• Status: Solved

Connect WM 6.1 (Samsung Omnia) WiFi to MS Domain using WPA2/AES/PEAP

Have a WM 6.1 smartphone with WiFi, corporate network (Cisco Aironet 1200) configured and functioning using WPA2/AES/PEAP.  When attempting to connect to this SSID and entering domain username and password, am unable to connect.  

Have already (on Vista machine on the network):
1) Exported (and successfully installed) the root authority cert for the domain
2) Used certmgr to generate a new personal certificate for both EFS, Client Authentication and MS Trust List Signing, EFS, Secure Email, Client Authentication and successfully installed these on the smartphone.
3) Modified the HKLM/COM.EAP/Extension/25 key to include a new DWORD value of "ValidateServerCert" with a DWORD value of 0 (00000000) on the smartphone.

Still unable to connect.  Get the username and domain pop up, enter correct values, but unable to authenticate.

3 Solutions
Silly question, but are you using the 'domain\userid' format?
JohnValue (Author) Commented:
Good question: I have tried all combinations (that I can think of): username@domainname, domain\username, username alone, and all combinations of those in the userid field with domainname, and full domainname (including the @) in the domain field as well as leaving domain blank. None allow a connect.
JohnValue (Author) Commented:
Any ideas at all would be appreciated, I have started from scratch on the phone but get the same results.  Maybe something in Active Directory?  Any ideas on a different certificate?  Any help is appreciated, and the points are now at 500.

I would look at the event log on the RADIUS server (IAS?) and see what the errors are.
It might give you a hint.
JohnValue (Author) Commented:
Yes, mrnetbios, I think it is the RADIUS policy causing the problem. Great work.

Now, how do I create or modify my RADIUS policy to allow the Windows Mobile device?

My current RADIUS policy is:
NAS-Port-Type matches "Wireless - IEEE 802.11" AND
Windows-Groups matches "MyDomain\Domain Users;MyDomain\Domain Computers"

Windows Mobile devices can't join a Windows 2003 domain, correct? So, this policy condition requiring "Domain Computers" membership must be the problem.

What is unique about the device is its MAC address. Is there a policy condition for MAC address?

because Windows Mobile computers aren't domain workstations as far as AD is concerned.
But that should only come into play only if the WinMo stations were trying to do "machine" authentication.
(in that case they use their workstation names as usernames, how they authenticate to the domain)
Otherwise this is a simple remote authentication and the Username value presented is what's checked.
If the "domain\" is not present it's assumed to be the server's domain.

There might be something about the cert that is still not being satisfied by these type of nodes.  I was hoping the Event log items would point you in the right direction.  I don't debug certs myself often enough to venture into detail on that.

WRT to MAC address checking:
You can edit the IAS Remote Access Policies.   The "Windows-Group matches..."  could be removed, but I would suggest that you add another policy for the WinMo devices and edit that.

Click Add...  and Select "Calling-Station-Id"    RFC 3580 is your reference here, but you may have to trace to find out the exact format and attributes your AP is using.
This will handle one value.  Might be tedious if you have many.  
You can also put a regular expression in here, if that works for you.

The above would work for a small number of remote devices. For a larger scale installation,
I've googled doing MAC authentication on IAS, and some of the solutions suggested could interfere with other use of wireless and your AP. So you'll have to consider the tradeoffs.
There are registry keys to get IAS to sub the Calling-Station-Id into the Username (http://technet.microsoft.com/en-us/library/bb742394.aspx) and then you can create an AD security group where the "users" are the MAC values.

Good luck.
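To make the two decision points in this thread concrete (the IAS remote access policy conditions quoted above, and the Calling-Station-Id check suggested for the Windows Mobile devices), here is a small evaluator written as an added example; it is not code from the original posts, IAS, or the Cisco AP. It assumes a simplified policy model (conditions are AND-ed, `Windows-Groups` with `;` means membership in any listed group, and `Calling-Station-Id` is a Python `re` pattern standing in for the IAS pattern syntax), and it models the AP's own MAC filter as a gate that runs before any RADIUS exchange, which is the behaviour the author eventually found. The MAC addresses, usernames and group names below are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 3580 section 3.21: for 802.1X the Calling-Station-Id is the station's MAC
# as upper-case hex octets separated by hyphens, e.g. "00-10-A4-23-19-C0".
RFC3580_MAC = re.compile(r"^[0-9A-F]{2}(?:-[0-9A-F]{2}){5}$")


def normalize_mac(raw: str) -> str:
    """Canonicalize the forms APs actually send (colons, hyphens, Cisco dotted
    quads, mixed case) to the RFC 3580 form before any comparison."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    mac = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    assert RFC3580_MAC.match(mac)
    return mac


@dataclass(frozen=True)
class AccessRequest:
    username: str
    nas_port_type: str
    calling_station_id: str      # raw value as sent by the AP
    windows_groups: frozenset    # groups resolved from AD for the user


@dataclass(frozen=True)
class Policy:
    name: str
    nas_port_type: Optional[str] = None
    windows_groups: Optional[str] = None        # "A;B" = member of A OR B
    calling_station_id: Optional[str] = None    # regex over RFC 3580 form


def policy_matches(policy: Policy, req: AccessRequest) -> bool:
    """All configured conditions must hold (IAS ANDs the conditions)."""
    if policy.nas_port_type is not None and req.nas_port_type != policy.nas_port_type:
        return False
    if policy.windows_groups is not None:
        wanted = {g.strip() for g in policy.windows_groups.split(";")}
        if not (wanted & req.windows_groups):
            return False
    if policy.calling_station_id is not None:
        if not re.fullmatch(policy.calling_station_id, normalize_mac(req.calling_station_id)):
            return False
    return True


def decide(req: AccessRequest, ap_mac_filter: Optional[List[str]],
           policies: List[Policy]) -> Tuple[str, Optional[str]]:
    """Return (stage, detail). An AP-side MAC filter rejects the station before
    EAP starts, so RADIUS never sees the request and logs nothing for it."""
    mac = normalize_mac(req.calling_station_id)
    if ap_mac_filter is not None and mac not in {normalize_mac(m) for m in ap_mac_filter}:
        return ("ap-mac-filter", mac)
    for policy in policies:          # first matching policy wins, as in IAS
        if policy_matches(policy, req):
            return ("radius-accept", policy.name)
    return ("radius-reject", None)


# Constructed scenario: the policy quoted in the thread plus a second one keyed
# on a (placeholder) handset OUI prefix, and a phone sending a colon-form MAC.
EXISTING_POLICY = Policy(
    name="Wireless domain users",
    nas_port_type="Wireless - IEEE 802.11",
    windows_groups="MyDomain\\Domain Users;MyDomain\\Domain Computers",
)
WINMO_POLICY = Policy(
    name="Windows Mobile handsets",
    nas_port_type="Wireless - IEEE 802.11",
    calling_station_id=r"00-1A-8A-.*",   # placeholder OUI, not a real vendor claim
)
PHONE = AccessRequest(
    username="MyDomain\\user1",
    nas_port_type="Wireless - IEEE 802.11",
    calling_station_id="00:1a:8a:12:34:56",
    windows_groups=frozenset({"MyDomain\\Domain Users"}),
)


def scenario(ap_mac_filter: Optional[List[str]]) -> Tuple[str, Optional[str]]:
    return decide(PHONE, ap_mac_filter, [WINMO_POLICY, EXISTING_POLICY])


if __name__ == "__main__":
    print(scenario(["00-1A-8A-AA-BB-CC"]))   # filtered at the AP, RADIUS silent
    print(scenario(["00-1A-8A-12-34-56"]))   # phone's MAC added: reaches RADIUS
    print(scenario(None))                    # no AP filter at all
```

Two things the model makes visible. First, the existing policy already admits the phone: a user who is a member of `Domain Users` satisfies the `Windows-Groups` condition, so the `Domain Computers` entry only matters for machine authentication, as mrnetbios says. Second, when the AP's own MAC filter drops the station, nothing reaches IAS, which is why an empty RADIUS event log for the handset is itself a useful clue. A `Calling-Station-Id` condition identifies a device but does not authenticate it (a MAC is trivially copied), so keep it as an extra gate alongside PEAP rather than as a replacement for it.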
JohnValue (Author) Commented:
It turns out that the problem was that my wireless access point was litering by MAC address, so as soon as I added the MAC address of my Windows Mobile device, it connected.

I appreciate everyone's help in helping me narrow down what it wasn't, and so find what it was.
JohnValue (Author) Commented:
Oops, I should have said filtering by MAC address (not litering).
Question has a verified solution.