WPA2 Enterprise Authentication Without Certificate

Dear All,
I have a Wifi network with WPA2, a digital certificate, and EAP Protected EAP Authentication / RADIUS server Microsoft ISA.
I have tried with the latest Wifi PC driver to connect to the network, and I see that the PC connects using only the username and password, without configuring the certificate on the client!
After some Googling I found that I should additionally use per-user certificates and EAP-TLS to solve the problem. Is it true?
Best Regards,
Igor.

Hi ifabrizio,
It might be a bit concerning that you are able to connect to the network using only a user name and password!
EAP-TLS or PEAP solutions should be configured to leverage digital certificates for hardware trust identity.
Enable "Authenticate as computer when computer information is available" to turn on "Machine Authentication", AKA "Computer Authentication". Machine Authentication allows your PC to connect to the network by authenticating as "Computer" before a legitimate user logs in. This allows a machine to obtain group policies just as if it were connected to a wired network, and this is a unique feature of the Windows client.
If you don't have "Machine Authentication", your Group Policy will not function and non-cached users cannot log on to your machine even if they are given the proper permissions at the domain level. "Machine Authentication" is needed to recreate the full "wired" experience. For "Machine Authentication" to work, PEAP only requires that a computer is joined to the domain. The computer will use its "Computer Password" to log on to the network. Note that for EAP-TLS or PEAP-EAP-TLS (stronger alternatives to PEAP) to work, the computer must have a "Machine Certificate" installed from the Enterprise Root CA.
Hope this helps.
Jay

Similar Messages

  • iPad can't get on the internet via a WPA2 Enterprise setup

    I've seen some similar posts and no real answers. My office just got set up with wireless; it's Cisco gear and uses RADIUS to authenticate. What they told us to do on the Windows boxes was this:
    Connect to the SSID
    use WPA2 Enterprise Authentication
    TKIP Encryption
    Use PEAP Authentication
    Uncheck the "Validate Server Certificate"
    Authentication Method is EAP-MSCHAP v2 on the PEAP properties screen
    Following these instructions on Windows 7 I can get on the network.
    I tried this on my iPad:
    connected to the network
    selected WPA2 Enterprise
    It prompted me for my login/password
    I entered them....
    Then I got a certificate and it asked me to accept/install it, and I did
    Then it connects to the access point and gets a signal
    Even though I am connected and authenticated I can't get on the internet, and I get no IP address. Not a DHCP issue since other devices work.
    Any ideas on alternate configurations, or what I'd need to do with the iPhone Configuration Utility to get this working?

    "Unsupported" device - I've heard that before, too many times... =)
    So after thinking on everything you've tried, it's safe to say that your AP is running PEAPv0 with EAP-MSCHAPv2 for Authentication. This is good news - as it is probably the most widely used Enterprise WiFi configuration, iOS devices should absolutely be compatible with this. Getting a non-domain XP PC connected was a great idea, as I have discovered that Windows XP is kind of "loose" in the way it handles PEAP certificates - it will accept any certificate given to it by a RADIUS server without question. Undoubtedly a big security hole, but it does have the advantage of being "user friendly." I don't think Apple's implementation is quite as loose, so even though you are manually accepting one certificate, you probably need more to complete the chain of trust required for your device to authenticate the server. This is a requirement for PEAP to function.
    So at this point, I think your best bet would be to migrate over to the Credentials tab. If you're running the iPhone Config Utility on a PC which connects to the AP, you already have the certificates in your trusted certificate store - so simply hit the add button and add any relevant certificates. For example, if your domain is named "corporate", import any certificates bearing that domain. Once you've done this, head over to the Trust tab under WiFi and check off your newly imported certificates as being trusted for your connection.
    In addition, if you can figure out what the name of the RADIUS server on the other end of the AP is doing the authentication, add it under "Trusted Certificate Names" - if you don't know it, you can also add a wildcard like "*.corporate" to trust any servers in your domain. This shotgun approach is probably your best bet for making it go initially.
    You will know this is all working when you no longer get the dialog on your iPad to accept the certificate, and hopefully, you get an IP address.
    We're truly in the thick of it now, and this is my last idea - so if this does not work, we will need to call on those stronger than I with iOS networking... or, you can call up your IT department and start the conversation off with the words "I bet you can't figure this out" - that always gets IT people going =)
    Best of luck!
    Sources:
    http://howto.techworld.com/mobile-wireless/3451/use-peap-for-wireless-authentication/
    http://images.apple.com/ipad/business/pdf/iPadDeploymentScenarios.pdf

  • TS1398 Does iOS 6.1.1 support WPA2-Enterprise?

    Does iOS 6.1.1 on iPhone 4s support WPA2-Enterprise? If I choose "Other" under Wi-Fi I can enter domain credentials and password, but as soon as the phone goes to sleep it can no longer connect to wireless APs with WPA2-Enterprise authentication.

    Works fine here. Have you reset the network settings on the phone?

  • Nokia Belle - EAP-PEAP authentication without Cert...

    It's time for my half-yearly bickering about the continued non-support for EAP-PEAP authentication without server certificates on Symbian phones.
    Here is my last thread begging for help from Nokia when Anna was released:
    /t5/Software-Updates/EAP-PEAP-Authentication-without-Certificate-Is-it-fixed-in/td-p/1072133
    My question remains the same. Does the new Nokia Belle support EAP-PEAP authentication without the requirement that a server certificate be present?
    I have been living a life of ridicule and have become an object of jokes and punchlines in the office when it comes to the phone that I carry. Lots of people now don't even know that there is a company called Nokia. And when I tell them about it they say "Are you the guy carrying the phone that does not connect to our corporate network?".
    If you read that earlier thread you know that none of the exotic workarounds that some have been able to do work with my office, as our network administration has not installed any server certificate whatsoever on the access point.
    I am fed up with hearing from Nokia techs that this is supposed to be the secure and right way of doing things. When every other device, every smartphone, tablet and laptop supports this way of connecting to an EAP-PEAP access point, why does Nokia have to keep this stance?
    Nokia has kept everything open on the Nokia N8; it has everything that anyone can ask for in a smartphone, so why is Nokia so adamant on this small matter of not requiring a server certificate?
    Now that the WP7 line of Lumia devices is on the market, can someone tell me if the problem exists on those phones too? I won't be surprised if this restriction is still there.
    With Nokia going downhill so fast, this kind of attitude towards diehard Nokia followers does not help.
    Can someone from Nokia tech say once and for all if I can ever expect this thing to be fixed?
    raman

    ramany wrote:
    What should be an appropriate title for this thread? There was an older thread for the same that I started six months back when Anna was released. So I was expecting something to happen with Belle.
    If nothing happens I will probably start a new one when future updates to Symbian in Clara. Donna, Emma, Florina, Georgia, Hanna, Isabelle, Jenna, Kate, Linda, Marie, Nancy, Olivia, Patty, Quinn, Rita, Sabina, Terry, Uma, Vega, Wyome, Xandra, Yetta and Zoe are released.
    I hope Symbian (Nokia) lasts that long, but the support of this comes in Belle.
    I see no jokes yet... come on guys, isn't anyone subjected to jokes because of this?
    At least give me some so i can feed more to the one going around.
    Well, I believe the example of EAP-TTLS + PAP authentication isn't 'without certificates'... it does use certificates, but EAP-TTLS + PAP just doesn't happen to be a supported authentication method with recent Symbian phones.
    I'm not any sort of wireless authentication guru, but there's probably a better, more precise description of the authentication support (probably a few methods) that's currently missing in Symbian.
    And a couple more details for some wireless authentication methods... I believe Windows users typically have to grab a third-party 'securew2' utility to support some of the more robust (read better, more secure) authentication methods for some networks.
    I think one of the more valid arguments for EAP-TTLS + PAP in general, is that I believe it may be part of the 'Eduroam' standard, although MSCHAPv2 may also be substituted for PAP, IIRC... but again, I'm not a wireless authentication guru.
    In any case, if well-known, widely-implemented (or soon to be implemented, for good reason) authentication methods aren't supported in Symbian, it just makes Symbian look a bit ridiculous and irrelevant.
    Your previous thread was quite good, and it may make sense to keep bumping that thread for updates periodically. I noticed that someone mentioned an MSCHAPv2 scenario in that thread, but again... that's not actually helpful for resolving EAP-TTLS + PAP support, and I think that there's probably a concise way to describe the current 'missing authentication methods support' in Symbian.
    It continues to baffle me how Nokia seems to have such a quiet, secretive presence on these forums, when I think it would make much more sense to publicly acknowledge relevant threads/discussions, and make a statement about planned fixes, updates, etc... rather than just have people wonder if/when Nokia is paying any attention to the discussions here.

  • Android Client working on WPA2 PEAP without certificate loaded

    I am trying to figure out why the Android phone will work on our Cisco WPA2 Enterprise PEAP wireless when we use a custom internal certificate for authentication with our Cisco 1200 series APs, ACS 4.x, and AD user groups/accounts.
    The certificate is not loaded on the client, and from what I have learned it is very difficult to import an MS-generated certificate for use on it.
    I did debugs between my regular domain computer, which has the domain certificate, and the Android, and collected captures; see attachment tabs.
    I do see that the certificate is used somehow and I do see what looks like a ldap lookup.
    See the attached xls sheet with a debug tab for each the PC and the android.
    I stripped out any sensitive account/domain info for viewing.
    I'm not sure if this is a potential security loophole or not and welcome a discussion on this.

    Really?
    It's been a long time since I set this up and tested this and understood all the components. I just read up on it again and it appears you're correct that PEAP only requires the server (ACS) side cert and the user's credentials are protected during logon within MSCHAPv2.
    If I recall, when I set up our environment, we had to install our domain cert on Pocket PCs (warehouse scanners) to get them to work with PEAP, as the cert was not from a default trusted publisher. I don't understand why this was an issue then. Any ideas?
    Our AD client computers all get the root cert by default, and all we do is push the wireless setting to the client by GP.
    I was under the impression that we were protected by the client requiring the domain cert, and that pocket PC's, and other rogue wireless devices would not work without them. So how to best control rogue devices without using some NAP system?

  • Can we still use PEAP-MSCHAPV2 for authenticating to a WPA2-Enterprise network?

    L.S,
    For authenticating to a BYOD wireless network a lot of companies use WPA2-Enterprise connected to a Microsoft IAS/NPS server to authenticate against Active Directory. There seems to be a way to intercept this wireless traffic using a rogue access point with the same (company) SSID name and tools like freeradius-WPE and cloudcracker.
    If the BYOD client doesn't check the certificate provided by the fake RADIUS server, the MSCHAPv2 negotiation can be discovered and the hacker will get the username AND hashed password, which can be looked up on rainbow table sites like cloudcracker.
    Is there still a safe way to deploy AD-authentication to BYOD clients?
    Kind Regards,
    Arjen

    I have tested the WPA2-enterprise/PEAP-MSCHAPv2 exploit this week, placing a laptop in my car on the company parking lot with a Kali image, using hostap and freeradius-wpe configured with the company SSID. It was very easy to find out the MSCHAPv2 challenge/responses of a number of Android/Windows phones that were just walking past my car. Also iPhone has a bad WPA2-enterprise implementation (see: http://research.edm.uhasselt.be/~bbonne/docs/robyns14wpa2enterprise.pdf), so bye bye WPA2-enterprise/PEAP-MSCHAPv2.
    Wonder what other (large) companies are using for their BYOD wireless networks! EAP-TLS using certificate sounds like the only feasible option, however, we are afraid that the enrolment of certificates to the BYOD-clients will be a total disaster. I heard stories that some android phones lose their client certificate after a reboot :(
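    The opening question (why a PEAP client connects with only a username and password), Jay's reply, the iPad thread's chain-of-trust advice and this BYOD thread all come down to one client-side setting: whether the supplicant validates the RADIUS server's certificate before it sends MSCHAPv2 credentials through the tunnel. The following audit of wpa_supplicant `network={ ... }` blocks is an added example, not code from any poster or vendor in the thread; it flags profiles that would accept any RADIUS certificate, which is exactly the condition Arjen describes. The sample configuration, SSIDs, file paths, domain names and credentials are constructed placeholders; the option names (`ca_cert`, `ca_path`, `domain_suffix_match`, `domain_match`, `altsubject_match`, `anonymous_identity`, `client_cert`, `private_key`) are real wpa_supplicant options.

```python
"""Audit wpa_supplicant network blocks for RADIUS server-certificate validation.

Added example (not from the thread). Parses the `network={ ... }` block syntax
of wpa_supplicant.conf; the sample below is constructed, all values are
placeholders. Values containing '#' are not handled (treated as comments).
"""
import re

SAMPLE_CONF = """
# Weak: no CA and no server name pinned -> any RADIUS certificate is accepted
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# Hardened: CA pinned, server name pinned, real username hidden in the tunnel
network={
    ssid="CorpWiFi-Secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@corp.example"
    identity="jdoe@corp.example"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/corp-root.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}

# EAP-TLS: mutual certificate authentication, no password at all
network={
    ssid="CorpWiFi-TLS"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="laptop-0042@corp.example"
    ca_cert="/etc/ssl/certs/corp-root.pem"
    domain_suffix_match="radius.corp.example"
    client_cert="/etc/wpa/laptop.crt"
    private_key="/etc/wpa/laptop.key"
}
"""

BLOCK_START = re.compile(r"network\s*=\s*\{")
TUNNELED = {"PEAP", "TTLS", "FAST"}          # methods whose inner auth rides inside TLS
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match")


def parse_networks(conf: str) -> list:
    """Return one dict per network block; quotes around values are stripped."""
    networks, current = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if current is None:
            if BLOCK_START.fullmatch(line):
                current = {}
            continue
        if line == "}":
            networks.append(current)
            current = None
            continue
        key, _, value = line.partition("=")   # split on the first '=' only
        current[key.strip()] = value.strip().strip('"')
    return networks


def audit_network(net: dict) -> list:
    """Findings for one block; an empty list means the profile is acceptable."""
    if not any(t.startswith("WPA-EAP") for t in net.get("key_mgmt", "").split()):
        return ["not an 802.1X/EAP profile (key_mgmt)"]
    findings = []
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no ca_cert: any RADIUS server certificate is accepted")
    if not any(k in net for k in SERVER_NAME_KEYS):
        findings.append("no server name match: any certificate issued by the CA is accepted")
    eap = net.get("eap", "").upper()
    if eap in TUNNELED:
        if "anonymous_identity" not in net:
            findings.append("no anonymous_identity: real username visible in the outer EAP identity")
    elif eap == "TLS":
        findings.extend(f"EAP-TLS profile lacks {k}" for k in ("client_cert", "private_key") if k not in net)
    else:
        findings.append(f"unrecognised EAP method {eap!r}")
    return findings


def audit(conf: str) -> dict:
    """Map each SSID to its findings."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}


if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(ssid, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

The second check matters as much as the first: with `ca_cert` alone, every certificate chaining to that CA passes, so if the CA is a public one, pinning the server name is what actually stops an impostor. `anonymous_identity` keeps the real account name out of the unencrypted outer EAP-Identity exchange, which is all an eavesdropper sees of a correctly configured PEAP client.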

  • HT4718 wpa2 enterprise 802.11x protocol with pap authentication.  Lion Reformat

    My school has only WPA2 Enterprise 802.11x protocol with PAP authentication. Due to this I can not reinstall Lion as a fresh copy. I realized that I can download Lion again from the App Store. Can it do a fresh install?

    I am having exactly the same problem as ecko04. I also tried to install the certificate provided by my university but it failed. Could somebody help us out? Thanks

  • Certificate renewal with WPA2-Enterprise PEAP MS-CHAPv2

    Hello
    We have a wireless network which is secured with WPA2-Enterprise with PEAP and MS-CHAPv2. The Radius servers (Windows Server 2008r2 with the Radius Feature installed) currently use a public signed certificate. This is about to expire soon and will need to be renewed.
    The clients are non-managed and from all variety (OS, wifi-software, ...).
    The Wifi is 4400 controller based and managed with the new Prime Infrastructure 1.3.
    What is the best way to do the renewal with as little disturbance for the client as possible? The less manual interaction for the end user the better.
    Thanks
    Patrick

    Hello Patrick,
    As per your query I can suggest the following steps:
    Since the root CA is the most critical CA in the hierarchy, you may prefer to have a strategy here that reduces the need to renew the root certificate often.
    The first consideration is choosing the key length of the root's public key and private key pair during setup of the root authority. By using a long key length, which is generally more secure against brute force attack than a shorter key length, you increase the length of time that the CA can use the same private key and have reasonable confidence that it has not been compromised. The second consideration is establishing the validity period of the root certificate itself. In general, you will want to create a root certificate that has a shorter validity period than the estimated lifetime of the key.
    For more information you can refer to the link:
    http://technet.microsoft.com/en-us/library/cc740209(v=ws.10).aspx
    Hope this will help you.

  • WAP4410N WPA2 Enterprise Mixed authentication problem against Cisco ACS 4.2

    We have 3 x WAP4410N at new office setup in Singapore.
    Customer asked us to setup those 3 AP to make client auth against an ACS 4.2 sitting in US office.
    All the user notebooks were joined to Windows domain in US office, before sent out to Singapore office.
    We configured the APs with WPA2 Enterprise Mixed mode and entered the RADIUS server address and secrets correctly.
    Logging from ACS shows that users are authenticated successfully, but on the user notebooks authentication never seems successful and keeps re-authenticating.
    We have tried the other option (RADIUS) but the problem persists.
    Please help.

    Hi Robert,
    Firmware version is 2.0.4.2.
    We have tested with WPA-personal, WPA2-personal and all worked.
    For enterprise, we have tested using WPA-ent, WPA2-ent, WPA2-ent-mixed and RADIUS.
    All did not work.
    Client keeps flapping between auth and validation.
    ACS logs showed that auth OK.
    Syslog from the AP showed that the client was associated, but it happened repeatedly.
    <134>Oct 28 16:13:27 MVIS-SG-AP01 kernel: [sg-internal][A0:88:B4:40:41:D4] Open Authentication    10.200.4.12    28/10 16:13:28.720   
    <134>Oct 28 16:13:27 MVIS-SG-AP01 kernel: [sg-internal][A0:88:B4:40:41:D4] Associated    10.200.4.12    28/10 16:13:28.720   
    <134>Oct 28 16:13:29 MVIS-SG-AP01 kernel: [][A0:88:B4:40:41:D4] SUBTYPE_AUTH    10.200.4.12    28/10 16:13:30.720   
    <134>Oct 28 16:13:29 MVIS-SG-AP01 kernel: [sg-internal][A0:88:B4:40:41:D4] Open Authentication    10.200.4.12    28/10 16:13:30.720   
    <134>Oct 28 16:13:29 MVIS-SG-AP01 kernel: [sg-internal][A0:88:B4:40:41:D4] Associated    10.200.4.12    28/10 16:13:30.736   
    <134>Oct 28 16:13:31 MVIS-SG-AP01 kernel: [][A0:88:B4:40:41:D4] SUBTYPE_AUTH    10.200.4.12    28/10 16:13:32.689   
    Below is the diagram for your kind ref.
          US Office          Site-to-Site VPN    SG Office 
    ACS --- ASA ------------ Internet ------------ ASA5505 ------ 2960 PoE SW ----- 3 x WAP4410N
                                                                                                       \ \___ DNS/DHCP Server
                                                                                                        \____ Wired Clients
    Note: SG office ASA is 5505 and outside interface is on Vlan 2, inside interface is on Vlan 1. 2960 switch is configured with all ports in Vlan 2. Vlan feature on WAP4410N is disabled. Layer3 communication among US office ACS, SG office ASA5505, DHCP server and WAP4410N is fine. All wired clients in SG office get IP from DHCP server. I feel this is a bit odd and you may need to know.
    Do feel free to let me know, should you need further input from me. Thanks!
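    The syslog excerpt above is a classic signature: ACS accepts the user, yet the AP logs the same client going through open authentication and association every two seconds, which means the 802.1X/EAP exchange and the 4-way key handshake that follow association are never completing. The script below is an added example (not code from the thread or from Cisco) that parses lines in that WAP4410N kernel-syslog format and reports clients that re-associate repeatedly inside a short window; the hostname, MAC addresses, IPs and sample lines are constructed placeholders.

```python
"""Flag 802.11 clients that keep re-associating without ever settling.

Added example (not from the thread). Parses WAP4410N-style kernel syslog
lines; the sample below is constructed with placeholder host/MAC/IP values.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^<\d+>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[(?P<ssid>[^\]]*)\]\[(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\] "
    r"(?P<event>.+?)\s{2,}(?P<ip>\S+)"
)

# Constructed sample: client ...:01 cycles open-auth/associate every ~2 s,
# client ...:02 associates once and stays.
SAMPLE_SYSLOG = """\
<134>Oct 28 16:13:27 AP01 kernel: [sg-internal][02:00:00:00:00:01] Open Authentication    10.0.0.12    28/10 16:13:28.720
<134>Oct 28 16:13:27 AP01 kernel: [sg-internal][02:00:00:00:00:01] Associated    10.0.0.12    28/10 16:13:28.720
<134>Oct 28 16:13:29 AP01 kernel: [][02:00:00:00:00:01] SUBTYPE_AUTH    10.0.0.12    28/10 16:13:30.720
<134>Oct 28 16:13:29 AP01 kernel: [sg-internal][02:00:00:00:00:01] Open Authentication    10.0.0.12    28/10 16:13:30.720
<134>Oct 28 16:13:29 AP01 kernel: [sg-internal][02:00:00:00:00:01] Associated    10.0.0.12    28/10 16:13:30.736
<134>Oct 28 16:13:31 AP01 kernel: [][02:00:00:00:00:01] SUBTYPE_AUTH    10.0.0.12    28/10 16:13:32.689
<134>Oct 28 16:13:31 AP01 kernel: [sg-internal][02:00:00:00:00:01] Open Authentication    10.0.0.12    28/10 16:13:32.700
<134>Oct 28 16:13:31 AP01 kernel: [sg-internal][02:00:00:00:00:01] Associated    10.0.0.12    28/10 16:13:32.710
<134>Oct 28 16:13:40 AP01 kernel: [sg-internal][02:00:00:00:00:02] Open Authentication    10.0.0.12    28/10 16:13:41.100
<134>Oct 28 16:13:40 AP01 kernel: [sg-internal][02:00:00:00:00:02] Associated    10.0.0.12    28/10 16:13:41.100
"""


def parse_ap_syslog(text: str) -> list:
    """Parse each matching line into a dict with a datetime, MAC, SSID and event."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine for computing deltas inside one capture
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append({"ts": ts, "mac": m.group("mac").upper(),
                       "ssid": m.group("ssid"), "event": m.group("event")})
    return events


def detect_flapping(text: str, min_assoc: int = 3, window_s: int = 60) -> dict:
    """Return {mac: n} for clients with at least min_assoc associations in window_s.

    The AP only logs the 802.11 open-auth/association steps; the 802.1X/EAP
    exchange and the 4-way handshake run after association, so a client that
    re-associates every few seconds never got through them.
    """
    per_mac = defaultdict(list)
    for ev in parse_ap_syslog(text):
        if ev["event"] == "Associated":
            per_mac[ev["mac"]].append(ev["ts"])
    flapping = {}
    for mac, times in per_mac.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_assoc:
            flapping[mac] = best
    return flapping


if __name__ == "__main__":
    for mac, n in detect_flapping(SAMPLE_SYSLOG).items():
        print(f"{mac}: {n} associations within 60 s; 802.1X/key exchange never completing")
```

Run against a real export, the interesting clients are the ones listed here while the RADIUS server shows Access-Accept for them: that combination points at what happens between Access-Accept and the key handshake (the AP/controller side), not at the user's credentials.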

  • Installation of certificates for WPA2-Enterprise?

    Can someone please tell me where I can find the instructions on how to install certificates required for WPA2-Enterprise WLAN support?
    Thanks.
    --Philip

    Hi,
    I don't know what you want, but first you must install the library for ASMlib.
    there is link to libraries
    http://www.oracle.com/technology/software/tech/linux/asmlib/rhel5.html
    Regards,
    Tom
    http://oracledba.cz

  • WiFi WPA2 enterprise

    I'm encountering a problem setting up a WiFi WPA2 Enterprise network on my iPhone 4s. I set it up using the iPhone Configuration Utility and the settings are correct. The problem is that the connection doesn't work. I'm sure the settings are correct because I set up the same WiFi on the Airbook with Lion, and the parameters and certificates used for authentication are exactly the same. Any idea why it doesn't work on the iPhone?
    Below is some of the log file.
    Thanks
    andrea
    Jan 11 16:14:18 Scoia-Aifone Preferences[558] <Warning>: -[VPNBundleController _vpnConfigurationChanged:] (0xde41320:<VPNBundleController: 0xde41320>): _serviceCount(1), serviceCount(1), toggleInRootMenu(1), RootMenuItem(1)
    Jan 11 16:14:20 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setDISASSOCIATE() [wifid]:
    Jan 11 16:14:20 Scoia-Aifone timed[679] <Notice>: (Note ) CoreTime: Not setting system time to 01/11/2012 15:14:20 from NTP because time is unchanged
    Jan 11 16:14:20 Scoia-Aifone eapolclient[680] <Notice>: en0 START
    Jan 11 16:14:20 Scoia-Aifone timed[679] <Notice>: (Note ) CoreTime: Not setting time zone to Europe/Rome from Location
    Jan 11 16:14:21 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setASSOCIATE() [wifid]:  lowerAuth = AUTHTYPE_OPEN, upperAuth = AUTHTYPE_WPA_8021X, key = CIPHER_NONE    , 802.1X .
    Jan 11 16:14:21 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANJoinManager::handleAssoc(): status = 2, reason = 0, flags = 0x0, authtype = 0, addr = 00:3a:98:7d:ee:30
    Jan 11 16:14:21 Scoia-Aifone wifid[29] <Error>: WiFi:[347987661.158384]: Processing link event UP
    Jan 11 16:14:21 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANJoinManager::handleAssoc(): status = 2, reason = 0, flags = 0x0, authtype = 0, addr = 00:3a:98:7d:ee:30
    Jan 11 16:14:21 Scoia-Aifone kernel[0] <Debug>: [14591.399631250]: AppleBCMWLANNetManager::prepareToBringUpLink(): Delaying powersave entry in order to get an IP address
    Jan 11 16:14:21 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLAN Joined BSS:     @ 0xc0bc4000, BSSID = 00:3a:98:7d:ee:30, rssi = -73, rate = 54 (100%), channel = 6, encryption = 0x4, ap = 1, failures = 0, age = 1, ssid[ 6] = "WIFI3D"
    Jan 11 16:14:21 Scoia-Aifone kernel[0] <Debug>: AirPort: Link Up on en0
    Jan 11 16:14:21 Scoia-Aifone kernel[0] <Debug>: en0: BSSID changed to 00:3a:98:7d:ee:30
    Jan 11 16:14:21 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore:startRoamScan(): 2843 Delaying RoamScan; because  Join Mgr Busy 0 isWaitingforIP 1
    Jan 11 16:14:22 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK, index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
    Jan 11 16:14:24 Scoia-Aifone mDNSResponder[47] <Error>: mDNS_RegisterInterface: Frequent transitions for interface en0 (FE80:0000:0000:0000:F2CB:A1FF:FECB:ED60)
    Jan 11 16:14:26 Scoia-Aifone UserEventAgent[12] <Warning>: Unable to cancel system wake for 2012-01-11 16:14:11 +0100. IOPMCancelScheduledPowerEvent() returned 0xe00002c2
    Jan 11 16:14:27 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANNetManager::checkRealTimeTraffic(): set roam parameters: counters Rx:1204 Tx:22
    Jan 11 16:14:28 Scoia-Aifone eapolclient[680] <Notice>: en0 TLS: authentication failed with status 1
    Jan 11 16:14:28 Scoia-Aifone wifid[29] <Error>: WiFi:[347987668.238433]: Network WIFI3D Both autojoin and user join dates are NULL
    Jan 11 16:14:28 Scoia-Aifone wifid[29] <Error>: WiFi:[347987668.246099]: Processing link event DOWN
    Jan 11 16:14:28 Scoia-Aifone eapolclient[680] <Notice>: en0 STOP
    Jan 11 16:14:28 Scoia-Aifone eapolclient[681] <Notice>: en0 START
    Jan 11 16:14:28 Scoia-Aifone Preferences[558] <Warning>: -[VPNBundleController _vpnConfigurationChanged:] (0xde41320:<VPNBundleController: 0xde41320>): _serviceCount(1), serviceCount(1), toggleInRootMenu(1), RootMenuItem(1)
    Jan 11 16:14:28 Scoia-Aifone wifid[29] <Error>: WiFi:[347987668.683288]: Processing link event UP
    Jan 11 16:14:28 Scoia-Aifone UserEventAgent[12] <Warning>: Unable to cancel system wake for 2012-01-11 16:14:18 +0100. IOPMCancelScheduledPowerEvent() returned 0xe00002c2
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANNetManager::handleDeauth(): status = 0, reason = 23, flags = 0x0, authtype = 0, addr = 00:3a:98:7d:ee:30
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK, index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANNetManager::leaveNetworkAsync(): kDeauthdCurrNetwork already set. Skipping call to leaveNetworkASync
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLAN Left BSS:       @ 0xc0bc4000, BSSID = 00:3a:98:7d:ee:30, rssi = -77, rate = 54 (100%), channel = 6, encryption = 0x4, ap = 1, failures = 0, age = 8, ssid[ 6] = "WIFI3D"
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AirPort: Link Down on en0. Reason 1 (Unspecified).
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setDISASSOCIATE() [wifid]:
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setASSOCIATE() [wifid]:  lowerAuth = AUTHTYPE_OPEN, upperAuth = AUTHTYPE_WPA_8021X, key = CIPHER_NONE    , 802.1X .
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: [14598.930095541]: AppleBCMWLANNetManager::prepareToBringUpLink(): Delaying powersave entry in order to get an IP address
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLAN Joined BSS:     @ 0xc0bc4000, BSSID = 00:3a:98:7d:ee:30, rssi = -77, rate = 54 (100%), channel = 6, encryption = 0x4, ap = 1, failures = 0, age = 8, ssid[ 6] = "WIFI3D"
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AirPort: Link Up on en0
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: en0: BSSID changed to 00:3a:98:7d:ee:30
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore:startRoamScan(): 2843 Delaying RoamScan; because  Join Mgr Busy 0 isWaitingforIP 1
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK, index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
    Jan 11 16:14:31 Scoia-Aifone eapolclient[681] <Notice>: en0 TLS: authentication failed with status 1
    Jan 11 16:14:31 Scoia-Aifone wifid[29] <Error>: WiFi:[347987671.532160]: Network WIFI3D Both autojoin and user join dates are NULL
    Jan 11 16:14:31 Scoia-Aifone eapolclient[681] <Notice>: en0 STOP
    Jan 11 16:14:31 Scoia-Aifone wifid[29] <Error>: WiFi:[347987671.542420]: Processing link event DOWN
    Jan 11 16:14:31 Scoia-Aifone UserEventAgent[12] <Warning>: Unable to cancel system wake for 2012-01-11 16:14:18 +0100. IOPMCancelScheduledPowerEvent() returned 0xe00002c2
    Jan 11 16:14:31 Scoia-Aifone eapolclient[682] <Notice>: en0 START
    Jan 11 16:14:31 Scoia-Aifone Preferences[558] <Warning>: -[VPNBundleController _vpnConfigurationChanged:] (0xde41320:<VPNBundleController: 0xde41320>): _serviceCount(1), serviceCount(1), toggleInRootMenu(1), RootMenuItem(1)
    Jan 11 16:14:31 Scoia-Aifone wifid[29] <Error>: WiFi:[347987671.974798]: Processing link event UP
    Jan 11 16:14:31 Scoia-Aifone UserEventAgent[12] <Warning>: Unable to cancel system wake for 2012-01-11 16:14:21 +0100. IOPMCancelScheduledPowerEvent() returned 0xe00002c2
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK, index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANNetManager::handleDeauth(): status = 0, reason = 23, flags = 0x0, authtype = 0, addr = 00:3a:98:7d:ee:30
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANNetManager::leaveNetworkAsync(): kDeauthdCurrNetwork already set. Skipping call to leaveNetworkASync
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLAN Left BSS:       @ 0xc0bc4000, BSSID = 00:3a:98:7d:ee:30, rssi = -77, rate = 54 (100%), channel = 6, encryption = 0x4, ap = 1, failures = 0, age = 11, ssid[ 6] = "WIFI3D"
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AirPort: Link Down on en0. Reason 1 (Unspecified).
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setDISASSOCIATE() [wifid]:
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setASSOCIATE() [wifid]:  lowerAuth = AUTHTYPE_OPEN, upperAuth = AUTHTYPE_WPA_8021X, key = CIPHER_NONE    , 802.1X .
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: [14602.222531083]: AppleBCMWLANNetManager::prepareToBringUpLink(): Delaying powersave entry in order to get an IP address
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLAN Joined BSS:     @ 0xc0bc4000, BSSID = 00:3a:98:7d:ee:30, rssi = -77, rate = 54 (100%), channel = 6, encryption = 0x4, ap = 1, failures = 0, age = 12, ssid[ 6] = "WIFI3D"
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AirPort: Link Up on en0
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: en0: BSSID changed to 00:3a:98:7d:ee:30
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore:startRoamScan(): 2843 Delaying RoamScan; because  Join Mgr Busy 0 isWaitingforIP 1
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK, index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
    Jan 11 16:14:34 Scoia-Aifone eapolclient[682] <Notice>: en0 TLS: authentication failed with status 1
    Jan 11 16:14:34 Scoia-Aifone wifid[29] <Error>: WiFi:[347987674.708487]: Network WIFI3D Both autojoin and user join dates are NULL
    Jan 11 16:14:34 Scoia-Aifone wifid[29] <Error>: WiFi:[347987674.716635]: Processing link event DOWN
    Jan 11 16:14:34 Scoia-Aifone UserEventAgent[12] <Warning>: Unable to cancel system wake for 2012-01-11 16:14:21 +0100. IOPMCancelScheduledPowerEvent() returned 0xe00002c2
    Jan 11 16:14:34 Scoia-Aifone eapolclient[682] <Notice>: en0 STOP
    Jan 11 16:14:35 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANNetManager::handleDeauth(): status = 0, reason = 23, flags = 0x0, authtype = 0, addr = 00:3a:98:7d:ee:30
    Jan 11 16:14:35 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK, index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
    Jan 11 16:14:35 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANNetManager::leaveNetworkAsync(): kDeauthdCurrNetwork already set. Skipping call to leaveNetworkASync
    Jan 11 16:14:35 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLAN Left BSS:       @ 0xc0bc4000, BSSID = 00:3a:98:7d:ee:30, rssi = -76, rate = 54 (100%), channel = 6, encryption = 0x4, ap = 1, failures = 0, age = 14, ssid[ 6] = "WIFI3D"
    Jan 11 16:14:35 Scoia-Aifone kernel[0] <Debug>: AirPort: Link Down on en0. Reason 1 (Unspecified).
    Jan 11 16:14:37 Scoia-Aifone mDNSResponder[47] <Error>: DeregisterInterface: Frequent transitions for interface en0 (FE80:0000:0000:0000:F2CB:A1FF:FECB:ED60)
    Jan 11 16:14:39 Scoia-Aifone UserEventAgent[12] <Warning>: Unable to cancel system wake for 2012-01-11 16:14:24 +0100. IOPMCancelScheduledPowerEvent() returned 0xe00002c2
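    The repeating pattern in that log (`eapolclient ... START`, `TLS: authentication failed with status 1`, `STOP`, then a kernel `handleDeauth()` with `reason = 23`) is worth reading mechanically, because it says where the join dies: in the TLS phase of EAP, before any inner credential is exchanged, after which the network deauthenticates the client with the 802.11 reason code for "IEEE 802.1X authentication failed". The script below is an added example (not code from the thread or from Apple) that groups eapolclient lines into attempts by PID, decodes the deauth reason codes from the IEEE 802.11 table, and returns a coarse verdict; the sample lines, hostname, PIDs and BSSID are constructed placeholders.

```python
"""Classify failed 802.1X joins from iOS/macOS eapolclient and kernel log lines.

Added example (not from the thread). Line formats follow the log quoted above;
the sample is constructed with placeholder host, PIDs and BSSID. Reason code
meanings come from the IEEE 802.11 standard.
"""
import re
from collections import Counter, OrderedDict

# Subset of IEEE 802.11 deauthentication reason codes relevant to an EAP join.
REASON_CODES = {
    1: "Unspecified",
    2: "Previous authentication no longer valid",
    3: "Station is leaving (deauthenticated)",
    15: "4-way handshake timeout",
    16: "Group key handshake timeout",
    23: "IEEE 802.1X authentication failed",
}

EAPOL_RE = re.compile(r"eapolclient\[(?P<pid>\d+)\] <\w+>: (?P<ifname>\w+) (?P<msg>.+?)\s*$")
DEAUTH_RE = re.compile(r"handleDeauth\(\): status = \d+, reason = (?P<reason>\d+)")

SAMPLE_LOG = """\
Jan 11 16:14:20 phone eapolclient[680] <Notice>: en0 START
Jan 11 16:14:21 phone kernel[0] <Debug>: AirPort: Link Up on en0
Jan 11 16:14:28 phone eapolclient[680] <Notice>: en0 TLS: authentication failed with status 1
Jan 11 16:14:28 phone eapolclient[680] <Notice>: en0 STOP
Jan 11 16:14:28 phone eapolclient[681] <Notice>: en0 START
Jan 11 16:14:29 phone kernel[0] <Debug>: AppleBCMWLANNetManager::handleDeauth(): status = 0, reason = 23, flags = 0x0, authtype = 0, addr = 02:00:00:00:00:aa
Jan 11 16:14:31 phone eapolclient[681] <Notice>: en0 TLS: authentication failed with status 1
Jan 11 16:14:31 phone eapolclient[681] <Notice>: en0 STOP
Jan 11 16:14:31 phone eapolclient[682] <Notice>: en0 START
Jan 11 16:14:32 phone kernel[0] <Debug>: AppleBCMWLANNetManager::handleDeauth(): status = 0, reason = 23, flags = 0x0, authtype = 0, addr = 02:00:00:00:00:aa
Jan 11 16:14:34 phone eapolclient[682] <Notice>: en0 TLS: authentication failed with status 1
Jan 11 16:14:34 phone eapolclient[682] <Notice>: en0 STOP
"""


def summarize(log_text: str) -> dict:
    """One attempt per eapolclient PID (START ... STOP); count TLS failures and deauth reasons."""
    attempts = OrderedDict()
    deauths = Counter()
    for line in log_text.splitlines():
        m = EAPOL_RE.search(line)
        if m:
            a = attempts.setdefault(m.group("pid"), {"tls_failed": False, "stopped": False})
            msg = m.group("msg")
            if msg.startswith("TLS: authentication failed"):
                a["tls_failed"] = True  # EAP's TLS phase died before any inner credential was sent
            elif msg == "STOP":
                a["stopped"] = True
            continue
        m = DEAUTH_RE.search(line)
        if m:
            deauths[int(m.group("reason"))] += 1
    return {
        "attempts": len(attempts),
        "tls_failures": sum(a["tls_failed"] for a in attempts.values()),
        "deauth_reasons": {code: (n, REASON_CODES.get(code, "unknown"))
                           for code, n in deauths.items()},
    }


def verdict(summary: dict) -> str:
    """Coarse classification a help-desk script could act on."""
    if summary["attempts"] and summary["tls_failures"] == summary["attempts"]:
        # Every attempt failed inside the TLS handshake: look at certificate trust
        # and TLS settings on client and RADIUS server, not at the password.
        return "tls_handshake_failed"
    if 23 in summary["deauth_reasons"]:
        return "dot1x_rejected"
    return "inconclusive"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s)
    print("verdict:", verdict(s))
```

For Andrea's case the verdict is `tls_handshake_failed` on every attempt, which is the part of the join where the profile's certificates are used; comparing the certificate and trust payloads of the iPhone profile with the Lion configuration that works is therefore the first place to look.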

    I did see those screenshots however that settings screen comes from selecting the Configure button next to the Authentication Method in the User Authentication section under Users.  In each of your screenshots, the RADIUS Server ID number is 1 so I would also ensure that I've configured RADIUS Server ID 1 which can only be configured by going to Users -> RADIUS Servers.
    All that said, I did see that your tests succeeded, and I also don't understand the point of having RADIUS settings on the other screens and then having RADIUS ID info. My thinking is that you would be able to configure RADIUS once in the Users -> RADIUS Servers screen and then select the RADIUS Server ID in all the remaining screens without having to enter the RADIUS info over and over again. I would also think that you could skip the Users -> RADIUS Servers screen and enter the RADIUS information over and over again and it should work... just like you set it up originally. However, based on past experience of programmatic errors, I would recommend configuring the RADIUS Server ID 1 under Users -> RADIUS Servers if you haven't already... just in case.
    Shawn Eftink
    CCNA/CCDA
    Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

  • WPA2 Enterprise connections don't work

    Hi everyone,
    Configuration: MacBook Pro 7,1, 2,4GHz, Mac OS X 10.6.5.
    Three user accounts (one for me, two for friend's backup), two of them have admin rights. I'm using one of these accounts.
    I'm having a strange issue with *WPA2 Enterprise*-based access points, namely, the private one on my university's campus, and the eduroam one. Eduroam is, roughly, an SSID that is available in participating institutions worldwide, and allows connection from personnel registered in any of these institutions without having to ask for a guest access.
    On eduroam, one is supposed to select the eduroam SSID in the list of network available, select "Security: WPA2 Enterprise", and type his institutional email address as a username. "Password" should remain blank for now, and in front of the "802.1X", select "Auto". On clicking the "Connect" button for the first time, a "Check certificate" dialog should appear with three buttons, "Display", "Cancel", "Continue", where one would click "Continue". Finally, a "802.1X authentication" dialog would appear, when a user would put his email address as username, and type in his institutional password to log in. Then, the user would be online without further fuss.
    On my university network, it's even simpler. One should select it, type in the IT login, then the corresponding password, before being allowed to be online.
    On my normal user account, I never get the "Check certificate" dialog for eduroam, and on the uni's network, it never seems to connect. Ultimately, I get the exclamation point over the wireless waves, meaning that the card self-assigned an IP. Then it tries to connect again (the icon is waving), then fails again. No other authentication is affected, and a quick look in the logs doesn't show anything salient.
    On the other user account, the connection to either of these SSID works as written, on the first try.
    So it's no hardware issue.
    I first tried to create a new wireless profile, and recreate the connection. It failed, once again, for both networks.
    So to the Genius Bar I went. Since it's a login issue, we deleted the ~/Library/Keychains/login.keychain item, rebooted. Since the issue couldn't be reproduced in store, he advised me to delete the "session" keychain and reboot if the problem persisted. He asked me if the computer crashed while I was logged in anywhere in the past (before 10.6.5), and yes I said, adding that I let AppleJack do the automated repair. He checked with a colleague, on a tech forum, spent 30 min with me, but came back with the dreaded conclusion that, at least in that store, they ended up doing what he named "partial restore" to correct a similar issue, in contrast to "archive and install".
    Off to the uni I went, and recreating the connection failed again. In Keychain Access, I then removed the session keychain, with both the references and files (default is reference only), since they referred to passwords I already knew, rebooted, logged in, and tried to connect, to no avail. The other user account still works.
    What else should I try? Ironically enough, I reinstalled OS X more times in two years than I did Windows in eight, and want to avoid the time-consuming step of reinstalling applications, and the very tricky part - ownership issues - of manually importing documents and only selected settings.

    I was chasing a similar authentication issue on OS X ≥ 10.5.8 for quite some weeks. My setup does use MS 2008 Server (AD, NPS, Radius) and SonicWall SonicPoint (multi SSID on VLAN).
    When I started evaluating the different options, I didn't realize such issues. But when it came to the final usage guidelines I had serious issues connecting with Mac OS X to the WPA2 Enterprise Network (BlackBerry and iOS was never an issue)!
    I finally did work out that you can only authenticate once successfully if you use the "Ask to join networks" popup - instead I had to select the network manually from the AirPort menu, provide my credentials and select "remember this network" to store the network and its RADIUS profile! I guess this behavior may have something to do with the credentials stored/reused in/from the keychain for the second login.
    Also, I did notice you have to make sure you quit your system preferences each time you expect a change due to newly stored networks or radius profiles!
    Hope this may help other users to troubleshoot similar issues!

  • Cannot connect to WIFI with WPA2 enterprise security

    I'm currently trying to switch my Wifi from WPA2 Personal to WPA2 Enterprise using a dd-wrt flashed TP-Link router and a Synology Diskstation as the RADIUS server. The diskstation also creates the CA certificate which I can download from there for all client devices.
    Configuration on the side of the router appears to be fine, I've entered all the details for RADIUS authentication and left "WPA Algorithms" at its default setting "TKIP", other options being ("AES" and "TKIP+AES"). I said it appears to be fine because my Android phone connection is established successfully using the following (default) parameters:
    EAP method: PEAP
    Phase 2 Auth: NONE (also works with MSCHAPV2, and probably other options)
    CA cert: unspecified (didn't download it to smartphone, must be fetched automatically from router I guess)
    User cert: unspecified
    Identity: myDiskstationUsername
    Anonymous Identity: (blank)
    Password: myDiskstationPassword
    So far, so good... I still cannot manage to get a connection from my laptop running Arch. Preferred method would be via "wicd". The best match seems to be the following configuration profile:
    name = PEAP with TKIP/MSCHAPV2
    author = Fralaltro
    version = 1
    require identity *Identity password *Password
    optional ca_cert *Path_to_CA_Cert
    protected password *Password
    ctrl_interface=/var/run/wpa_supplicant
    network={
    ssid="$_ESSID"
    scan_ssid=$_SCAN
    proto=WPA
    key_mgmt=WPA-EAP
    pairwise=TKIP
    group=TKIP
    eap=PEAP
    identity="$_IDENTITY"
    password="$_PASSWORD"
    ca_cert="$_CA_CERT"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
    }
    But it's not working, both with and without specifying the optional path to the CA certificate. Any ideas what I could've been missing or any clues for debugging?
    Last edited by saciel (2013-11-07 09:55:16)

    Why don't you use netctl?
    I'm using netctl to connect to my FreeRadius Server, and I use this config...
    Description='A wireless connection using a custom network block configuration'
    Interface=wlp0s29f7u3
    Connection=wireless
    Security=wpa-configsection
    IP=static
    Address='192.168.1.200/24'
    Gateway='192.168.1.1'
    DNS=('192.168.1.1')
    # Each entry below is passed verbatim into the wpa_supplicant network={...} block
    WPAConfigSection=(
    'ssid="SSID"'
    'key_mgmt=WPA-EAP'
    'eap=PEAP'
    'phase2="auth=MSCHAPV2"'
    'group=CCMP'
    'pairwise=CCMP'
    'identity="user"'
    'password="password"'
    'priority=1'
    )
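Neither the wicd template nor the netctl profile above pins the RADIUS server: the wicd one makes `ca_cert` optional, and the netctl block sets no `ca_cert` at all and neither sets a server identity match or an `anonymous_identity`. With PEAP/MSCHAPv2 that is what lets a rogue access point with any certificate terminate the TLS tunnel and collect the challenge/response for offline cracking. The following is an added example, not code from either post: a small audit of wpa_supplicant `network={...}` blocks that flags those omissions together with the TKIP/WPA1 choices discussed in the thread, run against two constructed configs (a weak one mirroring the thread's setup and a hardened counterpart). The SSID `HomeLab`, the CA file path and the RADIUS host name in the hardened sample are placeholders.

```python
import re

# Constructed sample: what the wicd template in the thread produces when the
# optional CA certificate is left out and the router is kept on TKIP.
WEAK_CONFIG = """
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="HomeLab"
    scan_ssid=1
    proto=WPA
    key_mgmt=WPA-EAP
    pairwise=TKIP
    group=TKIP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed hardened counterpart. The CA file path and RADIUS host name are
# placeholders; substitute your own.
HARDENED_CONFIG = """
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="HomeLab"
    scan_ssid=1
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=PEAP
    anonymous_identity="anonymous"
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/homelab-radius-ca.pem"
    domain_suffix_match="radius.homelab.example"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r"^\s*([A-Za-z0-9_]+)=(.*?)\s*$", re.M)
# Any of these pins the RADIUS server's certificate, not just its issuing CA
IDENTITY_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_network_blocks(text):
    """Return one dict per network={...} block, with surrounding quotes stripped."""
    blocks = []
    for body in BLOCK_RE.findall(text):
        block = {}
        for key, value in KV_RE.findall(body):
            block[key] = value.strip().strip('"')
        blocks.append(block)
    return blocks


def audit_block(block):
    """Return human-readable findings for a single WPA-EAP network block."""
    findings = []
    if "EAP" not in block.get("key_mgmt", ""):
        return findings  # PSK or open network: the 802.1X checks do not apply
    if "ca_cert" not in block:
        findings.append("no ca_cert: any RADIUS certificate is accepted, so a rogue AP "
                        "can terminate the TLS tunnel and capture the MSCHAPv2 exchange")
    if not any(key in block for key in IDENTITY_KEYS):
        findings.append("no server identity match: every certificate chaining to the CA "
                        "is trusted, not only your RADIUS server's")
    if "anonymous_identity" not in block:
        findings.append("no anonymous_identity: the real username travels in the "
                        "unencrypted outer EAP-Identity")
    for field in ("pairwise", "group"):
        if "TKIP" in block.get(field, ""):
            findings.append(f"{field}=TKIP: deprecated cipher, use CCMP")
    if block.get("proto") == "WPA":
        findings.append("proto=WPA: WPA1 only, use proto=RSN for WPA2")
    if block.get("eap") == "PEAP" and "auth=" not in block.get("phase2", ""):
        findings.append("PEAP without phase2 auth=: inner method is left to negotiation")
    return findings


def audit_config(text):
    """Map each SSID in a wpa_supplicant config to its list of findings."""
    return {blk.get("ssid", "?"): audit_block(blk) for blk in parse_network_blocks(text)}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for ssid, findings in audit_config(cfg).items():
            print(f"[{label}] {ssid}: {len(findings)} finding(s)")
            for finding in findings:
                print("  -", finding)
```

Run it against `/etc/wpa_supplicant/wpa_supplicant.conf` (or the block netctl generates) to see which of the six weak-config findings still apply; `domain_suffix_match` is the setting that turns "trust this CA" into "trust this CA's certificate for my RADIUS server", which is the distinction the later Configurator and McGill posts are groping for with "Trusted Server Certificate Names" and "Server subject".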

  • Creating a Configurator profile for ATV on WPA2 Enterprise?

    Alright, so I have a couple of Apple TVs (latest version) which I want to get up and running on our wireless network here at work. We have a WPA/WPA2 Enterprise network. Our access point is simply an Airport Extreme and the RADIUS server is running on OS X Server 10.6.
    I understand that I have to load the Apple TV with a profile to get it to connect to the wireless network but I can't for the life of me figure out what the correct settings are for my network. I'd ask our IT department but the problem is that I am the IT department.
    When I try to connect using the profiles I've created I get the error "There was a problem connecting to the network. Check your settings and try again. (-369033215)."
    The first issue (I believe) is that I might not be choosing the right EAP types. In Configurator I can choose TLS, TTLS, LEAP, PEAP, EAP-FAST, EAP-SIM, or EAP-AKA. I have no idea which one I should be choosing or how to figure out which types my network supports. Also some of them want me to enter an outer identity which again, I have no idea what to put there.
    The second issue may be the trusted certificates - I may not have the correct one(s). When I check the RADIUS server settings, it shows that I'm using a self-signed certificate that I generated quite a while ago (we don't have any actual certs, just self-signed ones - small office, not my area of expertise so I didn't want to waste company money without knowing what I was doing). So, what I did was I opened up Keychain Access, found that certificate, exported it, and imported it into Configurator. I imported it into Trusted Certificates but I didn't put anything in for Trusted Server Certificate Names - should I put anything in there?
    Any help is appreciated.

    Ok that part I put above would go in your SQL, not in the report properties - you also want to replace p.product_image with whatever your BLOB column is, and p.product_id with your employee_id column.
    The apex_util.get_blob_file_src basically does the same thing that you were doing but should be a little simpler to manage.
    http://download.oracle.com/docs/cd/E14373_01/apirefs.32/e13369/apex_util.htm#CHDICGDA
    So:
    1) Edit your sql and try using this function instead of just calling the BLOB column.
    2) Edit the column properties and put #PHOTO# as the link, and #EMPLOYEE_ID# (or whatever your primary key is called) as the Value.
    3) If that long string is still in the number/character format field, clear it out.
    4) If that still doesn't work, install the demo application that comes with Apex and look at Page 3. That is all I did.

  • Connecting to WPA/WPA2-Enterprised network

    hi all,
    i just came to mcgill and was trying to connect to the school network. But it kept saying something like 'authorization failed'. School website has only instructions for BlackBerrys:
    "Select wpa.mcgill.ca * (WPA/WPA2-Enterprise). Fill in the following fields:
    Name: wpa.mcgill.ca *
    SSID: wpa.mcgill.ca *
    Security Type: PEAP
    User Name: McGill Username
    User password: McGill Password
    CA Certificate: Thawte Premium Server CA
    Inner Link Security: EAP-MS-CHAP V2
    Token: None Selected
    Server subject: blank
    Server San: blank"
    Help plz
    Solved!
    Go to Solution.

    idecline wrote:
    hi all,
    i just came to mcgill and was trying to connect to the school network. But it kept saying something like 'authorization failed'. School website has only instructions for BlackBerrys:
    "Select wpa.mcgill.ca * (WPA/WPA2-Enterprise). Fill in the following fields:
    Name: wpa.mcgill.ca *
    SSID: wpa.mcgill.ca *
    Security Type: PEAP
    User Name: McGill Username
    User password: McGill Password
    CA Certificate: Thawte Premium Server CA
    Inner Link Security: EAP-MS-CHAP V2
    Token: None Selected
    Server subject: blank
    Server San: blank"
    Help plz
    Try configuring your N97 with these instructions:
    Since your WLAN network seems to require more advanced PEAP authentication settings you should probably create / edit the appropriate WLAN connection profile, known as (Internet) Access Point, manually in the following manner:
    1. Go to Tools -> Settings -> Connection -> Network Destinations
    2. Check if your earlier failed attempt to connect has already created a non-functional IAP named after your WLAN network SSID (look for an entry named wpa.mcgill.ca) under "Internet" destination.
    3. If you can see existing IAP named as your WLAN SSID then you can Edit that one with necessary changes. (skip to 7.)
    4. If you don't see any existing IAPs that are named like your WLAN network then go to the desired "Destination" (e.g. Internet) and select Options -> Add Connection Method.
    5. Assuming you are in the coverage area of your WLAN network you can let phone "Automatically check for connection methods" (i.e. phone scans available WLAN networks) and you should be able to select the correct WLAN network name (wpa.mcgill.ca) from the list. Once you have selected the WLAN network your "Internet" Destination should now have been added with a new Access Point (IAP) that is named "wpa.mcgill.ca". Note that at this point the particular connection method is still incorrectly configured for your purposes (since by defaul it has EAP-SIM & EAP-AKA authentication methods enabled).
    6. Now you should manually Edit your newly created wpa.mcgill.ca Internet Access Point with necessary PEAP settings.
    7. Configure following WLAN and authentication settings:
      "Connection name" defaults to name of your WLAN network (wpa.mcgill.ca) but you can also change this if you wish
    - "Data Bearer" naturally needs to be "Wireless LAN"
    - "WLAN network name" should match your WLAN network's name (SSID) exactly (wpa.mcgill.ca)
    - "Network status": Public
    - "WLAN network mode": Infrastructure
    - "WLAN Security mode": WPA/WPA2
     => Go to "WLAN security settings"
    - Ensure that "WPA/WPA2 mode" is set to "EAP"
    - Leave "WPA-2 Only mode" to "OFF" unless you are absolutely sure that your WLAN network is configured to strictly pure WPA2 mode (i.e. the network might be configured to support both WPA and WPA2 security, thus enabling WPA-2 Only mode on the phone will cause all your connection attempts to fail).
     => Go to "EAP plug-in configuration"
    - Enable "EAP-PEAP" and make sure that "EAP-SIM" and "EAP-AKA" are disabled (via Options -> Disable)
     => Select "Configure" for EAP-PEAP authentication method
     - Leave "Personal Certificate" to "Not defined"
    - Select "Thawte Premium Server CA" to be used as an "Authority certificate"
    - Set "User name in use" to "User defined" (since there is no Personal Certificate where it could be read automatically)
    - Enter your username (McGill Username) to "Username" field
    - Set "Realm in use" to "User defined" and leave following "Realm" field empty.
    - Note that in case your username (McGill Username) contains the realm (i.e. the format is username@realm) then you can enter the realm part of your ID in the "Realm" field and enter only the username part in the "Username" field.
    - Configure "Allow PEAPv0" to Yes
    - Configure both "Allow PEAPv1" and "Allow PEAPv2" to "No"
    => Go to "EAP's" tab to configure inner authentication method for the PEAP (use the small arrow pointing right on top of the screen to move between tabs)
    - Enable "EAP-MSCHAPv2" authentication method and Disable all other methods (Option -> Enable / Disable)
    - Select "Edit" for the EAP-MSCHAPv2
    - Enter your username (McGill Username) in the "User name" field
    - Configure "Prompt password" to No or Yes depending on whether you want your password to be prompted every time you make a connection or if you prefer saving your password to the following "Password" field permanently so that it won't be prompted every time you connect to this WLAN network with PEAP/EAP-MSCHAPv2 authentication.
    - If you selected "No" to password prompting then enter your password (McGill Password) in the "Password" field.
    => Exit the configuration with "Back" (several times) and you should hopefully be able to connect with this setup.
    If needed you can also change the priority order of the connection methods (IAP's) within the Internet Destination since your new connection most likely ended up being lowest priority WLAN connection within your Internet destination. This should however not be a problem unless you have some other WLAN networks defined as an IAP and these other WLAN networks are simultaneously available at the location of the wpa.mcgill.ca WLAN network.
    Hope this helps you to get connected!!
    Message Edited by saataja on 17-Sep-2009 05:16 PM
