I finally got some time to work with the RADIUS administrator and troubleshoot this. In the end, I was able to get authenticated, but there are some definite bugs in the wireless connection manager, because I shouldn't have had this much trouble. Our network (to briefly re-summarize): Cisco LWAPs (Light-Weight Access Points) (1131 and 1242) Cisco Wireless Controllers (WISM blades for Cisco 6500 chassis) MS Internet Authentication Service RADIUS with PEAP/MS-CHAPv2 over WPA1 (TKIP) and WPA2(CCMP) with named user authentication. The setup that worked: --- WLAN :) --- Network Name (SSID): blah Network is hidden: checked (and true) Network Mode: Infrastructure Security Method: WPA with EAP --- EAP type: PEAP --- Select Certificate: None (we don't use client certs) EAP method: EAP MSCHAPv2 --- User name: WHATEVER (doesn't matter as it doesn't seem to actually use this field) Password: password Prompt for password: UNCHECKED --- Advanced:EAP - Use Manual user name: checked Manual user name: username Require Client Authentication: unchecked --- Ok, so this looks pretty normal, except for a few things: 1) if you don't enter the manual username in the advanced properties, it sends totally garbled credentials which (obviously) fail authentication and the log shows the EAP type as undetermined: --- User qQVHj2kwcIhtnSA6QhmpIm was denied access. Fully-Qualified-User-Name = OBFUSCATED\qQVHj2kwcIhtnSA6QhmpIm NAS-IP-Address = OBFUSCATED NAS-Identifier = OBFUSCATED Called-Station-Identifier = OBFUSCATED Calling-Station-Identifier = OBFUSCATED Client-Friendly-Name = OBFUSCATED Client-IP-Address = OBFUSCATED NAS-Port-Type = Wireless - IEEE 802.11 NAS-Port = 29 Proxy-Policy-Name = Use Windows authentication for all users Authentication-Provider = Windows Authentication-Server = <undetermined> Policy-Name = <undetermined> Authentication-Type = EAP EAP-Type = <undetermined> Reason-Code = 8 Reason = The specified user account does not exist. --- 2) if you select prompt for password AND you have manual user name checked AND you have an entry for the manual username, you will get a password prompt, which will fail and nothing will even make it to the RADIUS logs... Basically: as far as I can tell, the username field is not used in the main configuration tab, only the 'manual user name' is used in the advanced settings. Secondarily, the 'prompt for password' option does does not seem to authenticate properly, as it didn't even show in the RADIUS logs. So I guess the result is mixed - _I_ have my issue fixed (and hopefully these steps help somebody else), but this doesn't seem to be proper behavior on the part of the wireless configuration manager. On Fri, 30 Nov 2007 08:20:10 -0700, Tim <tim at samoff.com> wrote: > Joshua, > > Please add your comments/experiences here: > > https://bugs.maemo.org/show_bug.cgi?id=1017 I will add the text of this email to the bug, need to set up an account. Rgds, Josh
