[maemo-users] solved(ish) Re: WPA-Enterprise (PEAP-MSCAPv2) problem with N810/OS2008

From: Joshua Layne joshua at willowisp.net
Date: Wed Dec 19 00:53:55 EET 2007

I finally got some time to work with the RADIUS administrator and
troubleshoot this.  In the end, I was able to get authenticated, but there
are some definite bugs in the wireless connection manager, because I
shouldn't have had this much trouble.

Our network (to briefly re-summarize):
Cisco LWAPs (Light-Weight Access Points) (1131 and 1242)
Cisco Wireless Controllers (WISM blades for Cisco 6500 chassis)
MS Internet Authentication Service RADIUS with PEAP/MS-CHAPv2 over WPA1
(TKIP) and WPA2(CCMP) with named user authentication.

The setup that worked:
Network Name (SSID): blah
Network is hidden: checked (and true)
Network Mode: Infrastructure
Security Method: WPA with EAP
EAP type: PEAP
Select Certificate: None (we don't use client certs)
EAP method: EAP MSCHAPv2
User name: WHATEVER (doesn't matter as it doesn't seem to actually use this)
Password: password
Prompt for password: UNCHECKED
Use Manual user name: checked
Manual user name: username
Require Client Authentication: unchecked

Ok, so this looks pretty normal, except for a few things:
1) if you don't enter the manual username in the advanced properties, it
sends totally garbled credentials which (obviously) fail authentication and
the log shows the EAP type as undetermined:
User qQVHj2kwcIhtnSA6QhmpIm was denied access.
Fully-Qualified-User-Name = OBFUSCATED\qQVHj2kwcIhtnSA6QhmpIm
Called-Station-Identifier = OBFUSCATED
Calling-Station-Identifier = OBFUSCATED
Client-Friendly-Name = OBFUSCATED
Client-IP-Address = OBFUSCATED
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows 
Authentication-Server = <undetermined> 
Policy-Name = <undetermined> 
Authentication-Type = EAP
EAP-Type = <undetermined> 
Reason-Code = 8
Reason = The specified user account does not exist. 
2) if you select prompt for password AND you have manual user name checked
AND you have an entry for the manual username, you will get a password
prompt, which will fail and nothing will even make it to the RADIUS logs...

Basically: as far as I can tell, the username field is not used in the main
configuration tab, only the 'manual user name' is used in the advanced
settings.  Secondarily, the 'prompt for password' option does not seem
to authenticate properly, as it didn't even show in the RADIUS logs.

So I guess the result is mixed - _I_ have my issue fixed (and hopefully
these steps help somebody else), but this doesn't seem to be proper
behavior on the part of the wireless configuration manager.

On Fri, 30 Nov 2007 08:20:10 -0700, Tim <tim at samoff.com> wrote:
> Joshua,
> Please add your comments/experiences here:
> https://bugs.maemo.org/show_bug.cgi?id=1017

I will add the text of this email to the bug, need to set up an account.
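
Added example, not part of the original message or of any Maemo or Microsoft tooling: a small triage of an IAS denial record like the one quoted above, separating rejections made on the identity alone (EAP-Type undetermined, Reason-Code 8) from failures inside the EAP method. The sample record and its user name are constructed, and the category names and the reading of that field combination as a bad client identity are assumptions based on the log above.

```python
import re

# Constructed sample in the "Name = value" layout of the IAS event quoted above
# (placeholder values, not taken from a real log).
SAMPLE_EVENT = """\
User a8Xk2PqLm0Zr was denied access.
Fully-Qualified-User-Name = EXAMPLE\\a8Xk2PqLm0Zr
NAS-Port-Type = Wireless - IEEE 802.11
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist.
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z-]*)\s*=\s*(.*?)\s*$")


def parse_event(text):
    """Return the 'Name = value' attributes of one event as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:  # the leading "User ... was denied access." line has no '='
            fields[m.group(1)] = m.group(2)
    return fields


def triage(fields):
    """Classify a denied event by how far the EAP exchange got (assumed labels)."""
    user = fields.get("Fully-Qualified-User-Name", "").rsplit("\\", 1)[-1]
    if fields.get("Authentication-Type") != "EAP":
        return "not-eap", user
    if fields.get("EAP-Type") == "<undetermined>":
        if fields.get("Reason-Code") == "8":
            # Rejected on the identity alone, before an EAP method was chosen:
            # check which user name the client is actually sending.
            return "unknown-identity-before-method", user
        return "failed-before-method", user
    return "failed-in-method", user


if __name__ == "__main__":
    print(triage(parse_event(SAMPLE_EVENT)))
```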

