Monday, October 28, 2013

Configuring Nokia E72 or Symbian phones for WPA2 Enterprise EAP-PEAP-MSHAPv2 settings

We have explained few general points regarding the usage of WiFi WLAN corporate networks and the compatibility of various mobile devices by Nokia, Blackberry, Android, Apple in this article WiFi WLAN corporate network usage on Nokia, Blackberry, Android, Apple iOS devices.

In this article, let us learn how WPA2 – Enterprise EAP-PEAP-MSHAPv2 settings for Symbian 60 phones, particularly for one of the best devices from Nokia in E-series the Nokia E72, can be configured:

Here we explain the settings for one of the latest E-series phones of Nokia, the E72, while we assume that the settings are more or less similar for the other phones in this category. For all the settings explained in the table, and the description provided below, the table acts as a guide to find in various levels the information inside each option and sub-option, in particular for Nokia E72.

For the settings, go to ‘Control panel >> Settings >> Destinations >> Internet’

Check if your phone already has an internet access point (IAP i.e. connection settings profile) for a "ABC-4U" WLAN network. If IAP for this network already exists then select it to edit it further.
If your phone has multiple (duplicate) IAP entries for this network ( named "ABC-4U(1) etc.) try deleting all duplicates and have only one access point related a particular WLAN network within the "Internet" destinations.


If "ABC-4U" IAP doesn't already exist you need to create new IAP for it. For that in the "Internet" destination view and select “Options >> New access point >> Yes”. Your phone will scan all available WLAN networks and then you can select "ABC-4U" from the list of available WLAN networks. If you are in the reach of WLAN WiFi signal, the new internet access point  for the network will be created automatically but default EAP settings inside the access point might not be set by ‘default’ for PEAP authentication, so you may check and if needed can edit those settings manually.

So, select the "ABC-4U" access point within the "Internet" destination to ‘Edit’ the same.

Connection Name*
ABC-4U (Sample name used)
Data bearer
Wireless LAN
WLAN Network Name*
ABC-4U
Network status
Public
WLAN network mode
Infrastructure
WLAN security mode
WPA/WPA2 (to be selected)
WEP (to be selected if WPA/WPA2 not applicable. This requires a preset shared network key. Activate this if your organization provides this information.)
802.1x (to be used if your enterprise insists on using this option).
WLAN security settings
WPA/WPA2
EAP
EAP plug-in settings
EAP-PEAP (activated or ‘enabled’)
All others like EAP-AKA, EAP-SIM, EAP-TLS, EAP-TTLS, EAP-LEAP, EAP-FAST are ‘disabled’
EAP-PEAP settings:
(found in one tab)
Personal certificate: Not defined
Authority certificate: ABC-Group-CA
User name in use: User defined
User name: u010101234 (your username)
Realm in use: User defined
Realm: DOMABC
TLS privacy: Off
Allow PEAPv0: Yes
Allow PEAPv1: No
Allow PEAPv2: No
EAPs: (found in the other tab)
EAP-MSCHAPv2 (Enabled)
All others like EAP-AKA, EAP-SIM, EAP-TLS, EAP-GTC (Disabled)
Username: DOMABC\u010101234
Prompt Password: No
Password: ******* (your login password)
Cipher
Enable all like RSA, 3DES, SHA, etc.
WPA2 only mode
Off
Home page
None
Use access point
Automatically


As shown in the table above, ensure that the following settings are made:

WLAN network name: ABC-4U
WLAN network mode: Infrastructure
WLAN security mode: WPA/WPA2

The next step is to ensure that by selecting "WLAN Security settings", the "WPA/WPA2" option is set to "EAP" (instead of Pre-shared key). Now go to "EAP plug-in settings" menu. First enable "EAP-PEAP" and then disable EAP-SIM and EAP-AKA methods. (Enable / disable can be done via "Options" menu while highlighting the particular EAP method).

Highlight the EAP-PEAP again and select it (or Options >> Edit) to enter EAP-PEAP specific settings.

On EAP-PEAP settings, define:

Personal certificate:  Not defined
Authority certificate:  "ABC-Group-CA

Please note carefully that the correct "authority certificate" from list of pre-installed CA certificates is selected as PEAP authentication can’t succeed if incorrect Authority Certificate (for this particular network deployment) has been selected or it has been left as "Not defined".

Please fill in also the other settings as shown in the table and as applicable in your case.

Then go to the next tab on the PEAP settings (named "EAPs") by hitting right on the directional pad (or touching the arrows in case of touch phone). It is quite easy to miss that PEAP settings view has multiple tabs since the small left/right arrow on top of the screen is the only indication that there are more tabs with additional settings.

On "EAP's" tab you will need select the actual inner authentication method for EAP-PEAP tunnel.  Enable "EAP-MSCHAPv2" and remember to disable EAP-SIM and EAP-AKA.  

Then edit the EAP-MSHAPv2 settings as indicated in the above table. Take care that username and password are entered correctly, including capitalization of letters.

Third "tab" on the PEAP settings is "Ciphers" but you don't typically have to modify those, i.e. the ciphers that are enabled by default are typically sufficient.

Finally go "Back" multiple times in order to save the settings you made above.

Rest of the instructions below are more generic (not specific to this PEAP configuration issue), referring to prioritization of the connection methods (access points) and how/which access point will become active when application is looking for connection to internet.

First, ensure that the "ABC-4U" access point you just created is correctly prioritized within the "Internet" Destination, it should have higher priority than the cellular packet data connection (3G/GPRS).

You can change access point priorities within a destination by highlighting the access point and selecting   Options >> Organize >> Change priority >>  move "selection" up or down on the list of IAPs and select "OK" to move previously selected IAP to this priority.

Another thing to check is the "Default connection" setting - Control Panel >> Settings >> Connection >> Destinations >> Options >> Default connection.

Set default connection to Internet (i.e. the destination where your WLAN and packet data access points are defined in priority order) or set it to "Always Ask" if you prefer to be prompted before connection is established.
Post a Comment