MS-PEAP with handheld devices

Unanswered Question
Oct 15th, 2003

Has anyone else configured handheld devices to use your wireless network using PEAP, but no certificates? Instead authenticating with username/password/domain.

All of Microsoft's documents say they support PEAP but none say how to configure it.

andrew.butterworth Fri, 10/17/2003 - 12:34

I got this working yesterday and it was pretty straightforward, although I did have most of the groundwork in place beforehand.

You need a RADIUS Server - I used the one supplied with Windows 2000 Server (IAS). You also need a Certificate Authority to publish certificates; the RADIUS Server needs one as well as each of the handhelds. Again I used the CA supplied with W2K.


There is a good tutorial here:

http://www.missl.cs.umd.edu/Projects/wireless/8021x/


To get the certificate on the PocketPC you need to get hold of the Certificate Enrollment tool from MS. You can either compile it from the SDK or download it from HP's website (software and drivers for iPAQ 5400/5500 for Windows Mobile 2003). The documentation supplied with the tool is a bit ambiguous and you need to make sure either a 'User' or 'Computer' certificate is requested, NOT what it says in the notes.


It all worked pretty much straight away - I had to play around with a few things but nothing too complex. I am using a Cisco 340 AP running VxWorks 12.0(3)T and an iPAQ 5450 running Windows Mobile 2003.


Andy

cgelnett Thu, 06/17/2004 - 05:09

I just got PEAP running using the ACS and 1200. I was able to test it with a laptop but have not been able to have the iPAQ get the certificate. I keep receiving an error that the template is not correct.

I talked with someone else who was able to make it work but without using the domain, but my site uses the domain to authenticate. I think the iPAQ cannot receive the certificate since it is not registered yet.


Any ideas?


Thanks


gamccall Fri, 06/18/2004 - 05:59

PEAP does not require client-side certificates, just server certificates. As long as your PDA has the appropriate root certificate installed (just sync it over and click on it, no special tools necessary) you should be able to connect as long as your PEAP is running correctly in the first place.


I had some trouble getting my iPaq connected, but it turned out that the root certificate load that came preinstalled had an obsolete version of the Verisign certificate I needed. Updated that and I was online.


-Gabriel

cgelnett Fri, 06/18/2004 - 06:54

Correct, I should have said I cannot get the iPAQ to install the root certificate. I receive the error that the template is incorrect.


Thanks


gamccall Fri, 06/18/2004 - 09:10

Perhaps the root cert file is not in a format your PDA recognizes. Try importing that cert into Internet Explorer on your desktop/laptop, then export the certificate from IE in X.509-DER, and see if the reformatted cert works better for you.


-Gabriel
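
The format mismatch suggested in the reply above, as an added example that is not part of the original thread: a Python check that tells a PEM (Base64) certificate from a DER one or a PKCS#7 bundle by its outer ASN.1 tags, and converts PEM to the X.509 DER form. The function names and sample bytes are constructed for illustration, and the check looks only at the envelope, not at the certificate's contents or trust.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

def der_content_offset(data):
    """Offset of the outer SEQUENCE's content if data is exactly one DER SEQUENCE, else None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    if data[1] < 0x80:                       # short-form length
        offset, length = 2, data[1]
    else:                                    # long form: low 7 bits = number of length octets
        n = data[1] & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return None
        offset, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return offset if len(data) == offset + length else None

def classify(data):
    """Return 'PEM <label>', 'DER certificate', 'DER PKCS#7' or 'unknown'."""
    m = PEM_RE.search(data)
    if m:
        return "PEM " + m.group(1).decode()
    offset = der_content_offset(data)
    if offset is None or offset >= len(data):
        return "unknown"
    inner = data[offset]
    if inner == 0x30:    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ...
        return "DER certificate"
    if inner == 0x06:    # ContentInfo ::= SEQUENCE { contentType OBJECT IDENTIFIER ...
        return "DER PKCS#7"
    return "unknown"

def to_der(data):
    """Return the DER bytes of a single certificate, converting from PEM if needed."""
    kind = classify(data)
    if kind == "PEM CERTIFICATE":
        body = b"".join(PEM_RE.search(data).group(2).split())
        der = base64.b64decode(body, validate=True)
        if classify(der) != "DER certificate":
            raise ValueError("PEM body is not a certificate")
        return der
    if kind == "DER certificate":
        return data
    raise ValueError("expected a single X.509 certificate, got: " + kind)

# Constructed placeholders with the right outer tags; NOT real certificates.
SAMPLE_DER = bytes([0x30, 0x06, 0x30, 0x04, 0x02, 0x02, 0x12, 0x34])
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n"
SAMPLE_P7B = bytes([0x30, 0x04, 0x06, 0x02, 0x2A, 0x03])
```

To use it on a real file, read the exported root certificate as bytes and pass it to `classify` before copying it to the device.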
