Connect WM 6.1 (Samsung Omnia) WiFi to MS Domain using WPA2/AES/PEAP

Posted on 2009-04-24
Last Modified: 2013-12-09
Have a WM 6.1 smartphone with WiFi, corporate network (Cisco Aironet 1200) configured and functioning using WPA2/AES/PEAP.  When attempting to connect to this SSID and entering domain username and password, am unable to connect.  

Have already (on Vista machine on the network):
1) Exported (and successfully installed) the root authority cert for the domain
2) used certmgr to generate a new personal certificate for both EFS, Client Authentication and MS Trust List Signing, EFS, Secure Email, Client Authentication and successfully installed these on the smartphone.
3) Modified the HKLM/COM.EAP/Extension/25 key to include a new DWORD value of "ValidateServerCert" with a DWORD value of 0 (00000000) on the smartphone.

Still unable to connect.  Get the username and domain pop up, enter correct values, but unable to authenticate.

Question by: JohnValue

    Expert Comment

    Silly question, but are you using the 'domain\userid' format?

    Author Comment

    Good question:  I have tried all combinations (that I can think of): username@domainname, domain\username, username alone, and all combinations of those in the userid field with domainname and full domainname (including the @) in the domain field, as well as leaving domain blank.  None allow a connect.

    Author Comment

    Any ideas at all would be appreciated, I have started from scratch on the phone but get the same results.  Maybe something in Active Directory?  Any ideas on a different certificate?  Any help is appreciated, and the points are now at 500.

    Assisted Solution

    I would look at the event log on the RADIUS server (IAS?) and see what the errors are.
    It might give you a hint.

    Author Comment

    Yes, mrnetbios, I think it is the RADIUS policy causing the problem. Great work.

    Now, how do I create or modify my RADIUS policy to allow the Windows Mobile device?

    My current RADIUS policy is:
    NAS-Port-Type matches "Wireless - IEEE 802.11" AND
    Windows-Groups matches "MyDomain\Domain Users;MyDomain\Domain Computers"

    Windows Mobile devices can't join a Windows 2003 domain, correct? So, this policy condition requiring "Domain Computers" membership must be the problem.

    What is unique about the device is its MAC address. Is there a policy condition for MAC address?


    Assisted Solution

    Because Windows Mobile computers aren't domain workstations as far as AD is concerned.
    But that should only come into play if the WinMo stations were trying to do "machine" authentication.
    (in that case they use their workstation names as usernames, how they authenticate to the domain)
    Otherwise this is a simple remote authentication and the Username value presented is what's checked.
    If the "domain\" is not present it's assumed to be the server's domain.

    There might be something about the cert that is still not being satisfied by these type of nodes.  I was hoping the Event log items would point you in the right direction.  I don't debug certs myself often enough to venture into detail on that.

    WRT to MAC address checking:
    You can edit the IAS Remote Access Policies.   The "Windows-Group matches..."  could be removed, but I would suggest that you add another policy for the WinMo devices and edit that.

    Click Add...  and Select "Calling-Station-Id"    RFC 3580 is your reference here, but you may have to trace to find out the exact format and attributes your AP is using.
    This will handle one value.  Might be tedious if you have many.  
    You can also put a regular expression in here, if that works for you.

    The above would work for a small number of remote devices. For a larger-scale installation,
    I've googled doing MAC authentication on IAS, and some of the solutions suggested could interfere with other use of wireless and your AP.   So you'll have to consider the tradeoffs.
    There are registry keys to get IAS to sub the Calling-Station-Id into the Username, and then you can create an AD security group where the "users" are the MAC values.

    Good luck.
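The policy logic discussed in this thread (the author's NAS-Port-Type AND Windows-Groups policy, and the expert's suggestion of a second policy keyed on Calling-Station-Id, whose format varies by access point) can be seen end to end in the following added example. It is not code from the thread, IAS, or any vendor: it assumes that an Access-Request can be represented as a dict of attribute name to value, that a semicolon-separated Windows-Groups list means "member of any listed group", and that the canonical Calling-Station-Id form for 802.11 is the hyphenated upper-case MAC described in RFC 3580. The MAC addresses, user names and group names are constructed.

```python
import re

# Canonical Calling-Station-Id form for 802.11 per RFC 3580: upper-case hex
# octets separated by hyphens, e.g. "00-10-A4-23-19-C0".


def calling_station_format(raw):
    """Classify the format an AP used for Calling-Station-Id, which is what
    a trace of Access-Requests reveals before a policy condition is written."""
    if re.fullmatch(r"([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}", raw):
        return "hyphen"          # RFC 3580 style (case may still vary)
    if re.fullmatch(r"([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}", raw):
        return "colon"
    if re.fullmatch(r"([0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}", raw):
        return "dotted"          # xxxx.xxxx.xxxx as some Cisco gear prints it
    if re.fullmatch(r"[0-9A-Fa-f]{12}", raw):
        return "bare"
    return "unknown"


def normalize_mac(raw):
    """Return the MAC in canonical RFC 3580 form whatever separator the AP
    used, or None if the value does not hold exactly 12 hex digits."""
    cleaned = re.sub(r"[-:.\s]", "", raw or "")
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", cleaned):
        return None
    cleaned = cleaned.upper()
    return "-".join(cleaned[i:i + 2] for i in range(0, 12, 2))


def mac_condition_regex(allowed_macs):
    """Build one regular expression matching any allowed MAC in canonical
    form: the kind of pattern a single Calling-Station-Id condition could
    carry instead of one policy per device."""
    canon = sorted({m for m in map(normalize_mac, allowed_macs) if m})
    return re.compile("^(" + "|".join(re.escape(m) for m in canon) + ")$")


# Constructed policy data: the two conditions from the thread plus the MAC
# allow-list the expert's Calling-Station-Id condition would carry.
WIRELESS_PORT_TYPE = "Wireless - IEEE 802.11"
DOMAIN_GROUPS = {"MyDomain\\Domain Users", "MyDomain\\Domain Computers"}
WINMO_ALLOWED_MACS = ["00:1a:2b:3c:4d:5f", "aabb.ccdd.ee01"]   # constructed
WINMO_MAC_RE = mac_condition_regex(WINMO_ALLOWED_MACS)


def policy_matches(request):
    """Evaluate one Access-Request (attribute name -> value; an assumption
    of this example) against the two policies in order and return the name
    of the first that matches, or None when neither does."""
    if request.get("NAS-Port-Type") != WIRELESS_PORT_TYPE:
        return None
    # Policy 1: the author's original condition. The semicolon-separated
    # group list is treated as "member of any listed group" (assumption).
    if set(request.get("Windows-Groups", [])) & DOMAIN_GROUPS:
        return "domain-users"
    # Policy 2: the expert's per-device condition keyed on Calling-Station-Id.
    mac = normalize_mac(request.get("Calling-Station-Id"))
    if mac and WINMO_MAC_RE.match(mac):
        return "winmo-devices"
    return None


# Constructed Access-Requests, as an IAS trace might show them.
SAMPLE_REQUESTS = [
    {"User-Name": "MyDomain\\jsmith", "NAS-Port-Type": WIRELESS_PORT_TYPE,
     "Windows-Groups": ["MyDomain\\Domain Users"],
     "Calling-Station-Id": "00-1A-2B-3C-4D-5E"},
    {"User-Name": "jsmith", "NAS-Port-Type": WIRELESS_PORT_TYPE,
     "Windows-Groups": [],                        # no group data resolved
     "Calling-Station-Id": "00:1A:2B:3C:4D:5F"},  # colon form from the AP
    {"User-Name": "visitor", "NAS-Port-Type": WIRELESS_PORT_TYPE,
     "Windows-Groups": [], "Calling-Station-Id": "aabb.ccdd.eeff"},
    {"User-Name": "MyDomain\\jsmith", "NAS-Port-Type": "Ethernet",
     "Windows-Groups": ["MyDomain\\Domain Users"],
     "Calling-Station-Id": "00-1A-2B-3C-4D-5E"},
]


def evaluate_all(requests=SAMPLE_REQUESTS):
    """Return [(User-Name, Calling-Station-Id format, matched policy)]."""
    return [(r["User-Name"], calling_station_format(r["Calling-Station-Id"]),
             policy_matches(r)) for r in requests]


if __name__ == "__main__":
    for row in evaluate_all():
        print(row)
```

The second sample request shows the practical point of the expert's remark about tracing the AP: the allow-list was entered with colons and the AP sent colons too, but both only compare equal after normalization to one form, so a policy condition written in a different format than the AP emits would silently never match.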

    Accepted Solution

    It turns out that the problem was that my wireless access point was litering by MAC address, so as soon as I added the MAC address of my Windows Mobile device, it connected.

    I appreciate everyone's help in helping me narrow down what it wasn't, and so find what it was.

    Author Comment

    Oops, I should have said filtering by MAC address (not litering).
