-network so I tried our eduroam WLAN. Eduroam is a roaming network for educational purposes. If You have a login from Your uni/school/whatever You should be able to access the internet from any eduroam network worldwide.
As You said You were asked for a certificate I think Your network relies on the same technologies as ours because I had the same error before. Following explanation:
Our eduroam RADIUS server is certified.
This means our uni gave it a certificate. Our uni was certified by and got a certificate from the DFN (german research net). The DFN was certified by and got a certificate from the german Telekom.
This is called a certificate chain with the DFN as intermediary and Telekom as root certificate authority.
What I had to do is import just the root certificate (from Telekom) to my mobile device by downloading it from our unis webpage, transferring it to the Trinity and just click on it. It confirmed installation and the root ca is listed under the Settings>System>Certificates>Root.
Edit : Normal certs are with *.crt ending. MinMo wants *.cer-files. If You only can get Your hands on *.crt import them into Your PC browser, export from there with DER-encoding and rename *.der to *.cer. That`s it.
Our eduroam RADIUS server authentication is via PEAP.
So I configured the network connection like this:
connects to : internet
authentication : wpa2
data encryption : aes
eap type : PEAP
Connect. When prompted put in Your uni account credentials.
This worked on WinMo 6.1 and 6.5 Without the ValidateServerCert reghack or any other other special program.
WinMo5 failed! Also tried the ValidateServerCert reghack but it`s of no use. Think it`s because WM5 has no wpa2-aes support. If Your RADIUS allows wpa and tkip it may work.
Maybe if this doesn`t work Your server it uses something other than wpa2 or aes. Try different options. Maybe it`s not using PEAP. Ask Your admin but try with a certificate first.
The strange thing is that PEAP was used to avoid handling of certificates; it`s especially there to NOT have to fiddle with them. Anyway, this works here, hope this is the solution for Your location...
you should just buy a protable harddrive or a flash drive and transfer your files onto that and then onto your computer.
Hi, I have same problem, trying to use eduroam on CTU, my Notebook/Laptop WiFi work ok, but I can't connect with TD2 Topaz. I have instaled required certificate, but in options I have no way to set concrete RADIUS server to connect (which is required to be specified in settings on Notebook). Any ideas please? I Also installed securew2, but I can't add Cesnet CA in securew2 options, even it is installed in system (I is present in setings-certificates in WM).
When You have WinMo 6.1 You shouldn`t need securew2 and there is no need to explicitly set RADIUS IP. Have You tried eap-type : PEAP ? What`s the error message if any ?