WPA2-enterprise security question

Similar Messages

• WPA2 Enterprise setup question

  I have been trying to complete a WPA2 Enterprise setup, and I have hit a wall in troubleshooting. The current setup has two SSIDs, but the users only use one of these SSIDs, and that one is setup as WEP (I know...I know). I have been tasked with getting the users on a stronger security setup, and I thought that the best way would be to have them use WPA2 Enterprise, and they would authenticate to the network using their Active Directory user name and password. 
  I have been trying to get the secondary SSID converted over to do this, but I am stuck. I have setup the access point (Cisco 1140) the way that I believe should work, and I have also went through the Radius server (Microsoft Server 2008 R2) and set it up with some suggestions I have ran while researching.
  I am hoping someone can see what I am doing wrong, or guide me to setup a more secure connection. My networking/Cisco skills are intermediate so there are things that I miss or could improve on at times. 
  I am attaching the config on the access point, and some screen shots off of our Radius server.
  The radius server is  10.90.9.9
  SSID that I am trying to configure is AAA
  AP IP address 10.90.6.6
  Please let me know if there is any information that I am missing. I will get it to you right away.
  Edit - One thing I didn't include was that we don't have a certificate for this. Preferably I would like to set this up without a cert, and just have them authenticate with the user/pass from AD. If a cert is needed though, I can get one. Thanks :)
  Thanks.

  Hi Brent,
  Here is a working configuration for similar requirement using ACS as RADIUS server. Hope it is useful for you to get this working.
  http://mrncciew.com/2013/11/14/autonomous-ap-with-external-radius/
  Pls do not forget to rate our responses if it is useful to you.
  HTH
  Rasika

• Cannot connect to WIFI with WPA2 enterprise security

  I'm currently trying to switch my Wifi from WPA2 Personal to WPA2 Enterprise using a dd-wrt flashed TP-Link router and a Synology Diskstation as the RADIUS server. The diskstation also creates the CA certificate which I can download from there for all client devices.
  Configuration on the side of the router appears to be fine, I've entered all the details for RADIUS authentication and left "WPA Algorithms" at its default setting "TKIP", other options being ("AES" and "TKIP+AES"). I said it appears to be fine because my Android phone connection is established succesfully using the following (default) parameters:
  EAP method: PEAP
  Phase 2 Auth: NONE (also works with MSCHAPV2, and probably other options)
  CA cert: unspecified (didn't download it to smartphone, must be fetched automatically from router I guess)
  User cert: unspecified
  Identity: myDiskstationUsername
  Anonymous Identity: (blank)
  Password: myDiskstationPassword
  So far, so good... I still cannot manage to get a connection from my laptop running Arch. Prefered method would be via "wicd". The best match seems to be the following configuration profile:
  name = PEAP with TKIP/MSCHAPV2
  author = Fralaltro
  version = 1
  require identity *Identity password *Password
  optional ca_cert *Path_to_CA_Cert
  protected password *Password
  ctrl_interface=/var/run/wpa_supplicant
  network={
  ssid="$_ESSID"
  scan_ssid=$_SCAN
  proto=WPA
  key_mgmt=WPA-EAP
  pairwise=TKIP
  group=TKIP
  eap=PEAP
  identity="$_IDENTITY"
  password="$_PASSWORD"
  ca_cert="$_CA_CERT"
  phase1="peaplabel=0"
  phase2="auth=MSCHAPV2"
  But it's not working, both with and without specifing the optional path to the CA certificate. Any ideas what I could've been missing or any clues for debugging?
  Last edited by saciel (2013-11-07 09:55:16)

  Why don't you use netctl?
  I'm using netctl to connect to my FreeRadius Server, and I use this config...
  Description='A wireless connection using a custom network block configuration'
  Interface=wlp0s29f7u3
  Connection=wireless
  Security=wpa-configsection
  IP=static
  Address='192.168.1.200/24'
  Gateway='192.168.1.1'
  DNS=('192.168.1.1')
  WPAConfigSection=(
  'ssid="SSID"'
  'key_mgmt=WPA-EAP'
  'eap=PEAP'
  'phase2="auth=MSCHAPV2"'
  'group=CCMP'
  'pairwise=CCMP'
  'identity="user"'
  'password="password"'
  'priority=1'

• Connecting Z10 to WPA2-Enterprise Wifi

  Haloo...
  Please help by giving any clue to connecting Blackberry Z10 to Office Wifi which is using WPA2-Enterprise security type.
  Thank you in advanced
  Regards,
  Tri Harnoko

  Hey harnoko,
  Welcome to the BlackBerry Support Community Forums.
  Thanks for the question.
  When adding a Wi-Fi network, change the security type to WPA2-Enterprise and fill out the required security information.
  Do you receive any specific errors when adding the Wi-Fi network?
  Let me know if you have any more questions.
  Cheers.
  -ViciousFerret
  Come follow your BlackBerry Technical Team on Twitter! @BlackBerryHelp
  Be sure to click Like! for those who have helped you.
  Click  Accept as Solution for posts that have solved your issue(s)!

• Setting up iPad, don't know what to select for security; WEP, WPA, WPA2, WPA Enterprise or WPA2 Enterprise.  We have service through Charter cable.

  Setting up iPad, don't know what to select for security; WEP, WPA, WPA2, WPA Enterprise or WPA2 Enterprise.  We have service through Charter cable.
  Thanks for your help!

  Choose the strongest security available on your router, preferably WPA2 using AES encryption and a long complex passphrase with at least 14 characters (the maximum is 63 characters).

• WAP4410N width Security-Mode WPA2-Enterprise and WDS-Repeater

  Hi,
  i have two WAP4410N with same Firmware 2.0.7.4. One Configured as AccessPoint with "Allow wireless signal to be repeated by a repeater." and correct MAC of the repeater.
  The Repeater has same settings (WPA2-Enterprise, both WAP4410N in B/G/N-Mode) configured as "Wireless WDS-Repeater" width correct MAC of first AP.
  Problem is, that the Repeater does not repeat anything, nothing in the logfile. Are my settings correct or should i use "Wireless Client/Repeater" in my case. Does WAP4410N support Repeating in WPA2-Enterprise?
  Thanks for your assistance

  A dumb question first of all - when you entered the mac address to repeat, did you use the wireless rather than the wired mac address?
  I also found that enabling http (wireless) access to the wap4410n repeater and then disconnecting the wired connection to the wap4410n ap helped set things up better.
  If you search these forums I uploaded beta firmware that works much better than the one you're using. Alternatively you could use wap encryption, it seems that using wpa2-personnel is what messes up the firmware you're using.

• Officejet 6000 wireless and WPA2-Enterprise network security

  I own an Officejet 6000 wireless printer. The manual says that it should be compatible with a wireless network with WPA2-Enterprise network security but when setting up the connection (I am using a macbook and am setting the printer up via usb connection) the newtork is listed but the security type is "unsupported." For whatever its worth it is listed 5 or 6 times but probably thats a different issue.
  I can still select the right network but it only asks for a security key, but my network security requires a log-in name and password.
  What can I do to get my printer connected to the network?

  I get the feeling that most of the people replying here don't know the difference between WPA2-Personal and WPA2-Enterprise.
  Personal has a passkey.
  Enterprise uses both a username and password, usually in conjunction with a Radius server (802.1X athentication).
  What we've had to do solve this problem is create a second SSID on the network that authenticates on WPA2-Personal. We use a really long password to secure the network, one that I will never be able to memorize in my lifetime.
  All we can hope for is that these enterprise-level vendors will, perhaps, gain a greater understanding of wireless authentication processes and the needs of actual enterprise customers who at least a percieved need for wireless printer capabilities. It used to be that customer was always right, though. Perhaps those days are gone...
  The other problem that probably ought to be addressed on consumer end is the fact that multicast tools that make AirPrint work (such as Bonjour), are being blocked from crossing between your wired and wireless networks, perhaps by the wireless controller or due to inefficient routing hierarchy or NAT/PAT issues. Solve this issue and you won't have a need for wireless printers.

• Can't create a WPA2-Enterprise wireless connection; missing Microsoft: PEAP

  OS: Windows 7 64-bit Enterprise
  Hardware: Lenovo T410S w/Intel 5300 ABGN Wireless
  If I try to build the wireless connection manually and choose WPA2-Enterprise, then click next, I get 'An unexpected error occurred.' and no options to configure; just close.
  I then tried to create a Preshared Key WPA2 connection. This worked fine. When I go to edit the connection, I have the ability to select the WPA2-Enterprise options, however in the list of Network Authentication methods (under Security Tab), I don't have
  the Microsoft: PEAP or SmartCard options. I only have Cisco: LEAP,PEAP,EAP-FAST and Intel: EAP-SIM,EAP-TTLS,EAP-AKA (6 entries).
  It's my theory that because the Microsoft options are missing, the wizard gets the unexpected error. I'm wondering how I get the MS ones back.

  Hi,
  Thanks for posting in Microsoft TechNet forums.
  Do you have Symantec installed? It is said the issue could be due to conflict with Symantec Endpoint Protection. Please uninstall\reinstall Symantec
  if it is there.
  Best Regards
  Magon Liu
  TechNet Subscriber Support
  in forum. If you have any feedback on our support, please contact
  [email protected]
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”

• Support for WPA-Enterprise, WPA2-Enterprise wifi s...

  hi all
  I try to connect my phone to corporate wifi but failed because the phones hangs. my company uses WPA2-Enterprise wifi. my phone clearly works with WPA2-Personal wifi security at home. will these profiles of security be supported in future update?

  Although this is the right section for this question, let us continue with your original post …

• IPad can't get in the internet via a WPA2 Enterprise setup

  I've seen some similar posts and no real answers. My Office just got set up with Wireless, it's cisco gear and using RADUIS to authenticate. What they told us to do on the windows boxes was this:
  Connect to the SSID
  use WPA2 Enterprise Authentication
  TKIP Encryption
  Use PEAP Authentication
  Uncheck the "Validate Server Certificate"
  Authentication Method is EAP-MSCHAP v2 on the PEAP properties screen
  Following these instructions on Windows 7 I can get on the network.
  I tried this on my iPad:
  connected to the network
  selected WPA2 Enterprise
  It Prompted my for my login/password
  I entered them....
  Then I got a certificate and it asked me to accept/install it, and I did
  Then it connects to the access point and gets a signal
  Even though I am connected and authenticated I can't get on the internet, and I get no IP address. Not a DHCP issue since other devices work.
  Any ideas on alternate configurations, or what I'd need to do with the iPhone Configuration Utility to get this working?

  "Unsupported" device - I've heard that before, too many times... =)
  So after thinking on everything you've tried, it's safe to say that your AP is running PEAPv0 with EAP-MSCHAPv2 for Authentication. This is good news - as it is probably the most widely used Enterprise WiFi configuration, iOS devices should absolutely be compatible with this. Getting a non-domain XP PC connected was a great idea, as I have discovered that Windows XP is kind of "loose" in the way it handles PEAP certificates - it will accept any certificate given to it by a RADIUS server without question. Undoubtedly a big security hole, but it does have the advantage of being "user friendly." I don't think Apple's implementation is quite as loose, so even though you are manually accepting one certificate, you probably need more to complete the chain of trust required for your device to authenticate the server. This is a requirement for PEAP to function.
  So at this point, I think your best bet would be to migrate over to the Credentials tab. If you're running the iPhone Config Utility on a PC which connects to the AP, you already have the certificates in your trusted certificate store - so simply hit the add button and add any relevant certificates. For example, if your domain is named "corporate", import any certificates bearing that domain. Once you've done this, head over to the Trust tab under WiFi and check off your newly imported certificates as being trusted for your connection.
  In addition, if you can figure out what the name of the RADIUS server on the other end of the AP is doing the authentication, add it under "Trusted Certificate Names" - if you don't know it, you can also add a wildcard like "*.corporate" to trust any servers in your domain. This shotgun approach is probably your best bet for making it go initially.
  You will know this is all working when you no longer get the dialog on your iPad to accept the certificate, and hopefully, you get an IP address.
  We're truly in the thick of it now, and this is my last idea - so if this does not work, we will need to call on those stronger than I with iOS networking... or, you can call up your IT department and start the conversation off with the words "I bet you can't figure this out" - that always gets IT people going =)
  Best of luck!
  Sources:
  http://howto.techworld.com/mobile-wireless/3451/use-peap-for-wireless-authentica tion/
  http://images.apple.com/ipad/business/pdf/iPadDeploymentScenarios.pdf

• IOS 5 WPA2 Enterprise WiFi Connectivity Issue

  In IOS 4 i was able to connect easy to my company Enterprise network using WPA2 Enterprise (With Domain username and password). While initail Wifi setup in IOS 4 it used to ask me for accepting a certificate. After upgrading i noticed that it does not ask for certificate anymore but still connects on first attempt. After turining wifi off and on Wifi does not connects automatically instead if i check that network it ask me to enter password and join (my company network does not use preshared key instead use Domain credentials).
  After googling i found out that from iOS 5 onward MD-5 signed certificates are no more supported. My network administrator is not interested in changing the signing method of certificate.
  Can any one please help me for fixing this issue?

  Hi Attiq 123,
  Thanks for the question. It sounds like you are experiencing issues with your network connection, specifically when connecting to Apple services like iCloud and the iTunes Store. The following resource provides some troubleshooting steps that you can try:
  Can't connect to the iTunes Store - Apple Support
  http://support.apple.com/en-us/HT201400
  You may also need to test to see if the specific ports on your Wi-Fi network are accessible:
  iTunes: Advanced iTunes Store troubleshooting - Apple Support
  http://support.apple.com/en-us/TS3297
  Make sure the issue is with the iTunes Store only. (You need an Internet connection to access the iTunes Store).
  Open a secure website to test if you are online as is necessary for the iTunes Store. This also tests if the main ports 80 and 443 are accessible. If the website works but the iTunes Store does not, it is most likely a firewall blocking the iTunes software or servers. If this is the case, follow the steps in the "Blocked by software firewall" section below.
  - Matt M.

• MAC OS 10.4.11 connecting to WPA2 Enterprise not permanently working

  Hi,
  I have an issue with the following environment. I will try to simply my wording to help understand the problem.
  Hardware: Macbook Pro 17" Intel Core 2 Duo and Macbook laptops
  Operating System: Both run MAC OS 10.4.11 fully updated (According to Apple Reps, this operating system is no longer supported)
  Airport cards: Both have Airport Extreme cards. The Macbook Pro's card is using Firmware version 1.4.4 ( card type requirement to connect to WPA2 Enterprise network)
  Connection type: Connected via PEAP (Inner Protocol:MSCHAPv2)
  Wireless Access Point (WAP): Cisco Aironet 1142: Macbook connects to WAP to gain access to the Internet.
  Cisco ACS version 5 server (validates macbook username and password entries to Microsoft AD servers.)
  Microsoft Windows Server 2003 with Active Directory (holds user accounts) 
  Other Operating systems MAC OS 10.5 to MAC OS 10.7 (Leopard, Snow Leopard, and Lion make automatic connections.)
  Basically, the process is that the macbook user enters in their email username and password into a WPA2 Enterprise wireless connection. The Cisco 1142 broadcasts the SSID for the user to connect to. Once the wireless connection is made to the Cisco 1142 WAP, the WAP sends the username and password to the ACS server. The ACS server verifies the username and password from the macbook to Microsoft Windows Server AD user accounts. If the password is validated, then the ACS grants access to the wireless Internet to the macbook user.
  The wireless configuration involves the following process:
  1. Click on the desktop, Go should be available now.
  2. Click on Go, then Applications. The Applications window will appear.
  3. Click on Internet Connect.
  4. By default, The 802.1X connection is not available. We will be using the 802.1X connection to enter and save the username and password. Click on File and select "New 802.1X Connection."
  5. A windows should appear. Under Configurations, select Edit Configurations.
  6. An 802.1X windows will appear to enter in the following:
  - Description: name of connection
  - Network port: Airport
  -User Name: domain\username or just username of email account
  -password: password for email account
  -Wireless Network: SSID of Cisco Aironet 1142 Wireless Access Point (WAP)
  -Authentication PEAP configured with outer identity of anonymous. We uncheck TTLS, EAP-FAST, LEAP, and MD5.
  7. Click Ok. Select Connect and it should connect to the SSID if the username and password are valid accounts.
  8. Select File and then "Export 802.1X Configuration to login Window."
  To verify connection:
  1. We go to Apple - System Preferences and select Network.
  2. The Airport should say that it is conected to the SSID. You are connected to the Internet via Airport.
  3. Go a little deeper, we click on configure for the Airport.
  4. Under By default join: select Preferred networks. Under network name, we should see the SSID connection. We select it and click on the edit button.
  5. We verify that the connection has Network Name, Wireless Security, User Name, Password, and 802.1X Configuration entered in correctly. We select Ok after verification or modification. Then we select Apply Now to save any changes.
  ---------------------------------------------------------------The Problems---------------------------------------------------------------------
  1. When shutting down the system and then turning it on. The Airport doesn't make a connecation to the SSID being broadcasted automatically. We would have to turn the airport off and back on for it to make an connection.
  2. When the laptop is left idle or goes to sleep, the wireless connection drops. The user would have to turn the airport off and back on to stay connected.
  Is there a fix for this?
  Thank you to anyone that would take time to read this and provide helpful feedback.

  The "v" key at startup is not Safe Mode. Try holding the Shift key down and restart for Safe Mode. This will disable extensions and help it start. It also checks some things out.
  Can you start it up from your Tiger disc? Hold the C key down at startup until you see the Apple.
  Your hard drive may be going kaput. Hope you have a good backup.

• Connecting to WPA/WPA2-Enterprised network

  hi all,
  i just came to mcgill and was trying to connect to the school network. But it kept saying something like 'authorization failed'. School website has only instructions for BlackBerrys:
  "Select wpa.mcgill.ca * (WPA/WPA2-Enterprise). Fill in the following fields:
  Name: wpa.mcgill.ca *
  SSID: wpa.mcgill.ca *
  Security Type: PEAP
  User Name: McGill Username
  User password: McGill Password
  CA Certificate: Thawte Premium Server CA
  Inner Link Security: EAP-MS-CHAP V2
  Token: None Selected
  Server subject: blank
  Server San: blank                                                                         "
  Help plz
  Solved!
  Go to Solution.

  idecline wrote:
  hi all,
  i just came to mcgill and was trying to connect to the school network. But it kept saying something like 'authorization failed'. School website has only instructions for BlackBerrys:
  "Select wpa.mcgill.ca * (WPA/WPA2-Enterprise). Fill in the following fields:
  Name: wpa.mcgill.ca *
  SSID: wpa.mcgill.ca *
  Security Type: PEAP
  User Name: McGill Username
  User password: McGill Password
  CA Certificate: Thawte Premium Server CA
  Inner Link Security: EAP-MS-CHAP V2
  Token: None Selected
  Server subject: blank
  Server San: blank                                                                         "
  Help plz
  Try configuring your N97 with these instructions:
  Since your WLAN network seems to require more advanced PEAP authentication settings you should probably create / edit appriate WLAN connection profile, known as (Internet) Access Point, manually in a following manner:
  1. Go to Tools -> Settings -> Connection -> Network Destinations
  2. Check if your earlier failed attempt to connect has already created an non-funtional IAP named as your WLAN network SSID (look for a entry named wpa.mcgill.ca) under "Internet" destination.
  3. If you can see existing IAP named as your WLAN SSID then you can Edit that one with necessary changes. (skip to 7.)
  4. If you don't see any existing IAPs that are named like your WLAN network then go to the desired "Destination" (e.g. Internet) and select Options -> Add Connection Method.
  5. Assuming you are in the coverage area of your WLAN network you can let phone "Automatically check for connection methods" (i.e. phone scans available WLAN networks) and you should be able to select the correct WLAN network name (wpa.mcgill.ca) from the list. Once you have selected the WLAN network your "Internet" Destination should now have been added with a new Access Point (IAP) that is named "wpa.mcgill.ca". Note that at this point the particular connection method is still incorrectly configured for your purposes (since by defaul it has EAP-SIM & EAP-AKA authentication methods enabled).
  6. Now you should manually Edit your newly created wpa.mcgill.ca Internet Access Point with necessary PEAP settings.
  7. Configure following WLAN and authentication settings:
    "Connection name" defaults to name of your WLAN network (wpa.mcgill.ca) but you can also change this if you wish
  - "Data Bearer" naturally needs to be "Wireless LAN"
  - "WLAN network name" should match your WLAN network's name (SSID) exactly (wpa.mcgill.ca)
  - "Network status": Public
  - "WLAN network mode": Infrastructure
  - "WLAN Security mode": WPA/WPA2
   => Go to "WLAN security settings"
  - Ensure that "WPA/WPA2 mode is set to "EAP"
  - Leave "WPA-2 Only mode" to "OFF" unless you are absolutely sure that your WLAN network is configured to stricly pure WPA2 mode (i.e. network might be configured to support both WPA and WPA2 security thus enabling WPA-2 Only mode on the phone will cause all your connection attempts to fail).
   => Go to "EAP plug-in configuration"
  - Enable "EAP-PEAP" and make sure that "EAP-SIM" and "EAP-AKA" are disabled (via Options -> Disable)
   => Select "Configure" for EAP-PEAP authentication method
   - Leave "Personal Certificate" to "Not defined"
  - Select "Thawte Premium Server CA" to be used as an "Authority certificate"
  - Set "User name in use" to "User defined" (since there is no Personal Certificate where it could be read automatically)
  - Enter your username (McGill Username) to "Username" field
  - Set "Realm in use" to "User defined" and leave following "Realm" field empty.
  - Note that in case your username (McGill Username) contains the realm (i.e. format is username@realm ) then you can enter realm part of your ID to "Realm" field and enter only the username part to the "Username" field.
  - Configure "Allow PEAPv0" to Yes
  - Configure both "Allow PEAPv1" and "Allow PEAPv2" to "No"
  => Go to "EAP's" tab to configure inner authentication method for the PEAP (use the small arrow pointing right on top of the screen to move between tabs)
  - Enable "EAP-MSCHAPv2" authentication method and Disable all other methods (Option -> Enable / Disable)
  - Select "Edit" for the EAP-MSCHAPv2
  - Enter you username (McGill Username) to "User name" field
  - Configure "Prompt password" to No or Yes depending on whether you want your password to be prompted everytime you make an connection or if you prefer saving your password to following "Password" field permanenly so that it won't be prompted during everytime you connect to this WLAN network with PEAP/EAP-MSCHAPv2 authentication.
  - If you you selected "No" to password prompting then enter your password (McGill Password) to "Password" field.
  => Exit the configuration with "Back" (several times) and you should hopefully be able to connect with this setup.
  If needed you can also change the priority order of the connection methods (IAP's) within the Internet Destination since your new connection most likely ended up being lowest priority WLAN connection within your Internet destination. This should however not be a problem unless you have some other WLAN networks defined as an IAP and these other WLAN networks are simultaneously available at the location of the wpa.mcgill.ca WLAN network.
  Hope this helps you to get connected!!
  Message Edited by saataja on 17-Sep-2009 05:16 PM

• WiFi WPA2 Enterprise not workign

  Hi 
  I am the network administrator of Wi Fi over Enterprise, we have now 100 users trying to connect with Playbook but it have not been posible. we use WPA2 Enterprise EAP-TLS. First it was very dificult to download the cert to the device, We have accomplish that but we have not been able to connect toour network. 
  we use GeoTrust Global CA and Equifax Secure Certificate Authority.
  Thanks in advance.

  Hi rafaelsus
  May be this kb's From BB database can help you on that!
  KB27269
  KB03735
  KB04359
  KB05227
  KB02068
  KB19236
  Hope this helps you!!
  Please give kudos or mark as a solution if this was helpful!! Thanks!!!!!!

• WPA2 Enterprise and autonomous 1231

  I have a bunch of standalone AIR-AP1231G-A-K9 running c1200-k9w7-mx.123-8.JEC2/c1200-k9w7-mx.123-8.JEC2 which is currently setup for guest and company ssid. The guest I don't care but for company, it goes back to a Microsoft IAS radious Certificate Authority using WEP. I want to migrate to WPA2 Enterprise without effecting the current setup so want to create some type of testing. Can I do so or do I need to blow away wavenet with WEP altogether. If so, any sample configs out there?

  Since you'll have to touch all the clients in order to change your security/encryption, why not add another SSID and define it as WPA2/Enterprise and point it to the same IAS server? I'm pretty sure that IAS will support that (I know your AP's will). Try it on one AP, then configure the others, then migrate your clients (kill the old SSID when you're done).