No 'Use System Certificates' in wifi settings - Samsung Galaxy S9+ Questions & Answers

Hi,
I am connecting to my university's wifi and I am unable to use their settings. From their settings, I am to choose PEAP for EAP Method, MSCHAPV2 for phase 2 authentication and Use System Certificates for CA Certificate; however, my phone only gives me the options of Select Certificate and Do Not Authenticate.
Is there something I haven't installed or am I missing something?
Thanks

Did you solve this? I'm having the same

No, still haven't figured it out. Been working by using do not authenticate.

I'm monitoring this thread daily - I have to settle for a "guest" connection at my work (College) until a system cert. option becomes available - it is a tremendous pain logging in all the time etc... I'm surprised this issue isn't more prevalent. This seems to be the only thread with this issue raised.

I am having the exact same issue with my university wifi login

I've also been having this exact issue trying to log in to my university's wifi. It's really stressing me out. Hopefully a solution is found soon.

Problem solved
Hi there,
I encountered exactly the same problem on my S9 and have solved it now. The problem is the system certification is not installed on our devices. The solution is quite simple. Just download and install the App "eduroam CAT", and then it will automatically search for the eduroam of your university. After inputting your user name and password, it will automatically download the required certification and directly connect to the eduroam network. Hope this helps.

doubledou said:
Hi there,
I encountered exactly the same problem on my S9 and have solved it now. The problem is the system certification is not installed on our devices. The solution is quite simple. Just download and install the App "eduroam CAT", and then it will automatically search for the eduroam of your university. After inputting your user name and password, it will automatically download the required certification and directly connect to the eduroam network. Hope this helps.
Unfortunately I've tried that and it's still not working. Glad to hear your wifi is working, however.

doubledou said:
Hi there,
I encountered exactly the same problem on my S9 and have solved it now. The problem is the system certification is not installed on our devices. The solution is quite simple. Just download and install the App "eduroam CAT", and then it will automatically search for the eduroam of your university. After inputting your user name and password, it will automatically download the required certification and directly connect to the eduroam network. Hope this helps.
Thanks! Worked for me on Galaxy A7 2017 on Android 8 (where the option "use system certificates" doesn't exist) when connecting to Eduroam on the University of São Paulo.

ssadtru said:
Hi,
I am connecting to my university's wifi and I am unable to use their settings. From their settings, I am to choose PEAP for EAP Method, MSCHAPV2 for phase 2 authentication and Use System Certificates for CA Certificate; however, my phone only gives me the options of Select Certificate and Do Not Authenticate.
Is there something I haven't installed or am I missing something?
Thanks
Can the IT department for the school provide you with a downloadable certificate file so you can choose that?
This is something they should be able to do (provided they know how)

I have an S9 and the same problem. I solved it as follows:
Since my university doesn't say where to download the CA certificate, I went to my Windows 10 laptop that was logged in to the WiFi of the uni because I think it gets downloaded when I connect with Windows (or maybe Windows asked me to confirm the certificate?).
I exported (using binary format) the CA certificate - "thawte" was the issuer
I emailed it to myself, and from my email on my phone, saved the attached certificate to Android's file system.
I imported/installed the certificate in the Android 8 system.
Finally, I chose it (it appeared in "CA Certificate" drop-down menu) when signing in to WiFi
My theory is that often University IT departments outsource WiFi to third-party companies whose main goal is to make them easy to use on Windows/MacOS. Since many people don't have the latest Android (8), they don't understand what is going on.
Ideally, the IT folks should tell you where to download the certificate (so you won't have to export it from another PC), as in the explanation given at the University of Illinois (Google the text "How to manually set up IllinoisNet on the Android OS" since XDA won't let me post links).

How were you able to find out which certificate was tied to your uni's wifi? I finally got all of the other steps down, but finding out which one is relevant is still hard for me to do.

My university advertises cat.eduroam.org as solution for no certificates. Haven't tried it myself, as I didn't need it, but worth a shot.

After upgrading to Oreo on my S7, I was having the same problem for both my Uni's wifi and with eduroam. I solved it in a similar way as TheFuhrmanator. Make sure you've connected to Uni's wifi on your Windows 10 laptop at least 1 time to make sure the connection works.
Go to the Windows 10 Certificate manager (Start -> type 'certificate' -> Manage Computer Certificates)
Expand the folder Trusted Root Certification Authorities -> Certificates
Right click USERTrust RSA Certification Authority (and maybe AddTrust External CA Root) and export them to DER Encoded Binary format. I found the exact ones to export from https://it.umn.edu/wifi-windows-10-setup-guide
Copy the exported files to phone
On phone, go to Lock Screen and Security -> Other Security Settings -> Install certificates from storage (select the option to use the certificate for WiFi)
Connect to eduroam and select USERTrust RSA Certification Authority or whatever you named it

Process that we have worked out for certificate installation and connection
This isn't eduroam-specific, but our organization created this documentation, at wifi.lihc.on.ca with the installation process. We created a PEM-encoded ".cer" for our particular certificate chain, including the root and the two other required chained certificates.
The process is relatively painless, all things considered, but still an unnecessary step where the device already has the certificate installed.

I don't have "USERTrust RSA Certification Authority", only "AddTrust External CA Root".

Hello there
Just in case anyone still has this problem. I figured it out for my specific case with both the CAMPUS and EDUROAM networks at my university. The wifi network configuration required me to select for both cases:
EAP method: PEAP
Phase 2 Authentication method: MSCHAPV2
CA certificate: Greyed out and set to "Use system certificates"
Online certificate status, Choose : DO NOT VALIDATE
Even after I typed the username and password, the connect button would be disabled and I was always requested to provide a domain address, otherwise I would not be able to connect. So I downloaded the CA certificate configuration provided at https://cat.eduroam.org/# for my school in Canada. The file you download does not do anything in Android, so "double-click" gives no joy. Now, my aha! moment came when I opened the file in a text editor; somewhere around all the encrypted gibberish you will see something that says:
</CA><ServerID>xxxx.yyyy.zzz</ServerID>
I suppose that would be the certificate authority address for my school. So, I added this address in the domain address and voilà! Connect button enabled and connection working all good for both cases. I hope this helps someone now. Important to mention, I found this post looking for the problem but now I have a Google Pixel 5, but I'm sure the solution will work with any Android phone.
----EDIT----
I just realized something else. I noticed someone said they will just keep using the GUEST network at their school even if it meant logging in every day, which is pretty stupid and annoying at this point in time. IN MY CASE, when I tried the GUEST school network as a likewise temporary solution, I would be redirected to the school's wifi portal for authentication. It turns out this portal has the same address as the CA authority (https://xxxx.yyyy.zzz/WHATEVER?STUFF......).
My point being, if your case does not involve EDUROAM of any form to allow you to get a config file and see the CA authority address, well, it stands to reason that it is the same server for both CAMPUS and GUEST networks used for authentication. At least it is worth trying this address if you are out of options.
Cheers!
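
An added example, not part of the post above and not eduroam CAT's own code: it reads the `<CA>` and `<ServerID>` elements from a CAT-style eap-config file and builds a wpa_supplicant network block that pins both the CA and the server name, refusing to produce one when either is missing. The sample profile, `radius.example.edu`, the file path and the placeholder CA bytes are constructed; treating the `<CA>` body as base64 DER and unnamespaced element names are assumptions about the file format.

```python
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

# EAP method numbers as they appear in <Type> (25 = PEAP, 26 = MSCHAPv2).
EAP_NAMES = {13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPV2"}

# Constructed sample profile. The CA body is placeholder bytes, not a real
# certificate, and radius.example.edu is a made-up server name.
PLACEHOLDER_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE = """<EAPIdentityProviderList>
  <EAPIdentityProvider ID="constructed-example" namespace="urn:RFC4282:realm">
    <AuthenticationMethods>
      <AuthenticationMethod>
        <EAPMethod><Type>25</Type></EAPMethod>
        <ServerSideCredential>
          <CA format="X.509" encoding="base64">{ca}</CA><ServerID>radius.example.edu</ServerID>
        </ServerSideCredential>
        <InnerAuthenticationMethod>
          <EAPMethod><Type>26</Type></EAPMethod>
        </InnerAuthenticationMethod>
      </AuthenticationMethod>
    </AuthenticationMethods>
  </EAPIdentityProvider>
</EAPIdentityProviderList>
""".format(ca=base64.b64encode(PLACEHOLDER_DER).decode())


def _children(elem, name):
    """Direct children with the given local name, ignoring any XML namespace."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def _eap_type(parent):
    """Numeric EAP type of the first <EAPMethod><Type> under parent, or None."""
    for method in _children(parent, "EAPMethod"):
        for type_elem in _children(method, "Type"):
            return int(type_elem.text.strip())
    return None


def parse_eap_config(xml_text):
    """Return one dict per <AuthenticationMethod>: EAP types, server names, CA bytes."""
    methods = []
    for am in ET.fromstring(xml_text).iter():
        if am.tag.rsplit("}", 1)[-1] != "AuthenticationMethod":
            continue
        inner = None
        for wrapper in _children(am, "InnerAuthenticationMethod"):
            inner = _eap_type(wrapper)
        ca_der, server_ids = [], []
        for cred in _children(am, "ServerSideCredential"):
            for ca in _children(cred, "CA"):
                ca_der.append(base64.b64decode("".join((ca.text or "").split())))
            server_ids += [s.text.strip() for s in _children(cred, "ServerID") if s.text]
        methods.append({"outer": _eap_type(am), "inner": inner,
                        "server_ids": server_ids, "ca_der": ca_der})
    return methods


def ca_summary(method):
    """(sha256 hex, PEM text) per CA, for comparison with the value IT publishes."""
    return [(hashlib.sha256(der).hexdigest(), ssl.DER_cert_to_PEM_cert(der))
            for der in method["ca_der"]]


def wpa_network_block(ssid, identity, method, ca_path):
    """Build a PEAP network block that validates the server's CA and name.

    ca_path is where the caller has saved the PEM from ca_summary(). Only the
    first ServerID is used; the password is left for the user to add.
    """
    if method["outer"] != 25 or method["inner"] not in EAP_NAMES:
        raise ValueError("this example only handles PEAP with a known inner method")
    if not method["ca_der"] or not method["server_ids"]:
        # Without both values the client cannot tell the real server from a
        # lookalike, which is the "Do not authenticate" situation.
        raise ValueError("profile lacks a CA or ServerID; refusing to emit config")
    server = method["server_ids"][0]
    for value in (ssid, identity, ca_path, server):
        if '"' in value or "\n" in value:
            raise ValueError("value cannot be quoted safely: %r" % value)
    inner_name = EAP_NAMES[method["inner"]]
    return "\n".join([
        "network={",
        '    ssid="%s"' % ssid,
        "    key_mgmt=WPA-EAP",
        "    eap=PEAP",
        '    phase2="auth=%s"' % inner_name,
        '    identity="%s"' % identity,
        '    ca_cert="%s"' % ca_path,
        '    domain_suffix_match="%s"' % server,
        "}",
    ])


if __name__ == "__main__":
    profile = parse_eap_config(SAMPLE)[0]
    for fingerprint, _pem in ca_summary(profile):
        print("CA sha256:", fingerprint)
    print(wpa_network_block("eduroam", "user@example.edu", profile,
                            "/etc/wpa_supplicant/eduroam-ca.pem"))
```

On Android the same two values go into the "CA certificate" and "Domain" fields of the network dialog.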

Flogisto said:
Hello there
Just in case anyone still has this problem. I figured it out for my specific case with both the CAMPUS and EDUROAM networks at my university. The wifi network configuration required me to select for both cases:
EAP method: PEAP
Phase 2 Authentication method: MSCHAPV2
CA certificate: Greyed out and set to "Use system certificates"
Online certificate status, Choose : DO NOT VALIDATE
Even after I typed the username and password, the connect button would be disabled and I was always requested to provide a domain address, otherwise I would not be able to connect. So I downloaded the CA certificate configuration provided at https://cat.eduroam.org/# for my school in Canada. The file you download does not do anything in Android, so "double-click" gives no joy. Now, my aha! moment came when I opened the file in a text editor; somewhere around all the encrypted gibberish you will see something that says:
</CA><ServerID>xxxx.yyyy.zzz</ServerID>
I suppose that would be the certificate authority address for my school. So, I added this address in the domain address and voilà! Connect button enabled and connection working all good for both cases. I hope this helps someone now. Important to mention, I found this post looking for the problem but now I have a Google Pixel 5, but I'm sure the solution will work with any Android phone.
----EDIT----
I just realized something else. I noticed someone said they will just keep using the GUEST network at their school even if it meant logging in every day, which is pretty stupid and annoying at this point in time. IN MY CASE, when I tried the GUEST school network as a likewise temporary solution, I would be redirected to the school's wifi portal for authentication. It turns out this portal has the same address as the CA authority (https://xxxx.yyyy.zzz/WHATEVER?STUFF......).
My point being, if your case does not involve EDUROAM of any form to allow you to get a config file and see the CA authority address, well, it stands to reason that it is the same server for both CAMPUS and GUEST networks used for authentication. At least it is worth trying this address if you are out of options.
Cheers!
I'm working to resolve this for my university. What CA file are you referring to, here? The certificate does not contain a ServerID tag, and our university does not issue certificates from this eduroam page.

Related

Solution: PEAP authentication without server certificate validation!

I struggled for several days to get my 8525 (Cingular 1.34) to authenticate either PEAP or LEAP against my work network. I never did figure out how to get LEAP to work, but I did get PEAP going. I've added a new section to the wiki http://wiki.xda-developers.com/index.php?pagename=Hermes_Registry covering how to disable checking of the authentication server's certificate.
We didn't pay the $$$$ for a commercial certificate, so on all our XP clients we uncheck the "Validate server certificate" option....no such beastie on Cingular 1.34 at least. Turns out there's a reg key one can add to disable the validation:
Code:
\HKLM\Comm\EAP\Extension\25\ValidateServerCert=dword:00000000
does the trick.
Hope this helps someone else trying to get PEAP to work with their WiFi!
Note also that connectivity to our Cisco APs seem to work MUCH better when I slide the WiFi PowerManagement slider over to performance. My cheapo D-Link router works fine at any setting, but the Ciscos seem to drop packets right and left with power management happening.
Richard
Humm sounds interesting, but I am not sure that I understood everything.
First, are you sure that you are talking about PEAP auth with certs and not just EAP-TLS? The registry path refers to ...\EAP\...
Secondly, why not just add your CA as trusted CA on your PPC? It seems to be the way to go in your case.
fun_key said:
Humm sounds interesting, but I am not sure that I understood everything.
That's Ok, I'm *SURE* I don't understand everything!
fun_key said:
First, are you sure that you are talking about PEAP auth with certs and not just EAP-TLS? The registry path refers to ...\EAP\...
I'm sure only in that my IT guy swears we only support PEAP and he could see my authentication failing until I added the switch and now he sees me authenticating PEAP successfully.
fun_key said:
Secondly, why not just add your CA as trusted CA on your PPC? It seems to be the way to go in your case.
I agreed, but I think IT wants to leave their options open for future certificates. If I hadn't been successful with this, that was going to be my next try.
Richard
5 hours of searching and you had the solution!
thanks
rb2k said:
5 hours of searching and you had the solution!
thanks
Glad to be of assistance! FWIW, this also works with the 2.15 Cingular ROM.
Richard
rsolomon said:
I struggled for several days to get my 8525 (Cingular 1.34) to authenticate either PEAP or LEAP against my work network. I never did figure out how to get LEAP to work, but I did get PEAP going. I've added a new section to the wiki http://wiki.xda-developers.com/index.php?pagename=Hermes_Registry covering how to disable checking of the authentication server's certificate.
We didn't pay the $$$$ for a commercial certificate, so on all our XP clients we uncheck the "Validate server certificate" option....no such beastie on Cingular 1.34 at least. Turns out there's a reg key one can add to disable the validation:
Code:
\HKLM\Comm\EAP\Extension\25\ValidateServerCert=dword:00000000
does the trick.
Hope this helps someone else trying to get PEAP to work with their WiFi!
Note also that connectivity to our Cisco APs seem to work MUCH better when I slide the WiFi PowerManagement slider over to performance. My cheapo D-Link router works fine at any setting, but the Ciscos seem to drop packets right and left with power management happening.
Richard
Do you know how to do this on WM6.0? The option isn't there. Attached is what I see.
ranger47 said:
Do you know how to do this on WM6.0? The option isn't there. Attached is what I see.
Create the same registry key- it wasn't there in WM5 either. I can confirm that this works on my Tilt/Kaiser running WM6.
Richard
rsolomon said:
Create the same registry key- it wasn't there in WM5 either. I can confirm that this works on my Tilt/Kaiser running WM6.
Richard
I guess I missed the "add" part. Anyways, it connects but is VERY unreliable. Whenever I turn on the device it makes me type in my password even though it is stored or just doesn't work. If it doesn't work I go into the settings and a lot of times the "Use IEEE 802.1x" is unchecked or the EAP type is changed to smart card. Sometimes even still it doesn't work until I reboot or disable and re-enable wifi. Even then it doesn't always work. Anyone else having similar problems?
ranger47 said:
I guess I missed the "add" part. Anyways, it connects but is VERY unreliable. Whenever I turn on the device it makes me type in my password even though it is stored or just doesn't work. If it doesn't work I go into the settings and a lot of times the "Use IEEE 802.1x" is unchecked or the EAP type is changed to smart card. Sometimes even still it doesn't work until I reboot or disable and re-enable wifi. Even then it doesn't always work. Anyone else having similar problems?
Not sure you're really fighting the PEAP certificate problem then. Note also that our Cisco APs don't like the power management setting on anything other than high performance.
Richard
rsolomon said:
Not sure you're really fighting the PEAP certificate problem then. Note also that our Cisco APs don't like the power management setting on anything other than high performance.
Richard
Thanks for the reply! So under WLAN - Power Mode - Best Performance? That is what I have it on. Pretty weird... I am using it right next to my laptop which has an "excellent" connection. My Hermes shows 2-3 bars. Any other ideas?
Hi
I've bought an HTC Tornado (T-Mobile SDA, unlocked) with Windows Mobile 5 smartphone to take advantage of our WiFi network. I am having problems setting up my WiFi connection and I can't find a solution... please help me...
When using my laptop wifi connect I set up the following
My network name (SSID) - Utech-Students
Network Authentication OPEN
Data Encryption WEP
key is automatically provided (i tick this option)
Enable IEEE 802.1x authentication for this network
EAP Type as PEAP.
Then under configuration of PEAP I uncheck Validate Server
Certificate and authentication method selected as "Secured password (EAP-MSCHAP v2) and "enable fast reconnect" is also ticked.
With these settings it works perfectly well in laptop.
But with these settings made in the SDA phone it gives the following error messages:
"The server certificate is issued by an unknown authority" and
"Cannot log on to the wireless network. This network requires a personal certificate to positively identify you."
I NEED HELP DESPERATELY ...
Please note that I am not computer savvy... so please help me to
understand the things I am supposed to do.
Awaiting to hear from you ...thanking you in advance
SDA said:
Please note that I am not computer savvy... so please help me to understand the things I am supposed to do.
I'm sorry, do you mean to say that you found this thread and have not tried what's here or ?????
Richard
Hi, I've bought an HTC Touch and although I created the dword value you mention in this thread, I still have the same problem.
Does anyone have the same problem with WM6?
Thanks
spern said:
Does anyone have the same problem with WM6?
Same value confirmed working with WM6 on the TyTNII/AT&T Tilt. Note that it *ONLY* solves the one type of problem described here....
Richard
Worked on Dash (WM5) Not on 8525 (WM6)
spern said:
Hi, I've bought an HTC Touch and although I created the dword value you mention in this thread, I still have the same problem.
Does anyone have the same problem with WM6?
Thanks
I am. I added the key on both a Dash running stock WM5 and an 8525 running Schap's 4.31 ROM and it only works on the Dash - same wifi config on both connecting to the same network.
Now after days of reading I found a solution for all the devices that couldn't connect with the modified reg key (HKLM/COMM/EAP/EXT....ValidateServerCert) to a wpa and eap-mschap secured wlan.
To enable the EAP options you have to install the securew2 client. Once you have installed it, you can choose as the authentication method one of those securew2 has provided (this is where you see PEAP and 802.1X) in the WLAN Connections. Just select the TTLS method and disable the outer authentication and the certificate validation in the options. Now you can select EAP and MS-chapv2 in the authentication tab of the securew2 client, and at least you can sign in here with your name, password and domain. You can also set a profile with your settings in the Securew2 client.
This Solution has worked for me on a HTC Touch Cruise(XDA-Orbit-2).
Hello,
I have the problem of logging in a secured network, and I found the solution
here of adding the registry value. I am working with WM 6.1.
Maybe my question is a stupid one, but I don't understand what exactly I have
to add - a key named "ValidateServerCert", and set its default value to 0,
or create a value named "ValidateServerCert" under the key "25", make it
DWORD type, and give it the value of 0...
What should I add?
Thanks!
Hello, this is a serious problem I think,
I wasn't able to get this going...
I tried the reg key method (but I am not sure if I did this correctly)
and I installed the w2secure client (didn't work either)
so further explanation is required (PLEASE)
Sorry if this post doesn't sound very polite but I did my best ^^
BTW, I don't own a Hermes but a Touch Diamond with WinMo 6.1
Richard,
Great call. Spent a couple of hours trying to configure my touch pro to stop asking for a personal certificate with no joy. Upping power save mode to 'best performance' allowed it to authenticate straight away. Once this was done, dropped it to best battery and everything seems to work fine (famous last words of course).
Hello all. I have a cingular 8125 and found the same problem with the wifi access. I am new to total commander and I understand the process, however I do not know how to create the registry listed above to correct the problem. Any help with the program would be great, thanks.

[Q] New question... Do any of the ROMs support Proxy wifi settings?

I didn't get much response on my previous question about proxy support for the stock ROM, so I was wondering if any of the alternate ROMs include it. I would very much like to have access to the internet at work, but the school district requires logon through a proxy server (content filter) before you can access the WiFi network. I realize that port restrictions that the district places on the network will likely prevent me from accessing the market, gmail, or voice search. But at school, I would most like to just access Flash-based educational websites for kids.
Any thoughts on this? The district is moving toward ipads as the tablet platform of choice because of the lack of proxy support with Android. But the ipads lack of support for flash really hinders what I want a tablet to be able to do for me. (Yes, I want my cake and eat it too!) Is this too much to ask?
I connect my gtab to my school's wireless that is using 802.1x EAP for wireless security. I had to install a mod that changed the settings app and allowed advanced wireless settings. That allowed me to put in the authentication type, domain name, password, etc. Once connected, I ran a mod that set it back to the original settings app. I asked in your previous post as to whether you are having problems actually getting on the wireless or, once on, you can't get by the web filter. We use websense here. Once I got on the wireless, there was a websense authentication dialog that popped up. Once I put my domain\username and password in, it works fine.
It won't even let me connect to the district network because I don't have anywhere to enter the proxy settings in the wifi set up box.
Assuming you have Pershoot's or Clemsyn's Kernel (or one of the better ROMs), you need something like ASProxy. I use it at work all the time and it does the job. There is a free program called TransParentProxy which is more limited but does allow you to quickly test settings without spending any money.
I do not see a proxy setting in the wpa_supplicant.conf file. My understanding of this file is that it lists all possible settings available for Wi-Fi configurations.
# This file describes configuration file format and lists all available option.
Previously I've only needed to access a proxy after connecting to the network. Perhaps you have run into a problem getting connected to your network using the tablet's Wi-Fi settings manager. So connecting to the network might be your first step and then connecting to the proxy your 2nd.
I found the free Wifi Advanced Config Editor (WifiACE on the Android Market) to have a GUI to easily configure advanced Wi-Fi settings not found in the tablet's settings. I realized when trying to set up an advanced configuration I needed to create a new connection in the tablet's WiFi Settings with the security of NONE to avoid having some of the wrong settings configured by default. Then using the information from my network admin I manually set the options via the WifiACE GUI, un-checking NONE, and bingo I got connected.
I recommend WifiACE with one caveat: make sure you have a way (like adb) working and know how to back up, delete, and restore files and that you make a backup of all wpa_supplicant.conf files on your tablet.
My caveat comes because on my first reboot after I got connected to the Enterprise network at work the Wifi would not start or run. It would only display "error" and do nothing. Several reboots later it still wouldn't start and without Wi-Fi running there is no way to make configuration changes either through WifiACE or the tablet's Wi-Fi Settings. I had to use the adb shell to delete the newly configured wpa_supplicant.conf and create a new connection via the tablet's Wi-Fi Settings and then make the necessary changes through WifiACE. Once that was done it ran and connected. Now after multiple reboots it still works and connects. Without the ability to delete the file I'm afraid I would have had to re-flash my tablet to get Wi-Fi to work again.
I don't think you've ever mentioned what ROM you're running. If you're running stock, you will have a very difficult time, in fact it may be impossible. If you're running a different mod, there's hope. Now, assuming that you got ClockworkMod (CWM) installed, you can probably be successful in at least connecting to the wireless. If you don't have CWM installed, here's a good place to start:
http://forum.xda-developers.com/showthread.php?t=865245
Once you have CWM installed, go to this thread:
http://forum.xda-developers.com/showthread.php?t=857939
This will give you the zips for installing a different wireless config tool that will allow you to put in the 802.1x EAP config. Once you can successfully connect, you back out the tool you installed.

[SOLVED] touchpad 802.11X enterprise+certificate wifi connectivity

One of the corner cases it seems HP did not design into webOS is the ability to auto negotiate a full 802.11X connection. I managed to fix this though and my touchpad is happily connected to our office wi-fi and I figure anyone else trying this might want to check out the workaround I managed.
When I attempted to configure my touchpad to connect to an office/enterprise access point, I hit a brick wall after completing all the required steps. It was able to use the current user credentials and get to the access point itself, but failed out with a "warning, no certificate is found for this network, please contact your network administrator" type of message.
Well of course no one in our IT group had ever so much as seen WebOS and ultimately I was left to fend for myself.
The goal here is to successfully transfer the (normally auto-retrieved) 802.11X signing certificate to the touchpad so that it can properly connect to your corporate/enterprise wireless network. On other devices such as android this seems to all be automated, but on the touchpad a significant amount of manual arm-wringing was needed to get it to all work together.
Step 1: Getting a root security certificate for your company.
There are a few guides out there for various operating systems/devices which you can use. Since my office machine was Windows 7, that's what I have direct experience with.
Win7 Has a built in certificate management tool, but it is not listed in any of the menus. To get to it, enter certmgr.msc into the run panel and it will open up this handy dandy little tool.
Once you have that tool open, look into the root certificate authority folder and find your company's enterprise certificate. Hopefully it will be fairly easy to spot, i.e. if you work at company with domain X, you should see something like "X Enterprise CA".
Right click this certificate and select "All Tasks->Export" which will bring up a wizard with a few different certificate formats. After much trial and error, I found that the only one the touchpad seemed to natively understand was the "Base-64 encoded X.509". Finish the export with a file name and you can find it in your default user folder.
Step 2: Transfer this file to your touchpad
This one is a no brainer, just connect the touchpad via usb to your machine where you have this file, and drag it over.
Step 3: Importing the new certificate
All you need here is any webos file manager capable of opening a file. I used Gemini File Manager, but several free ones are also available and should work.
Open the file manager app on your touchpad, and run that certificate file. This will open a certificate manager tool on the touchpad and prompt you to trust this new certificate. Once you select to trust it, it will be brought into the system and available to use for 802.11x authentication.
Step 4: Connecting to the network
At this point all you should have to do is connect to the office wireless that was giving you trouble before, and now after giving all your authentication info it should successfully connect and offer full connectivity
It seems a little convoluted but it is awfully nice to have the touchpad be fully on-line and available around the office and you only have to do it the one time, successive connections should all just work.
I've tried this at my University, but it doesn't work for my exact situation. Hopefully it will work for others too. Kudos for figuring it out! As for me, apparently WPA2 Enterprise PEAP MSCHAPV2 is a no go until the WebOS team will update/fix it....
I managed to get connected to my MS corp wireless, but will actually see if I have network connectivity a bit later (and update this thread).
It's given me full connectivity here (I'm writing this on my touchpad on the enterprise WiFi right now). It's also worked for several other people here lucky enough to score one as well.
The biggest sticking point was getting the right certificate in the right (touchpad working) format. Once I managed to get that file, simply sending it around helped everyone else here get going in a couple minutes vs the couple hours it took when I was trying to sort it all out.
We use 802.1x at work without server certs. Just peap and mschap v2. I haven't had any luck connecting though. Anyone else been able to?
Looks like PEAP support is a major sticking point.
There's a tutorial here: http://www.webos-internals.org/wiki/Advanced_Wifi
(I changed some of the script as per the thread I got the link from here: http://forums.precentral.net/hp-touchpad/288229-wifi-enterprise-802-1x.html)
I tracked down the ARM wpa_supplicant package here: http://packages.debian.org/squeeze/armel/wpasupplicant/download
And the libreadline.so.6 package here:
http://packages.debian.org/squeeze/armel/libreadline6/download
.DEB packages just have .TAR files inside them so I extracted what I needed using 7Zip and used WebOSQuickInstall to copy the files to the TP.
Even after following the other directions though, I consistently get an error saying:
Failed to connect to wpa_supplicant - wpa_ctrl_open: No such file or directory
Not having much luck...
What's odd is our network looks like it does have PEAP set but with this certificate it's working on the touchpad just fine.
It uses our Exchange login info with a slightly off domain but even that has not thrown it.
The exact network configuration visible in the windows properties for the wireless link here is as follows:
Security: WPA2-Enterprise
Encryption: AES
Network Authentication: PEAP
Validate Server Certificate
Secured Password (EAP-MSCHAPv2) (Automatically use windows login/pass/domain)
Fast Reconnect
I haven't had luck with anything so far.
Is anyone willing to make a patch to fix the MSCHAPv2 problems? I'm willing to donate to your cause if I can get my TouchPad to connect to my school's wireless, as it's essentially useless right now.
The network here uses WPA-Enterprise (not WPA2), and PEAP with password authentication only (no cert needed - as far as I'm aware it doesn't issue one to the phone).
I managed to get the TP to say "no network with that name and security method" found when I had the protocol set to IEEE801X, it doesn't do it when I set it to WPA-EAP though.
Essentially, using (what I believe to be) the exact same settings that work with my SGS2, doesn't work with the TouchPad.
It looks like at best the enterprise stuff is kinda half baked. If you need a certificate, webos is capable of *using* one, but not generating it. If it's non-certificate based, it seems to just fail out entirely.
Have you guys who are having the failures had luck with other devices like laptops etc.? If so, what are the settings used to establish that successful connection? It seems like the touchpads are *capable* of maintaining PEAP/MSCHAPv2 connections, as that is the setup my office uses, but for some reason without the certificate requirement it just is glitching out and won't establish the connection in the first place.
eltee said:
It looks like at best the enterprise stuff is kinda half baked. If you need a certificate, webos is capable of *using* one, but not generating it. If it's non-certificate based, it seems to just fail out entirely.
Have you guys who are having the failures had luck with other devices like laptops etc.? If so, what are the settings used to establish that successful connection? It seems like the touchpads are *capable* of maintaining PEAP/MSCHAPv2 connections, as that is the setup my office uses, but for some reason without the certificate requirement it just is glitching out and won't establish the connection in the first place.
My Windows7 laptop and my WP7 Samsung Focus both securely connect to the network fine. My TouchPad is the first device I've ever heard of having issues connecting.
Hell, my roommate even has his PS3 and XBOX connected.
Thanks OP! Method works on Swansea University Eduroam.
bump now that we have a 3.03/04 update
anyone know if it worked?
Installed the WiFi Certificate but still no luck.
Any other workarounds out there?
Just updated (manually) to the leaked 3.0.3 version and it's resolved the Enterprise Wifi connection issue.
Confirmed, my WiFi works. Enterprise mschapv2 PEAP without certificate. 3.0.3. Now I can leave my laptop at home and use splashtop if I need anything.. *rock on*
I can also confirm that the certificate issue has been solved in 3.03, but now I can't set a proxy, has anyone been able to?
PEAP/MSCHAPv2 fixed with "official" 3.04 OTA too
PEAP/MSCHAPv2 authentication has stayed fixed with the official 3.04 OTA update.
I've just checked that I can connect to an eduroam connection configured this way at a UK university, which the TouchPad couldn't do before.
professordes said:
PEAP/MSCHAPv2 authentication has stayed fixed with the official 3.04 OTA update.
I've just checked that I can connect to an eduroam connection configured this way at a UK university, which the TouchPad couldn't do before.
awesome news, I will be testing mine out today when I get to school.
update: I was able to connect at my school, but I had to uncheck the cert box to get it to work.
Yup, I removed my custom certificate on 3.04 and re-joined the access point. It had some new options about authentication built in and sure enough just worked, no issues.
Looks like the little crazy work-around won't be needed anymore

[Q] Can Android block bad Wi-Fi certificates?

I'm setting up WPA-Enterprise authentication for my company's wireless network, and I've hit an annoying snag: Android will happily connect to any access point with the company's SSID, and send its login credentials, regardless of whether the server's certificate is valid or not. I'm using FreeRADIUS and PEAP with MS-CHAPv2, for those who know what that means.
Basically, any nasty person could rock up outside our front door with their own Wi-Fi access point, RADIUS server, and self-signed certificate. They could then just sit there and collect password hashes* as the phones inside the building try to authenticate against the attacking system.
Is there any way of making these devices actually verify the certificates they see?
*Not technically correct I know, but still crackable.

Question Problem with Enterprise WiFi - Android 12

Hi,
Can someone help me with this problem?
Since I updated my Xperia 1 III this morning, I can't connect to my two different Enterprise WiFi networks.
The WiFi window asks me for a domain name, but our IT admin doesn't know anything about it.
Without domain name, my connect button is greyed out, can someone help me to fix this without rooting my phone?
PURPOSE OF DOMAIN FIELD WHEN CONNECTING TO WIFI 802.1X (PEAP) ANDROID 11 PIXEL - Google Pixel Community
Does this help? I just googled a bit so I'm not too sure about your issue. You can also show this to your IT admin, maybe he will understand it better.
hotcakes_shinku said:
PURPOSE OF DOMAIN FIELD WHEN CONNECTING TO WIFI 802.1X (PEAP) ANDROID 11 PIXEL - Google Pixel Community
Does this help? I just googled a bit so I'm not too sure about your issue. You can also show this to your IT admin, maybe he will understand it better.
Thank you for your answer.
Unfortunately this can't help me, because my company isn't using "freeradius".
I spent the whole day on Google trying to find a fix or temporary solution.
almirsahbaz said:
Thank you for your answer.
Unfortunately this can't help me, because my company isn't using "freeradius".
I spent the whole day on Google trying to find a fix or temporary solution.
Domain issue: the domain is the url name of the SSL Certificate.
The "freeradius" here is just an example. You need the url name of the SSL certificate that your company uses. It doesn't need to be freeradius
hotcakes_shinku said:
The "freeradius" here is just an example. You need the url name of the SSL certificate that your company uses. It doesn't need to be freeradius
Thank you for answering.
I know that, but my company doesn't know what their domain server is.
almirsahbaz said:
Hi,
Can someone help me with this problem?
Since I updated my Xperia 1 III this morning, I can't connect to my two different Enterprise WiFi networks.
The WiFi window asks me for a domain name, but our IT admin doesn't know anything about it.
Without domain name, my connect button is greyed out, can someone help me to fix this without rooting my phone?
I suspect you normally would use your account credentials to connect to the WiFi network?
Normally the domain name is something like "your-company.com" or "your-company.local" (even if .local wouldn't be the best choice).
If so you could look for "EAP-Method" and change the value to "PWD". There you can enter your credentials which you normally use to log in to your User-Account.
Hudrator said:
I suspect you normally would use your account credentials to connect to the WiFi network?
Normally the domain name is something like "your-company.com" or "your-company.local" (even if .local wouldn't be the best choice).
If so you could look for "EAP-Method" and change the value to "PWD". There you can enter your credentials which you normally use to log in to your User-Account.
My Enterprise WiFi network requires PEAP method.
I tried with PWD value, but it won't work.
If PEAP is the thing then you will need to provide a certificate, the domain name of the WLAN Controller... Basically everything that the posts beforehand suggest.
When you were connecting prior to Android 12 to this network, what did you need to submit? Just some credentials? Certificates? That's something your admin should be able to tell...
Hudrator said:
If PEAP is the thing then you will need to provide a certificate, the domain name of the WLAN Controller... Basically everything that the posts beforehand suggest.
When you were connecting prior to Android 12 to this network, what did you need to submit? Just some credentials? Certificates? That's something your admin should be able to tell...
This is what I needed:
EAP method: PEAP
Phase 2 authentication: MSCHAPV2
CA Certificate - Do not validate (this option is now removed, and now asks for domain, which needs to be put in)
Identity: My e-mail address
Anonymous identity: Blank
Password: My password
And that was it, I was successfully connecting to this network for years.
Well you can try to fill in the last part of your email address for domain - so everything after the "@".
As written in one of the guides, normally you would enter the domain address of the authentication server / the common name which is part of the certificate of the server...
Seems that some restrictions in Android 12 got tighter and you are now not allowed to skip the certificate validation part. Might be that now that Android 12 is going to be published more, your IT will need to change some things...
Hudrator said:
Well you can try to fill in the last part of your email address for domain - so everything after the "@".
As written in one of the guides, normally you would enter the domain address of the authentication server / the common name which is part of the certificate of the server...
Seems that some restrictions in Android 12 got tighter and you are now not allowed to skip the certificate validation part. Might be that now that Android 12 is going to be published more, your IT will need to change some things...
I'm using public hotspots from my internet provider, so I can't do that, because I'm using my @hotmail.com e-mail to access this network.
I contacted them, but they don't know how to set up a domain.
Okay... now I am a bit stunned.
You are using public hotspots (not related to your enterprise). To connect, you authenticate with the credentials that you have configured on the ISP's side?
If the hotspot is provided by your ISP you will have to ask him about accessing and credentials for the WLAN and not your IT-Admin.
Hudrator said:
Okay... now I am a bit stunned.
You are using public hotspots (not related to your enterprise). To connect, you authenticate with the credentials that you have configured on the ISP's side?
If the hotspot is provided by your ISP you will have to ask him about accessing and credentials for the WLAN and not your IT-Admin.
The thing is, I'm working for that ISP provider, so I asked their IT Admin, but I'm also their user and I'm using my private ISP account to access these hotspot locations
@almirsahbaz
Ahhhhhh - now that makes sense to me. Thanks for clearing things up. Back to your problem:
It will get troublesome....
PEAP Authentication "normally" requires the authenticator (aka the Server, Wifi Controller... some refer to it as a RADIUS-Server - which can also be a "role" performed by another server; often used are domain controllers) to offer a certificate. Simply speaking: Kind of similar to webserver-authentication for https.
Your phone then "checks" the provided certificate for validity. This validation step was "skipped". Skipping isn't supported anymore. This started already with Android 11 (depending on OEM implementations).
So your Admins will have to deploy certificates as mentioned above and provide them to you.
The "domain" field you are mentioning is used to select the certificate of the authenticator (for a user it is often easier to enter the proper name than to select the certificate out of the certificate store on the device).
The thing for you is:
You can't do anything, as your admins will have to think about the whole process. So you won't be able to use the hotspots until there have been some changes made by the admins.
What you can do is to inform the admins on the changes that Google made starting at Android 11
PSA: Android 11 will no longer let you insecurely connect to enterprise WiFi networks
The Android 11 update will break connecting to certain enterprise WiFi networks. Here's why and what you can do to fix it.
www.xda-developers.com
If they want to use PEAP further on with devices running Android 12, they will have to change something!
Hudrator said:
@almirsahbaz
Ahhhhhh - now that makes sense to me. Thanks for clearing things up. Back to your problem:
It will get troublesome....
PEAP Authentication "normally" requires the authenticator (aka the Server, Wifi Controller... some refer to it as a RADIUS-Server - which can also be a "role" performed by another server; often used are domain controllers) to offer a certificate. Simply speaking: Kind of similar to webserver-authentication for https.
Your phone then "checks" the provided certificate for validity. This validation step was "skipped". Skipping isn't supported anymore. This started already with Android 11 (depending on OEM implementations).
So your Admins will have to deploy certificates as mentioned above and provide them to you.
The "domain" field you are mentioning is used to select the certificate of the authenticator (for a user it is often easier to enter the proper name than to select the certificate out of the certificate store on the device).
The thing for you is:
You can't do anything, as your admins will have to think about the whole process. So you won't be able to use the hotspots until there have been some changes made by the admins.
What you can do is to inform the admins on the changes that Google made starting at Android 11
PSA: Android 11 will no longer let you insecurely connect to enterprise WiFi networks
The Android 11 update will break connecting to certain enterprise WiFi networks. Here's why and what you can do to fix it.
www.xda-developers.com
If they want to use PEAP further on with devices running Android 12, they will have to change something!
Thank you for your detailed answer.
I found a possible solution for them online, and I sent that to them.
I guess this is what they need to do: "Radius server's certificate needs to contain a fully-qualified domain name (FQDN) in the Common Name field."
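How a client can apply the name requirement quoted in the post above, as an added example that is not part of the original post: a label-wise suffix comparison in the style wpa_supplicant documents for its domain_suffix_match option. That the Android Domain field follows the same rule is an assumption, and every certificate name below is constructed.

```python
def suffix_match(cert_name, constraint):
    """Compare DNS labels from the right, case-insensitively."""
    name = cert_name.lower().rstrip(".").split(".")
    want = constraint.lower().rstrip(".").split(".")
    return len(name) >= len(want) and name[-len(want):] == want

def server_name_ok(san_dns, common_name, constraint):
    """Accept the server only if one presented name satisfies the constraint.

    dNSName SAN entries are checked first; the subject CN is consulted only
    when the certificate carries no dNSName at all.
    """
    if not constraint:
        return False  # an empty Domain field constrains nothing
    candidates = list(san_dns) or ([common_name] if common_name else [])
    return any(suffix_match(n, constraint) for n in candidates)

# Constructed certificates: (label, SAN dNSNames, subject CN)
CERTS = [
    ("FQDN in CN, no SAN", [], "radius.isp.example"),
    ("FQDN in SAN", ["radius.isp.example"], "Wireless Controller"),
    ("CN is not a host name", [], "Wireless Controller"),
    ("look-alike parent domain", ["radius.evilisp.example"], "radius.isp.example"),
]

def evaluate(constraint):
    """Return {label: accepted?} for every constructed certificate."""
    return {label: server_name_ok(san, cn, constraint) for label, san, cn in CERTS}

if __name__ == "__main__":
    for label, ok in evaluate("isp.example").items():
        print(f"{label:28} {'accept' if ok else 'reject'}")
```

The last case is the reason for comparing whole labels: a plain string `endswith("isp.example")` would accept `radius.evilisp.example`.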
Basically they will need to implement PEAP as it was intended, yes
Hudrator said:
Basically they will need to implement PEAP as it was intended, yes
Thank you once again for all support that you have provided
Hi,
It's me again, I'm still wondering about this issue.
I found online that Android 13 implemented the option "Trust on first use" for Enterprise WiFi networks, which is available in the drop-down menu for CA Certificate, but that feature is completely missing from my Xperia 1 III phone.
Is there some kind of trick to enable this option without rooting my phone?
almirsahbaz said:
Hi,
It's me again, I'm still wondering about this issue.
I found online that Android 13 implemented the option "Trust on first use" for Enterprise WiFi networks, which is available in the drop-down menu for CA Certificate, but that feature is completely missing from my Xperia 1 III phone.
Is there some kind of trick to enable this option without rooting my phone?
Hi there,
This works on custom ROMs (I'm using alpha droid, it's very nice, I highly recommend it).
Just today was the first time I was able to connect to server wifi, but it meant using a custom ROM, which I am completely happy with. Good luck
