Help on Nokia E61i associating with Cisco WLC 4402

Apr 30th, 2008

I ran into a problem associating Nokia's dual-mode mobile phone E61i with a Cisco WLC 4402; I hope someone can help me with it:


I set up a VOICE WLAN on the 4402 (v5.0.148): Layer 2 security is WPA1+WPA2, key management uses 802.1x, the WPA1 policy enables both TKIP and AES, and the RADIUS server is an ACS engine (v4.1.1.23) with PEAP-MSCHAPv2 enabled.


I can use my laptop to join this WLAN (my laptop is configured with PEAP/MSCHAPv2, WPA-TKIP, not validating the server certificate), but I can't get the E61i to join it; each time it tells me “unable to connect, WPA authenticate failed”.


On the E61i, I select WPA/WPA2 as the WLAN security mode and enable EAP-PEAP; under EAP-PEAP, I enable EAP-MSCHAPv2. However, under Cipher there are a lot of options such as “RSA,3DES,SHA” and “RSA,AES,SHA”, but there's no TKIP. I have tried enabling all of them and tried enabling only the items that include AES, but it failed each time with the same message, “unable to connect, WPA authenticate failed”. I checked ACS's failed log and there's no record; on the 4402 there is also no record.


If I change the security to open or static WEP for VOICE WLAN, then the E61i can connect to the WLAN.


I think the problem may be related to encryption or the certificate. Right now I am just testing in the lab, not in the customer's real environment, so I used ACS to generate a self-signed certificate and installed it in ACS.


Please help point out what I need to adjust to make it work. Thanks!



pasimahone Mon, 05/05/2008 - 22:18

Hello,


CCKM Key Management mode on Nokia E61i phone can be used against Cisco LWAPP AP's with TKIP encryption.


Nokia E61i (and other E-series WLAN enabled phones) support the CCKM key management method with both dynamic WEP and TKIP ciphers.


On the phone configuration, 802.1X security mode needs to be in use in order to enable CCKM support. WPA/WPA2 security mode on the phone is dedicated to standards based WPA and WPA2 methods and it does not allow usage of proprietary CCKM key management method.


The phone's 802.1X security mode does not mean that the phone would only support the dynamic WEP encryption method in this mode, although in some contexts the term "802.1X" may be attached to pure dynamic WEP (legacy / pre-WPA era) security methods.


802.1X security mode can be seen on Nokia E-series phones as sort of an "everything with EAP based authentication is allowed" mode, meaning that the following key management and cipher configurations are supported:

- WPA-Enterprise  = WPA Key Management (EAP based authentication) with TKIP encryption

- WPA2-Enterprise = WPA2 Key Management (EAP based authentication) with AES encryption

- Mixed WPA/WPA2-Enterprise = I.e. WPA/WPA2 Mode Migration WPA2 Key Management (EAP based authentication) with AES (for unicast data) and TKIP (for multicast data) ciphers

- 802.1X dynamic WEP = legacy (pre-WPA era) 802.1X based dynamic WEP (EAP based authentication with dynamic WEP encryption)


Supported:

- CCKM with WEP = CCKM Key Management (EAP based authentication) with dynamic WEP encryption

- CCKM with TKIP = CCKM Key Management (EAP based authentication) with TKIP encryption

Not supported:

- CCKM with AES = CCKM Key Management (EAP based authentication) with AES encryption


Please note that CCKM-AES mode (CCKM Key Management with AES cipher) is not working properly due to some incompatibilities between Cisco and Nokia implementations, thus it must not be listed as a supported combination on the current Nokia E-series devices. We are also seeing CCKM Fast Re-authentication failures with Cisco autonomous AP's when AES encryption is used, although initial authentication to autonomous AP's is successful. Nokia is currently working with Cisco to get CCKM-AES based authentications and roaming working properly with both LWAPP and autonomous Cisco AP's.


Also note that Nokia E-Series does not support Cisco proprietary CKIP/CMIC encryption/data integrity methods. CKIP/CMIC is supported at least by Cisco autonomous AP's and it seems to be available also at least on LWAPP AP version 4.1.171.0.


 CCKM on E-Series devices has been tested against Cisco LWAPP (ver. 4.1.171.0) and it works when TKIP encryption is in use (WPA Policy + TKIP encryption in Cisco LWAPP configuration terms).


In practice this means Cisco LWAPP is configured in the following manner: WLAN -> Edit -> Security -> Layer 2 Security = WPA+WPA2


WPA+WPA2 Parameters:

-WPA Policy = enabled

-WPA Encryption = TKIP enabled, AES disabled

-WPA2 policy = disabled

-Auth.Key Mgmt = CCKM


Br,

-Pasi-
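
To check which key management and ciphers a WLAN configured as in the reply above actually advertises, the WPA and RSN information elements from one of its beacons can be decoded. This is an added example, not code from the thread or from Cisco or Nokia; the function names are hypothetical, the sample bytes are constructed, and the raw tagged elements are assumed to have been extracted from a capture already.

```python
import struct

WPA_OUI, RSN_OUI, CISCO_OUI = b"\x00\x50\xf2", b"\x00\x0f\xac", b"\x00\x40\x96"
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP(AES)", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

def _suite(raw, table):
    """Name one 4-byte suite selector (3-byte OUI + 1-byte type)."""
    oui, kind = raw[:3], raw[3]
    if table is AKMS and oui == CISCO_OUI and kind == 0:
        return "CCKM"  # Cisco-proprietary key management selector
    if oui in (WPA_OUI, RSN_OUI):
        return table.get(kind, f"unknown({kind})")
    return f"vendor({oui.hex()}:{kind})"

def _suite_list(body, off, table):
    """Read a little-endian count followed by that many selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated suite list")
    return [_suite(body[i:i + 4], table) for i in range(off + 2, end, 4)], end

def parse_security_ies(ies):
    """Return the WPA (vendor IE 221) and WPA2/RSN (IE 48) settings advertised."""
    found, pos = [], 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + length]
        if len(body) < length:
            raise ValueError("truncated element")
        pos += 2 + length
        if eid == 221 and body[:4] == WPA_OUI + b"\x01":
            proto, body = "WPA", body[4:]  # skip OUI + type before the version
        elif eid == 48:
            proto = "WPA2"
        else:
            continue  # SSID, rates, other vendor elements
        if len(body) < 6:
            raise ValueError("truncated version/group cipher")
        pairwise, off = _suite_list(body, 6, CIPHERS)
        akm, _ = _suite_list(body, off, AKMS)
        found.append({"proto": proto, "group": _suite(body[2:6], CIPHERS),
                      "pairwise": pairwise, "akm": akm})
    return found

# Constructed sample: SSID "VOICE" + WPA IE for WPA policy, TKIP only, AKM = CCKM
SAMPLE = bytes.fromhex("0005564f494345" "dd16" "0050f201" "0100" "0050f202"
                       "0100" "0050f202" "0100" "00409600")
```

Calling `parse_security_ies(SAMPLE)` reports a WPA element with TKIP as group and pairwise cipher and CCKM as the only key management suite, which is the combination the reply describes as working with the phone's 802.1X security mode.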


bbxie Mon, 05/05/2008 - 22:59

Hi Pasi,

Thanks!

The problem was with the certificate; after I got a correct certificate, it can pass the authentication.

However I can't find a place to select TKIP as the cipher, it is said from Nokia's forum that TKIP (WPA) has been abandoned in favor of AES-only (WPA2) on E-series devices running S60 3rd edition:

http://www.forum.nokia.com/main/resources/technologies/connectivity/capabilities.html



pasimahone Tue, 05/06/2008 - 01:38

Hello,


TKIP is fully supported, wrong information in Forum page.

Please use 802.1x on the device side and the other details from my previous reply.


-Pasi-

bbxie Tue, 05/06/2008 - 15:31

I just tested it. When I select 802.1x instead of WPA/WPA2 and enable EAP --> PEAP MSCHAPv2, I can't see any configurable parameter for TKIP in the cipher list, but with only WPA-TKIP enabled on Cisco's WLAN controller, and WPA-AES and WPA2 disabled, the E61i can pass the authentication and join the WLAN.

So it seems the E61i supports TKIP by default in 802.1x mode (although I can't find any place to configure this parameter).

But it seems it's not stable: sometimes the E61i can pass the authentication, sometimes it says WPA auth failed, and sometimes it says it can't find the WLAN, although at the same time the laptop can find and join the WLAN and work normally. Somebody told me it's better to disable Auto-RF on Cisco's WLAN controller and just use a static channel, as Nokia's E61i can't perform well with Cisco's WLC when Auto-RF is enabled. I have not done much testing, so I'm not sure of it.

pirateoftheairwaves Tue, 05/06/2008 - 22:48

hello, mr. pasi!


i have some issues as well with nokia running symbian software S60. the phone is NOT getting the internet. it is able to associate, authenticate and get an ip address. i can ping the phone's acquired ip from the wlc and from any pc. i can see the phone's details (mac address, ip address, ap associated with, etc. ) on the controller. we've tried both with and without wlan security and the phone is able to get the ip address.


unfortunately, the phone is unable to access the internet via an authenticating proxy. on the wlan profile, we've toggled 'yes' and 'no' for the password prompt option.


is this a Cisco issue? Is there a WLC missed configuration?

pasimahone Wed, 05/07/2008 - 23:04

Hello mr. Pirate, :)


So do you mean browsing the internet?

My understanding is that Nokia browser doesn't support proxy authentication.


-Pasi-

pirateoftheairwaves Sat, 05/10/2008 - 04:20

hi -pasi-,


yes, the mobile phone isn't getting the internet, with or without authentication configured on the SSID. the phone is able to acquire an IP Address and is pingable from the controller and any other computer. the company is actually using a proxy with authentication.


do you have any document (or a web link) that will support this understanding? if so, may i please get a copy.


Thanks for your reply!


pasimahone Sun, 05/11/2008 - 22:56

Hi,


Unfortunately I'm unable to find any documentation regarding this issue.


If you google e.g. "Nokia proxy authentication" you can find discussions about the issue.


You could also post a question to Nokia discussion board http://discussions.europe.nokia.com/


-Pasi-

