WPA2 Enterprise setup question

Similar Messages

• IPad can't get in the internet via a WPA2 Enterprise setup

  I've seen some similar posts and no real answers. My Office just got set up with Wireless, it's cisco gear and using RADUIS to authenticate. What they told us to do on the windows boxes was this:
  Connect to the SSID
  use WPA2 Enterprise Authentication
  TKIP Encryption
  Use PEAP Authentication
  Uncheck the "Validate Server Certificate"
  Authentication Method is EAP-MSCHAP v2 on the PEAP properties screen
  Following these instructions on Windows 7 I can get on the network.
  I tried this on my iPad:
  connected to the network
  selected WPA2 Enterprise
  It Prompted my for my login/password
  I entered them....
  Then I got a certificate and it asked me to accept/install it, and I did
  Then it connects to the access point and gets a signal
  Even though I am connected and authenticated I can't get on the internet, and I get no IP address. Not a DHCP issue since other devices work.
  Any ideas on alternate configurations, or what I'd need to do with the iPhone Configuration Utility to get this working?

  "Unsupported" device - I've heard that before, too many times... =)
  So after thinking on everything you've tried, it's safe to say that your AP is running PEAPv0 with EAP-MSCHAPv2 for Authentication. This is good news - as it is probably the most widely used Enterprise WiFi configuration, iOS devices should absolutely be compatible with this. Getting a non-domain XP PC connected was a great idea, as I have discovered that Windows XP is kind of "loose" in the way it handles PEAP certificates - it will accept any certificate given to it by a RADIUS server without question. Undoubtedly a big security hole, but it does have the advantage of being "user friendly." I don't think Apple's implementation is quite as loose, so even though you are manually accepting one certificate, you probably need more to complete the chain of trust required for your device to authenticate the server. This is a requirement for PEAP to function.
  So at this point, I think your best bet would be to migrate over to the Credentials tab. If you're running the iPhone Config Utility on a PC which connects to the AP, you already have the certificates in your trusted certificate store - so simply hit the add button and add any relevant certificates. For example, if your domain is named "corporate", import any certificates bearing that domain. Once you've done this, head over to the Trust tab under WiFi and check off your newly imported certificates as being trusted for your connection.
  In addition, if you can figure out what the name of the RADIUS server on the other end of the AP is doing the authentication, add it under "Trusted Certificate Names" - if you don't know it, you can also add a wildcard like "*.corporate" to trust any servers in your domain. This shotgun approach is probably your best bet for making it go initially.
  You will know this is all working when you no longer get the dialog on your iPad to accept the certificate, and hopefully, you get an IP address.
  We're truly in the thick of it now, and this is my last idea - so if this does not work, we will need to call on those stronger than I with iOS networking... or, you can call up your IT department and start the conversation off with the words "I bet you can't figure this out" - that always gets IT people going =)
  Best of luck!
  Sources:
  http://howto.techworld.com/mobile-wireless/3451/use-peap-for-wireless-authentica tion/
  http://images.apple.com/ipad/business/pdf/iPadDeploymentScenarios.pdf

• WPA2-enterprise security question

  I will be attending ETSU (East TN State U) as a graduate student this fall. I have purchased a new iPad 3G and want to use it on the campus network. I have read that on some campuses there have been problems with the wireless iPads working on university networks. Will I have a problem using mine at ETSU?  
  I bought the Wi-Fi and 3G version just in case, but would prefer to use it as a wi-fi only device.  
  I emailed the OIT dept on campus and they said that they might be able to connect the iPad to the wireless, but they can not promise me that it will work.  They tell me to check my iPad to make sure that it comes with WPA2-enterprise security. 
  What is WPA2-enterprise security and does my iPad have this? Will I be able to use it on campus come August?
  Any advice would be helpful.

  Alec Edworthy wrote:
  The issue has been with DHCP and the iPad not renewing its lease when it should do. This has lead some sites to ban (through rule or a technological means) some or all iPads. The solution is to turn wireless off and on again or do not allow the screen to turn off. You can find more information at,
  http://www.net.princeton.edu/announcements/ipad-iphoneos32-stops-renewing-lease- keeps-using-IP-address.html
  Apple should be fixing this in an update in the future.
  Alec
  Unfortunately, DHCP or Princeton issues have absolutely nothing to do with the question the OP is asking. FYI, no university has banned the iPad from their network.
  As has already been stated by rutiger the iPad should work with WPA2 Enterprise.
  For more on iPad and WPA2 Enterprise security see: http://www.apple.com/ipad/business/pdf/iPadSecurityOverview.pdf

• Can the WAP4410N be setup with WPA2-Enterprise and also be repeater by another WAP4410N?

  I have AP1 setup with WPA2-Enterprise. How would I setup AP2 (WAP4410N) to be a repeater for AP1?

  Hi Alec,
  Thanks for participating in the Small Business Support Community. I've posed your question to our engineers and the short answer is "no".
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  WAP4410N can only repeat or bridge other supported Small Business APs/Routers.
  Thanks again for your participation and, although probably not the answer you wanted, I hope this helps.
  Stephanie Reaves
  Cisco Small Business

• IOS 5 WPA2 Enterprise WiFi Connectivity Issue

  In IOS 4 i was able to connect easy to my company Enterprise network using WPA2 Enterprise (With Domain username and password). While initail Wifi setup in IOS 4 it used to ask me for accepting a certificate. After upgrading i noticed that it does not ask for certificate anymore but still connects on first attempt. After turining wifi off and on Wifi does not connects automatically instead if i check that network it ask me to enter password and join (my company network does not use preshared key instead use Domain credentials).
  After googling i found out that from iOS 5 onward MD-5 signed certificates are no more supported. My network administrator is not interested in changing the signing method of certificate.
  Can any one please help me for fixing this issue?

  Hi Attiq 123,
  Thanks for the question. It sounds like you are experiencing issues with your network connection, specifically when connecting to Apple services like iCloud and the iTunes Store. The following resource provides some troubleshooting steps that you can try:
  Can't connect to the iTunes Store - Apple Support
  http://support.apple.com/en-us/HT201400
  You may also need to test to see if the specific ports on your Wi-Fi network are accessible:
  iTunes: Advanced iTunes Store troubleshooting - Apple Support
  http://support.apple.com/en-us/TS3297
  Make sure the issue is with the iTunes Store only. (You need an Internet connection to access the iTunes Store).
  Open a secure website to test if you are online as is necessary for the iTunes Store. This also tests if the main ports 80 and 443 are accessible. If the website works but the iTunes Store does not, it is most likely a firewall blocking the iTunes software or servers. If this is the case, follow the steps in the "Blocked by software firewall" section below.
  - Matt M.

• Can't create a WPA2-Enterprise wireless connection; missing Microsoft: PEAP

  OS: Windows 7 64-bit Enterprise
  Hardware: Lenovo T410S w/Intel 5300 ABGN Wireless
  If I try to build the wireless connection manually and choose WPA2-Enterprise, then click next, I get 'An unexpected error occurred.' and no options to configure; just close.
  I then tried to create a Preshared Key WPA2 connection. This worked fine. When I go to edit the connection, I have the ability to select the WPA2-Enterprise options, however in the list of Network Authentication methods (under Security Tab), I don't have
  the Microsoft: PEAP or SmartCard options. I only have Cisco: LEAP,PEAP,EAP-FAST and Intel: EAP-SIM,EAP-TTLS,EAP-AKA (6 entries).
  It's my theory that because the Microsoft options are missing, the wizard gets the unexpected error. I'm wondering how I get the MS ones back.

  Hi,
  Thanks for posting in Microsoft TechNet forums.
  Do you have Symantec installed? It is said the issue could be due to conflict with Symantec Endpoint Protection. Please uninstall\reinstall Symantec
  if it is there.
  Best Regards
  Magon Liu
  TechNet Subscriber Support
  in forum. If you have any feedback on our support, please contact
  [email protected]
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”

• Connecting to WPA/WPA2-Enterprised network

  hi all,
  i just came to mcgill and was trying to connect to the school network. But it kept saying something like 'authorization failed'. School website has only instructions for BlackBerrys:
  "Select wpa.mcgill.ca * (WPA/WPA2-Enterprise). Fill in the following fields:
  Name: wpa.mcgill.ca *
  SSID: wpa.mcgill.ca *
  Security Type: PEAP
  User Name: McGill Username
  User password: McGill Password
  CA Certificate: Thawte Premium Server CA
  Inner Link Security: EAP-MS-CHAP V2
  Token: None Selected
  Server subject: blank
  Server San: blank                                                                         "
  Help plz
  Solved!
  Go to Solution.

  idecline wrote:
  hi all,
  i just came to mcgill and was trying to connect to the school network. But it kept saying something like 'authorization failed'. School website has only instructions for BlackBerrys:
  "Select wpa.mcgill.ca * (WPA/WPA2-Enterprise). Fill in the following fields:
  Name: wpa.mcgill.ca *
  SSID: wpa.mcgill.ca *
  Security Type: PEAP
  User Name: McGill Username
  User password: McGill Password
  CA Certificate: Thawte Premium Server CA
  Inner Link Security: EAP-MS-CHAP V2
  Token: None Selected
  Server subject: blank
  Server San: blank                                                                         "
  Help plz
  Try configuring your N97 with these instructions:
  Since your WLAN network seems to require more advanced PEAP authentication settings you should probably create / edit appriate WLAN connection profile, known as (Internet) Access Point, manually in a following manner:
  1. Go to Tools -> Settings -> Connection -> Network Destinations
  2. Check if your earlier failed attempt to connect has already created an non-funtional IAP named as your WLAN network SSID (look for a entry named wpa.mcgill.ca) under "Internet" destination.
  3. If you can see existing IAP named as your WLAN SSID then you can Edit that one with necessary changes. (skip to 7.)
  4. If you don't see any existing IAPs that are named like your WLAN network then go to the desired "Destination" (e.g. Internet) and select Options -> Add Connection Method.
  5. Assuming you are in the coverage area of your WLAN network you can let phone "Automatically check for connection methods" (i.e. phone scans available WLAN networks) and you should be able to select the correct WLAN network name (wpa.mcgill.ca) from the list. Once you have selected the WLAN network your "Internet" Destination should now have been added with a new Access Point (IAP) that is named "wpa.mcgill.ca". Note that at this point the particular connection method is still incorrectly configured for your purposes (since by defaul it has EAP-SIM & EAP-AKA authentication methods enabled).
  6. Now you should manually Edit your newly created wpa.mcgill.ca Internet Access Point with necessary PEAP settings.
  7. Configure following WLAN and authentication settings:
    "Connection name" defaults to name of your WLAN network (wpa.mcgill.ca) but you can also change this if you wish
  - "Data Bearer" naturally needs to be "Wireless LAN"
  - "WLAN network name" should match your WLAN network's name (SSID) exactly (wpa.mcgill.ca)
  - "Network status": Public
  - "WLAN network mode": Infrastructure
  - "WLAN Security mode": WPA/WPA2
   => Go to "WLAN security settings"
  - Ensure that "WPA/WPA2 mode is set to "EAP"
  - Leave "WPA-2 Only mode" to "OFF" unless you are absolutely sure that your WLAN network is configured to stricly pure WPA2 mode (i.e. network might be configured to support both WPA and WPA2 security thus enabling WPA-2 Only mode on the phone will cause all your connection attempts to fail).
   => Go to "EAP plug-in configuration"
  - Enable "EAP-PEAP" and make sure that "EAP-SIM" and "EAP-AKA" are disabled (via Options -> Disable)
   => Select "Configure" for EAP-PEAP authentication method
   - Leave "Personal Certificate" to "Not defined"
  - Select "Thawte Premium Server CA" to be used as an "Authority certificate"
  - Set "User name in use" to "User defined" (since there is no Personal Certificate where it could be read automatically)
  - Enter your username (McGill Username) to "Username" field
  - Set "Realm in use" to "User defined" and leave following "Realm" field empty.
  - Note that in case your username (McGill Username) contains the realm (i.e. format is username@realm ) then you can enter realm part of your ID to "Realm" field and enter only the username part to the "Username" field.
  - Configure "Allow PEAPv0" to Yes
  - Configure both "Allow PEAPv1" and "Allow PEAPv2" to "No"
  => Go to "EAP's" tab to configure inner authentication method for the PEAP (use the small arrow pointing right on top of the screen to move between tabs)
  - Enable "EAP-MSCHAPv2" authentication method and Disable all other methods (Option -> Enable / Disable)
  - Select "Edit" for the EAP-MSCHAPv2
  - Enter you username (McGill Username) to "User name" field
  - Configure "Prompt password" to No or Yes depending on whether you want your password to be prompted everytime you make an connection or if you prefer saving your password to following "Password" field permanenly so that it won't be prompted during everytime you connect to this WLAN network with PEAP/EAP-MSCHAPv2 authentication.
  - If you you selected "No" to password prompting then enter your password (McGill Password) to "Password" field.
  => Exit the configuration with "Back" (several times) and you should hopefully be able to connect with this setup.
  If needed you can also change the priority order of the connection methods (IAP's) within the Internet Destination since your new connection most likely ended up being lowest priority WLAN connection within your Internet destination. This should however not be a problem unless you have some other WLAN networks defined as an IAP and these other WLAN networks are simultaneously available at the location of the wpa.mcgill.ca WLAN network.
  Hope this helps you to get connected!!
  Message Edited by saataja on 17-Sep-2009 05:16 PM

• Support for WPA-Enterprise, WPA2-Enterprise wifi s...

  hi all
  I try to connect my phone to corporate wifi but failed because the phones hangs. my company uses WPA2-Enterprise wifi. my phone clearly works with WPA2-Personal wifi security at home. will these profiles of security be supported in future update?

  Although this is the right section for this question, let us continue with your original post …

• Bridging a WPA2 Enterprise Radius Server (Lion Server) to Apple TV

  Hello,
  I was wondering if anyone can help me out with this setup that I have with Lion Server. Recently I set up my Airport Extreme to use Radius and bind it to my Lion Server for Authentication. Radius works with most of my devices, except for my ATV2 (which is in a different room from the AIrport Extreme.) As most of you may know, ATV2 doesn't support WPA2 Enterprise networks.
  Ideally what I would like to do is have the Apple TV connect to my wireless network for all of my videos that are shared on a HD connected to my Lion Server. I was thinking about looking for a WPA2 enterprise wireless bridge with an Ethernet port so that I can connect the ATV to the bridge and have the bridge connect to my Airport Extreme. However, here is what I can not figure out. How can I get that bridge to authenticate to the Radius Server on Lion Server? From my understanding the Radius service on the Lion Server uses its own proprietary radius server to where I couldn't get the bridge to cnnect.
  Please let me know your thoughts. If it helps, I have a 1st generation TC that I can place in the other room. However, I couldn't see any functionality in Airport Utility that would allow me to bridge that box to the WPA 2 Enterprise network.

  Hello,
  I was wondering if anyone can help me out with this setup that I have with Lion Server. Recently I set up my Airport Extreme to use Radius and bind it to my Lion Server for Authentication. Radius works with most of my devices, except for my ATV2 (which is in a different room from the AIrport Extreme.) As most of you may know, ATV2 doesn't support WPA2 Enterprise networks.
  Ideally what I would like to do is have the Apple TV connect to my wireless network for all of my videos that are shared on a HD connected to my Lion Server. I was thinking about looking for a WPA2 enterprise wireless bridge with an Ethernet port so that I can connect the ATV to the bridge and have the bridge connect to my Airport Extreme. However, here is what I can not figure out. How can I get that bridge to authenticate to the Radius Server on Lion Server? From my understanding the Radius service on the Lion Server uses its own proprietary radius server to where I couldn't get the bridge to cnnect.
  Please let me know your thoughts. If it helps, I have a 1st generation TC that I can place in the other room. However, I couldn't see any functionality in Airport Utility that would allow me to bridge that box to the WPA 2 Enterprise network.

• WPA2 Enterprise and autonomous 1231

  I have a bunch of standalone AIR-AP1231G-A-K9 running c1200-k9w7-mx.123-8.JEC2/c1200-k9w7-mx.123-8.JEC2 which is currently setup for guest and company ssid. The guest I don't care but for company, it goes back to a Microsoft IAS radious Certificate Authority using WEP. I want to migrate to WPA2 Enterprise without effecting the current setup so want to create some type of testing. Can I do so or do I need to blow away wavenet with WEP altogether. If so, any sample configs out there?

  Since you'll have to touch all the clients in order to change your security/encryption, why not add another SSID and define it as WPA2/Enterprise and point it to the same IAS server? I'm pretty sure that IAS will support that (I know your AP's will). Try it on one AP, then configure the others, then migrate your clients (kill the old SSID when you're done).

• WPA2 Enterprise connections don't work

  Hi everyone,
  Configuration: MacBook Pro 7,1, 2,4GHz, Mac OS X 10.6.5.
  Three user accounts (one for me, two for friend's backup), two of them have admin rights. I'm using one of these accounts.
  I'm having a strange issue with *WPA2 Enterprise*-based access points, namely, the private one on my university's campus, and the eduroam one. Eduroam is, roughly, a SSID that is available in participating institutions worldwide, and allows connection from personnel registered in any of these institutions without having to ask for a guest access.
  On eduroam, one is supposed to select the eduroam SSID in the list of network available, select "Security: WPA2 Enterprise", and type his institutional email address as a username. "Password" should remain blank for now, and in front of the "802.1X", select "Auto". On clicking the "Connect" button for the first time, a "Check certificate" dialog should appear with three buttons, "Display", "Cancel", "Continue", where one would click "Continue". Finally, a "802.1X authentication" dialog would appear, when a user would put his email address as username, and type in his institutional password to log in. Then, the user would be online without further fuss.
  On my university network, it's even simpler. One should select it, type in the IT login, then the corresponding password, before being allowed to be online.
  On my normal user account, I never get the "Check certificate" dialog for eduroam, an on the uni's network, it never seems to connect. Ultimately, I get the exclamation point over the wireless waves, meaning that the card self-assigned an IP. Then it tries to connect again (the icon is waving), then fails again. No other authentication is affected, and a quick look in the logs doesn't show anything salient.
  On the other user account, the connection to either of these SSID works as written, on the first try.
  So it's no hardware issue.
  I first tried to create a new wireless profile, and recreate the connection. It failed, once again, for both networks.
  So to the Genius Bar I went. Since it's a login issue, we deleted the ~/Library/Keychans/login.keychain item, rebooted. Since the issue couldn't be reproduced in store, he advised me to delete the "session" keychain and reboot if the problem persisted. He asked me if the computer crashed while I was logged in anywhere in the past (before 10.6.5), and yes I said, adding that I let AppleJack do the automated repair. He checked with a colleague, on a tech forum, spent 30 min with me, but came back with the dreaded conclusion that, at least in that store, they ended up doing what he named "partial restore" to correct a similar issue, in contrast to "archive and install".
  Off to the uni I went, and recreating the connection failed again. In the Access Keychain, I then removed the session keychain, with both the references and files (default is reference only), since they referred to passwords I already knew, rebooted, logged in, and tried to connect, to no avail. The other user account still works.
  What else should I try? Ironically enough, I reinstalled OS X more times in two years than I did Windows in eight, and want to avoid the time-consuming step of reinstalling applications, and the very tricky part - ownership issues - of manually importing documents and only selected settings.

  I was chasing a similar authentication issue on OS X ≥ 10.5.8 for quite some weeks. My setup does use MS 2008 Server (AD, NPS, Radius) and SonicWall SonicPoint (multi SSID on VLAN).
  When I started evaluating the different options, I didn't realize such issues But when it came to the final usage guidelines I had serious issue connecting with Mac OS X to the WPA2 Enterprise Network (BlackBerry and iOS was never an issue)!
  I finally did work out, that you can only authenticate once successfully if you use the "Ask to join networks" popup - instead I had to select the network manually from the airport, provide my credentials and select "remember this network"to store the network and it's radius profile! I guess this behavior may have something to do with the credentials stored/reused in/from the keychain for the second login.
  Also, I did notice you have to make sure you quit your system preferences each time you expect a change due to newly stored networks or radius profiles!
  Hope this may help other users to troubleshoot similar issues!

• Connecting Z10 to WPA2-Enterprise Wifi

  Haloo...
  Please help by giving any clue to connecting Blackberry Z10 to Office Wifi which is using WPA2-Enterprise security type.
  Thank you in advanced
  Regards,
  Tri Harnoko

  Hey harnoko,
  Welcome to the BlackBerry Support Community Forums.
  Thanks for the question.
  When adding a Wi-Fi network, change the security type to WPA2-Enterprise and fill out the required security information.
  Do you receive any specific errors when adding the Wi-Fi network?
  Let me know if you have any more questions.
  Cheers.
  -ViciousFerret
  Come follow your BlackBerry Technical Team on Twitter! @BlackBerryHelp
  Be sure to click Like! for those who have helped you.
  Click  Accept as Solution for posts that have solved your issue(s)!

• Administrative credentials when adding a WEP/WPA/WPA2 Enterprise wifi profile?

  Hello,
  Why do users need to provide administrative credentials when they install a configuration profile containing installation of a WEP Enterprise or WPA/WPA2 Enterprise Wifi-profile? This is not the case when installing a Wifi-profile usning standad WEP, WPA or WPA2.
  Is this a bug? It confuses users with user profiles when they need to confirm the installation with administrative credentials.

  I don't know the answer to your question. Maybe you can find something here:
  http://training.apple.com/pdf/WP_8021X_Authentication.pdf

• Certificate renewal with WPA2-Enterprise PEAP MS-CHAPv2

  Hello
  We have a wireless network which is secured with WPA2-Enterprise with PEAP and MS-CHAPv2. The Radius servers (Windows Server 2008r2 with the Radius Feature installed) currently use a public signed certificate. This is about to expire soon and will need to be renewed.
  The clients are non-managed and from all variety (OS, wifi-software, ...).
  The Wifi is 4400 controller based and managed with the new Prime Infrastructure 1.3.
  What is the best way to do the renewal with as little disturbance for the client as possible? The less manual interaction for the end user the better.
  Thanks
  Patrick                 

  Hello Patrick,
  As per your query i can suggest you the following steps-
  Since the root CA is the most critical CA in the hierarchy, you may prefer to have a strategy here that reduces the need to renew the root certificate often.
  The first consideration is choosing the key length of the root's public key and private key pair during setup of the root authority. By using a long key length, which is generally more secure against brute force attack than a shorter key length, you increase the length of time that the CA can use the same private key and have reasonable confidence that it has not been compromised. The second consideration is establishing the validity period of the root certificate itself. In general, you will want to create a root certificate that has a shorter validity period than the estimated lifetime of the key.
  For more information you can refer to the link-
  http://technet.microsoft.com/en-us/library/cc740209(v=ws.10).aspx
  Hope this will help you.

• WAP4410N width Security-Mode WPA2-Enterprise and WDS-Repeater

  Hi,
  i have two WAP4410N with same Firmware 2.0.7.4. One Configured as AccessPoint with "Allow wireless signal to be repeated by a repeater." and correct MAC of the repeater.
  The Repeater has same settings (WPA2-Enterprise, both WAP4410N in B/G/N-Mode) configured as "Wireless WDS-Repeater" width correct MAC of first AP.
  Problem is, that the Repeater does not repeat anything, nothing in the logfile. Are my settings correct or should i use "Wireless Client/Repeater" in my case. Does WAP4410N support Repeating in WPA2-Enterprise?
  Thanks for your assistance

  A dumb question first of all - when you entered the mac address to repeat, did you use the wireless rather than the wired mac address?
  I also found that enabling http (wireless) access to the wap4410n repeater and then disconnecting the wired connection to the wap4410n ap helped set things up better.
  If you search these forums I uploaded beta firmware that works much better than the one you're using. Alternatively you could use wap encryption, it seems that using wpa2-personnel is what messes up the firmware you're using.