Windows Phone 10 support TTLS-PAP?

[Marox1]

This is my question...if anyone could answear me please. Thanks

 

[Alexander Long]

I don't' really know, but it seems work with EDUROAM and it uses ttls-pap from what I know, so I guess it does.

 

[Marox1]

Without the necessiti of a certificate of the university?

 

[Marox1]

Because in my university (from Spain) they use TTLS config with PAP without a certificate, so I need the option to select PAP authentification also and not only the TTLS parametre. Sorry for my Enlish expression...thank you

 

[xbrtll]

I have not found a way to connect to eduroam (nor to the local university network with TTLS/PAP, for that matter) yet and the data center here says that it is not supported. It would be great if they were wrong about that, but most of what I have read thus far seems to support their statement and the few suggestions otherwise (mostly some certificate stuff) did not work for me.

 

[Alexander Long]

I have no trouble with EDUROAM here, at all the campus and universities that I visited the last couple of months, I am be able to connect to EDUROAM without issues.
And to connect to eduroam , just click the eduroam network when you're at campus, then it will open up for login info, enter the login info normally same as your school email and password. Then click never on the certificate check thing. Click connect. It should work. After the first time configuring at your own school, you should be able to 'roam' between 'edu's.

 

[Marox1]

Yes, but on my wp 8.1 doesn't work in my own university. For these reason I was asking if it works with wp 10.
In my university I have to put these options: User and pass, select TTLS and authentification phase 2: PAP and it doesn't work with wp 8.1, i will try with wp 10 when it will be release.

 

[xbrtll]

Alexander: And you are sure that your institution uses TTLS/PAP for authentication? The process you describe sounds more like PEAP MS-CHAP v2 as you cannot choose 'never' for the certificate-check on TTLS/PAP. As far as I know it depends on your institution which of the two (or possibly even more) authentication methods they use.

 

[Marox1]

My university don't use the certificate and yes they use TTLS/PAP. These are the options for the wifi:
?SSID: eduroam (en min?sculas)
?seguridad: 802.1x
?m?todo EAP: TTLS (Tunneled TLS)
?autenticaci?n interna o de fase 2 (inner Authentication): PAP

 

[Marox1]

Oh sorry, now I see that the question is for Alexander...

 

[Alexander Long]

Alexander: And you are sure that your institution uses TTLS/PAP for authentication? The process you describe sounds more like PEAP MS-CHAP v2 as you cannot choose 'never' for the certificate-check on TTLS/PAP. As far as I know it depends on your institution which of the two (or possibly even more) authentication methods they use.

You were right my school switched to peap ms-chap v2, it was TTLS-EAP yrs ago when I was undergrad there and try to configure on my Nokia N95. but I guess they switched sometime after that. But I thought back in 8.1 v1 should support TTLS-EAP
Wait second are you it is TTLS-PAP not TTLS-EAP? Because eduroam has to be 802.1x EAP

 

[Alexander Long]

Ok, I found this link https://msdn.microsoft.com/en-us/library/dn643706.aspx from Microsoft which apply to WP8.1 but I assume should same as w10m .
And from what I read from here, it dose support EAP-TTLS (PAP) .

 

[xbrtll]

Wait second are you it is TTLS-PAP not TTLS-EAP? Because eduroam has to be 802.1x EAP

I don't think TTLS-EAP ist a thing. Full version is EAP-TTLS/PAP, i.e. EAP-TTLS to authenticate to the network and then PAP to authenticate the user (if I recall that correctly). The problem lies in the PAP-part: I can enter my data, then windows asks me to accept the server certificate (i.e. the EAP-TTLS part seems to work) and after that it tells me the connection is not possible.

And from what I read from here, it dose support EAP-TTLS (PAP) .

Thanks, it's interesting that they mention PAP in the table but not in the explanation how to configure it later. I'll look into that and give it another try on monday.

 

[Alexander Long]

I did a little more search on this topic, looks like since back couples yrs ago, almost all mobile device has issues with TTLS-PAP (including iPhones blackberry, and I do remember I can't connect with Android for long time until one day it magically connected too) therefore all universities in Canada switched to more common PEAP MSChapv2 for both eduroam and their own secure network, some even just ditch their own, only have the unsecured one with eduroam replacing the secure one.

 

[Alexander Long]

I don't think TTLS-EAP ist a thing. Full version is EAP-TTLS/PAP, i.e. EAP-TTLS to authenticate to the network and then PAP to authenticate the user (if I recall that correctly). The problem lies in the PAP-part: I can enter my data, then windows asks me to accept the server certificate (i.e. the EAP-TTLS part seems to work) and after that it tells me the connection is not possible.

Thanks, it's interesting that they mention PAP in the table but not in the explanation how to configure it later. I'll look into that and give it another try on monday.

Hi, I am really cautious on this topic these days, since I also read some old pages from my school ITS support site, it did mention some thing like below:
"The recommended authentication protocols to use (EAP-PEAP with MS-CHAPv2) are given above, there are many other available combinations:
EAP-TTLS with CHAP, MS-CHAP and MS-CHAPv2 work and are also supported
EAP-TTLS with PAP is supported but strongly advised against (if used, the server must be authenticated by name and the certificate validated) as it may reveal your Network Access Token to third party sites
EAP-LEAP is not supported and will not work
EAP-FAST is not supported and will not work "
So if you don't mind , may I ask which Institute you are attending? And maybe the ITS support page link for eduroam?

 

[xbrtll]

Unfortunately the support pages are only in German, but I'll you a link anyway.

EAP-TTLS with PAP is supported but strongly advised against (if used, the server must be authenticated by name and the certificate validated) as it may reveal your Network Access Token to third party sites

My knowledge on the technical details is pretty limited, so I don't know if "may" means that it happens in practice and whether or not this would be a problem from a security or privacy point of view.

As my univerity provides a third WLAN I can use, the (maybe) missing TTLS/PAP-support is not that big of a problem to me, but it would be easier as I do not have to start VPN manually each time I connect to it. Or is this something my phone could do automatically?

 

[Alexander Long]

Sorry for not responding sonnet, I was away from campus for holiday until now. So today is did be able to connect my campus eduroam through TTLS too.
So click the table of EAP method, then you can chang eat from MS Chapv2 to TTLS. See if that would work with your university.

 

[xbrtll]

No, it does not. I can enter my username and password and am asked to accept the certificate. Then I'm told that authentication was not possible (I think that's due to the lack of PAP-support) and can reenter username and password once more before I get the message that the attempt to connect to eduroam has failed. See also attached screenshots.

 

[fusionfan]

You all have to understand that the authentication method is determined by your eduroam account PROVIDER, and NOT the location you are trying to use it. So if your home institute uses a method not possible to enable on your phone, it doesn't matter where you are, it is not going to work. Whereas if your home institute uses an other method it is going to work. I have the same issue: the institute supports EAP-TTLS / PAP, and while win 10 supports it, there is no way to enable it in W10M! You can push this setting using mobilde device management (which I / we don't have) but you cannot enable it. To repeat: the system supports it, you just cannot tell said system to use this specific method because nobody at Microsoft bothered to add a checkbox to the GUI since _YEARS_.

Since then, the institute had started supporting MS-CHAPv2, which again, does not work on my phone for some odd reason. Same error message all the time.

 

[Gjuro Kladaric]

neither of my windows phone 8.1 nor windows 10 mobile do work on our eduroam network. android does. iPhone does. so, just TTLS/PAP/certificate. end of story.