
Neil Chapman's Blog

All things Mobile...

Wireless 802.1x authentication on Windows Mobile 5 (Part 2)

I now have some more information about using 802.1x WiFi with WM5. Keep in mind I haven't looked at third party 802.1x clients at this stage, just the WM5 default client.

I posted in my last blog that I couldn't understand why a username/domain prompt appeared on the device when trying to authenticate to Radius using EAP-TLS. For example, when using an XP machine with EAP-TLS, I just have to provide the personal certificate, and don't have to input anything.

Ok, so why do I get the username / domain prompt with WM 5 EAP-TLS? The answer is this:

  • The WM5 device 802.1x client does not associate a certificate with an SSID connection until connecting for the first time.
  • This means that even though you select a certificate in the client EAP-TLS setup before connecting, the client still doesn't use this certificate for authentication.
  • The username/domain prompt is the mechanism for creating this association.
  • If you have multiple personal certificates on your device, this is when the right cert is used for the right SSID for 802.1x authentication.

The registry key that is set when this association is created is:

HKCU\Comm\EAPOL\Config\<SSID>\Identity (REG_SZ) - <Domain\Username>
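As an added illustration, not from the original post: a small script that emits a Windows Mobile Registry CSP provisioning document pre-populating this key for a given SSID, and checks that the identity is in the single "Domain\Username" form the prompt expects. Whether the WM5 client honours a pre-set Identity value and skips the prompt on first connect is an assumption this post does not confirm; the SSID and identity values below are constructed.

```python
import re
from typing import Optional
import xml.etree.ElementTree as ET

# Key path taken from the post; the SSID-specific subkey is appended per network.
EAPOL_CONFIG_ROOT = r"HKCU\Comm\EAPOL\Config"

# Exactly one backslash separating a non-empty domain and a non-empty username.
# "host\<devicename>" (the device-cert convention mentioned in the comments) also fits.
IDENTITY_RE = re.compile(r"^[^\\\s]+\\[^\\\s]+$")


def validate_identity(identity: str) -> bool:
    """Return True if identity looks like 'Domain\\Username' (or 'host\\Device')."""
    return bool(IDENTITY_RE.match(identity))


def build_identity_provisioning(ssid: str, identity: str) -> str:
    """Build a Registry-CSP provisioning XML that sets Identity for one SSID.

    Assumption: a pre-set value is honoured by the WM5 802.1x client; the post
    only documents that the key is written after the first-connect prompt.
    """
    if not validate_identity(identity):
        raise ValueError(f"identity must be Domain\\Username, got {identity!r}")
    doc = ET.Element("wap-provisioningdoc")
    registry = ET.SubElement(doc, "characteristic", type="Registry")
    key = ET.SubElement(registry, "characteristic", type=f"{EAPOL_CONFIG_ROOT}\\{ssid}")
    ET.SubElement(key, "parm", name="Identity", value=identity, datatype="string")
    return ET.tostring(doc, encoding="unicode")


def identity_for_ssid(xml_text: str, ssid: str) -> Optional[str]:
    """Read back the Identity value for an SSID from a provisioning document."""
    root = ET.fromstring(xml_text)
    wanted = f"{EAPOL_CONFIG_ROOT}\\{ssid}"
    for characteristic in root.iter("characteristic"):
        if characteristic.get("type") != wanted:
            continue
        for parm in characteristic.findall("parm"):
            if parm.get("name") == "Identity":
                return parm.get("value")
    return None


if __name__ == "__main__":
    # Constructed sample values, not from the post.
    print(build_identity_provisioning("CorpWiFi", "CORP\\jdoe"))
```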

My initial thoughts on all this are that I understand why the WM5 client does the check, but is this really needed if you have only one personal certificate? What else is it going to pick?

Once again, if you have successfully rolled out EAP-TLS at all using any 802.1x client on WM5, I'd like to hear from you. 

Cheers,

Neil

Published 11 August 2006 16:14 by neil.chapman

Comments

PBoone said:

Hello Neil,

I would also like to know if anyone gets this connection type going.

I am part of a three-man IT team. One of the other members is mainly responsible for the network. I have the mobile device, and there are a few others in the company that also have one. So it's not a big issue (yet) if we don't get this going, but as it is for you... I wish you luck!

I read in part one that using a machine cert will not work. So if our RADIUS server, i.e. WiFi network topology, only incorporates machine certs, then I guess I am totally out of luck?

Is there an advantage to machine certs as opposed to personal ones?
Is there a disadvantage to personal certs as opposed to machine ones?

The answers to these questions may help me to convince my colleague to start using personal certs as well as or in place of machine ones.

Thanks

Philip
August 22, 2006 22:47
sknobloc said:

Hi Neil,

I encounter the same problem as you described. So thanks for your hints so far.

Am I correct in assuming that you will not get prompted for username/password, if you try to connect the second and any further time?

Regards,

Stefan
August 29, 2006 09:16
dfex said:

Hi Neil,

I am running EAP-TLS and WPA/TKIP with Windows Mobile 2003 SE. I am only generating device certificates for my PDAs though, and authenticating my wireless using FreeRADIUS. I too have the issue where the first time the connection is created, credentials are required. In the case of device certificates, I use the device name for the username and for domain, use "host". My RADIUS server is configured to use these details for EAP and everything works fine.

Cheers,

Ben

September 4, 2006 06:51
RJW said:

Hey All,

I've spent a lot of time looking for information about some of the issues we've been having with EAP-TLS and your post provided the most help towards uncovering the mystery of why I have been unable to get EAP-TLS working with Windows Mobile 5.0. My campus has issued certificates signed by their own certification authority and they are using EAP-TLS with AES encryption. On Windows XP, my laptop has no problem connecting, but with Windows Mobile 5.0 I keep getting this prompt for a user and domain/host like you described.

I have also tried using the Odyssey Access Client but that has not worked either.

Ben, you mentioned that you set up your RADIUS server to accept the device name for the username and "host" for the domain. Could you (or anyone else) tell me where you can set this information in the RADIUS server and send along links to some of the relevant resources that helped set this connection up?

Thank you!

Rob

February 22, 2007 17:37