Community Council | Posts: 691 | Thanked: 1,240 times | Joined on Sep 2010 @ Mbabane
#3
EAP-PEAP/EAP-MSCHAPv2: unable to connect to a Windows-based NPS/RADIUS server without further intervention by the administrator. This is not really usable because few, if any, administrators will be willing to adjust their network based on a user request when "all" other devices work. The referenced Microsoft TechNet article [1] has further details on this. The problem happens on all Nokia devices, including Symbian. Perhaps you can find a way to fix it in the N900?

Explanation of the problem from Microsoft:
Code:
CAUSE:

NPS server sends an optional Cryptobinding TLV (non-mandatory AVP Type 12) in the final frame of the authentication sequence which the Nokia device is unable to handle and responds with an encrypted alert which results in the NPS server discarding the packet.

RESOLUTION:

No resolution from Microsoft side, as the issue is with the Nokia devices and we do not face the issue with Windows clients.

"Solution" from Nokia:
Code:
What to do if WLAN EAP authentication to Windows NPS server fails? - Nokia FAQ

If WLAN (WiFi) connection fails when trying to authenticate in EAP-PEAP MSCHAPv2 mode and the user credentials are authenticated by Microsoft NPS server (Network Policy Server), disable EAP capabilities negotiation in the Windows server side. This can be done by adding the registry entry below and restarting the NPS server:
1. From Start menu select Run
2. Type regedit and press OK
3. Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\25
4. Right click 25 and select New > DWORD
5. Name it BypassNegotiation and give it value 1 (Base is Hexadecimal)

I think this is a bogus solution. While I think MS deviated from the standards, Nokia should have realized network control is usually too far from the user. For what it's worth, the Nokia-proposed solution actually does work, as I've tested it on my own install. But in my organization they refused to make such a tweak and, partly, it's understandable.

This bug was never reported correctly in the bug-tracker because the Nokia gives a bogus error, "Authentication Failed", and at the time most testers focused on certificates, etc. It turns out that the certificate is the least of the problems. This is usually the "real" bug.

This is probably a bit selfish of me, haha, but I would even venture to say Bug 3399 is lower priority than this one.

[1] https://social.technet.microsoft.com...m=winserverNAP

Last edited by sicelo; 2015-12-23 at 11:39. Reason: Getting it technically correct
 

The Following 6 Users Say Thank You to sicelo For This Useful Post:
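
The "optional Cryptobinding TLV (non-mandatory AVP Type 12)" in Microsoft's explanation can be picked out of a decrypted final PEAP frame with a small TLV walker. This is an added example, not code from the post, Nokia or Microsoft; it shows how the M bit separates a TLV a peer may skip from one it must reject. The header layout (M bit, reserved bit, 14-bit type, 16-bit length), the Result TLV and the 56-byte Cryptobinding body are assumed from the published PEAP TLV format, and the sample frame is constructed.

```python
import struct

RESULT, CRYPTOBINDING = 3, 12  # PEAP TLV types; 12 is the one named above

def parse_tlvs(buf):
    """Split a TLV sequence into (mandatory, type, value) tuples."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated TLV header")
        flags_type, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if len(buf) - off < length:
            raise ValueError("TLV value runs past end of frame")
        # Top bit = M (mandatory), next bit reserved, low 14 bits = type.
        out.append((bool(flags_type & 0x8000), flags_type & 0x3FFF,
                    buf[off:off + length]))
        off += length
    return out

def describe_cryptobinding(value):
    """Decode the fixed 56-byte Cryptobinding body (assumed layout)."""
    if len(value) != 56:
        raise ValueError("Cryptobinding TLV body must be 56 bytes")
    _reserved, version, received_version, subtype = struct.unpack_from("!BBBB", value)
    return {"version": version, "received_version": received_version,
            "subtype": "request" if subtype == 0 else "response",
            "nonce": value[4:36], "compound_mac": value[36:56]}

def client_action(tlvs, supported):
    """What a peer implementing only `supported` types should do per TLV."""
    actions = []
    for mandatory, tlv_type, _value in tlvs:
        if tlv_type in supported:
            actions.append((tlv_type, "process"))
        elif mandatory:
            actions.append((tlv_type, "nak"))      # unknown and mandatory
        else:
            actions.append((tlv_type, "ignore"))   # unknown but optional
    return actions

# Constructed sample: Result TLV (M=1, success) then Cryptobinding (M=0).
SAMPLE = (struct.pack("!HHH", 0x8000 | RESULT, 2, 1)
          + struct.pack("!HHBBBB", CRYPTOBINDING, 56, 0, 0, 0, 0)
          + bytes(32) + bytes(20))

if __name__ == "__main__":
    for action in client_action(parse_tlvs(SAMPLE), supported={RESULT}):
        print(action)
```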