Secure Wifi Connection Problems

[sundawg#WP]

I'm finally coming back with my update. Clearly there are a few different issues mentioned in this thread, but I want to reply to the PEAP authentication and certificate situation I was having. Yes, I said "was".

My IT finally went around as part of a mobile device security goal for the year (yay for annual goals), and put valid certificates on our PEAP authentication servers. At the same time they rolled out Mobile Iron which is one of the ways enterprises can push apps, policies and certificates to your device (uses the WP8 company apps feature - which is cool to see). The roll out included certificates. And just like that, magically my WPA2-Enterprise-AES with PEAP connection started working.

For PEAP, correct and valid certificates are definitely required. And again, iOS and Android let you skirt the check and is why they work without hassle. I suspect MS thinks they are helping us be more secure, and technically they are. If your IT is asking to send corporate credentials via Wi-Fi, they should really have valid certs. Furthermore, if the valid certs are self-signed you need the matching Root CA installed on your device (which you can do by emailing it to your phone to install it).

I, like many others, also noted that they were able to get their WP7 device connected but not their WP8. My theory is that WP7 wasn't checking for a valid cert (or at least the same level of validity). If this is true, it seems that WP8 is more secure - at least with this connection configuration.

 

[sundawg#WP]

one more thing. For those of you having incorrect password errors. If you are authenticating with a PEAP server, you need to include your domain as part of your name like this: domain\username. For some of you this is obvious, but for others, maybe not.

 

[devize]

one more thing. For those of you having incorrect password errors. If you are authenticating with a PEAP server, you need to include your domain as part of your name like this: domain\username. For some of you this is obvious, but for others, maybe not.

What do you mean by this?

 

[sundawg#WP]

I'm assuming that most folks here connecting to an enterprise/business/school wifi use Microsoft Windows Domains. But PEAP does allow other methods. If you are expected to use a Windows domain, then the domain\username is a typical expectation for MS-CHAPv2 authentication. Here is a useful TechNet article. As far as I can tell, PEAP on our Windows Phones only supports MS-CHAPv2 auth.

Understanding 802.1X authentication for wireless networks: Wireless

Specifically I like the PEAP section that talks about the authentication process. It's phase one that fails if the server cert is not valid and causes the Connection Unsuccessful error. If you are getting password errors, then you've made it to the second phase.

PEAP authentication process

The PEAP authentication process consists of two main phases:

• Server authentication and the creation of a TLS encryption channel. The server identifies itself to a client by providing certificate information to the client. After the client verifies the identity of the server, a master secret is generated. The session keys that are derived from the master secret are then used to create a TLS encryption channel that encrypts all subsequent communication between the server and the wireless client.
• EAP conversation and user and client computer authentication. A complete EAP conversation between the client and the server is encapsulated within the TLS encryption channel. With PEAP, you can use any one of several EAP authentication methods, such as passwords, smart cards, and certificates, to authenticate the user and client computer.

The session keys that are generated during the PEAP authentication process provide keying material for the Wired Equivalent Privacy (WEP) encryption keys that encrypt the data that is sent between wireless clients and wireless access points.
You can use PEAP with any of the following authentication methods for wireless authentication:

• EAP-TLS, which uses certificates for server authentication and either certificates or smart cards for user and client computer authentication.
• EAP-MS-CHAP v2, which uses certificates for server authentication and credentials for user authentication.
• Non-Microsoft EAP authentication methods.

 

[lionel007]

I also had problems connecting to WPA2 enterprise networks, untill a few days ago. I received a few updates for Nokia apps including Network+ After installing these updates I am now able to connect to WPA2 Enterprise networks.

 

[Craig Paterson]

I also had problems connecting to WPA2 enterprise networks, untill a few days ago. I received a few updates for Nokia apps including Network+ After installing these updates I am now able to connect to WPA2 Enterprise networks.

The same for me, except only worked for three days. Now can't connect again.

 

[blnwp]

Suddenly started working since the past week in my Lumia 920. I tested after Portico and didn't work at that time with PEAP. But I tested a week back again and connected without any problems. Not sure whether something was upgraded from the WiFi access point side in my company.

My battery problem got better with always-on WiFi now.

 

[li2012]

I did not try to connect to the company's WiFi for quite a while, tired of doing that. Today I just gave it try, did not expect it would work, but it works now!

 

[anon5644628]

I just got an LGC900 Quantum when I switched carriers. I didn't want to sign a contract for a phone that came out 5 months ago (like the 920) so I brought my own phone. Wifi is a HUGE problem on my phone. I've been planning to sign a contract once the next Nokia WP flagship comes out but if it is as much a problem for WP8 with wifi, I won't go WinPhone. That makes me sad, but the wifi problems I'm having are a dealbreaker.

 

[Philip Burnett]

Re: Secure Wifi Connection Problems windows 8

hi - just got a new windows htc 8x - works fine at home - but unable to connect to the work wifi ....All netgear access points . Wg102, Wg302 .
( In going into the AP - the certificate is out of date, but I can still get in ) -
Been looking at all the threads - and changed the netgear access point to G use only. that doesn't work -
has anybody got any solutions. Just tried my old windows 7 phone and its fine .

bit disappointed ..

 

[Philip Burnett]

still not working on works WIFI - tried to connect to marks & spencers store free wifi - no luck either !!!!!!

but it worked in the O2 store - ?

does anybody know whats happening - great phone apart from the WIFI issues.

 

[mtmt88]

I just got my 521 last week, and spent the weekend customize it and such. wifi works great at home.
coming into work today, i found out that wifi won't connect (no problem with my exisitng HTC Arrive).
Looks like this problem has been reported on the internet 9 months ago and yet no solid solution has been found.
Any ideas guys?!? (i can play around with the phone but I can't plug/unplug, change settings on the router. it's my office.)
BTW, i have not activiated my phone yet with TMobile, so I'm not sure if updating the "Networks +" setting would help.

 

[sundawg#WP]

These stores use PEAP? This thread has primarily be about PEAP - but from time to time I'll find some store WAPs not working properly. I usually chalk this up to poor management by their ad-hoc IT - i.e. using ip lease times that are too long, thus running out of ip's.

 

[sundawg#WP]

mtmt88 - I've tried to explain that many of these cases we have at work are out of our control because MS decided to make our PEAP authentication more secure and not allow expired certs and/or certs that don't reference a CA installed on your phone. A couple things to try. Use a laptop/tablet and connect to your work wifi so you can read the cert. Check for the expiration and the see what the root CA is. If it is exprired, tell your IT to "do the needful". If cert is self-signed (i.e. you don't have the CA installed on your phone), export it from your notebook and email it to your phone so you can install it - reboot and try again.

 

[mtmt88]

mtmt88 - I've tried to explain that many of these cases we have at work are out of our control because MS decided to make our PEAP authentication more secure and not allow expired certs and/or certs that don't reference a CA installed on your phone. A couple things to try. Use a laptop/tablet and connect to your work wifi so you can read the cert. Check for the expiration and the see what the root CA is. If it is exprired, tell your IT to "do the needful". If cert is self-signed (i.e. you don't have the CA installed on your phone), export it from your notebook and email it to your phone so you can install it - reboot and try again.

Thanks Dawg for your reply. Unfortunately your recommended solution (and seems like it's the ONLY solution) is well beyond my limited tech skills.
(I tried to locate the CA of my company, went to MS-DOS prompt, did the whole Regedit, Reged32, certutil.exe, adsiedit.msc.. thing; finally gave up.)
So at the end of the day, I guess Microsoft will not "fix" this problem because in their eyes this is increased security. bummer.

 

[sundawg#WP]

It would be nice if MS would put the same option that iOS and Android have to say skip validation - I suspect there would be less fallout than what they are causing with this measure of security requirements.

If it helps you or anyone else, the way I usually get CA certs is to go to an internal secure website at your work that uses the same CA. Once logged in you can click the padlock by the URL (talking IE here) and select view certificates. This tells you the Issued by and Valid from/to. Take note of the Certification Path and note that you'll effectively need this same path for your phone. I think typically self-signed will have just have two nodes (the parent and the current cert you are viewing), real certs will also have a root. The typical problem is that you don't have the CA. Before you do anything else, go back to the Details tab and do Copy to File.. This will bring up the export wizard. Export to one of the .cer extensions. (don't recall if both DER and Base-64 work - I think they do). Save this to your desktop or something. Go back to the Certification Path and double click on the parent and it will open the details of that cert, export this as well and save it. Then take the couple of .cer files and email them to yourself so you can install them from your phone. Don't forget to reboot your phone too.

I'm not being overly specific, because this is one of those things I have to mess around and figure out I do it so infrequently, that I may be missing something. I have a self-signed cert at home and just went through something similar getting my wife's Surface to work with our exchange server.

But yes...a bypass checkbox would be nice.

 

[bilalafzal]

I also have the same problem. I can connect to my home wifi easily but could not connect to works wifi which requires the. From laptop I have to enter my complete credentials like Domain/Username and Password. But with my lumia 920 I dont get any option to enter Domain/Username and Password. It only asks for password.

 

[Phani Chandra]

Same issue on windows Lumia 720.. EAP-TLS doesnt work.

 

[Fred P]

It would be nice if MS would put the same option that iOS and Android have to say skip validation - I suspect there would be less fallout than what they are causing with this measure of security requirements.

But yes...a bypass checkbox would be nice.

one reason i suppose they enforce this security check is that every time your wp8 phone connects to wifi it syncs your contacts on skydrive using your primary microsoft account, even if all you wanted to do is check the weather or the news. afaik this cant be turned off or prevented, see this

http://forums.windowscentral.com/windows-phone-8/231181-ms-account-exposed-each-connect-public-hotspots-post2022090.html#post2022090

 

[Doug Swallow]

FYI, Microsoft did announce earlier this month that an update "in the first half of 2014" will include Enterprise Wi-Fi including EAP-TLS, among some other Enterprise features:

Making Windows Phone an even better choice for business

It is very frustrating that they are moving so slowly getting some of this in place.