4.3 Certificate-Wifi broken (TLS) - Verizon Samsung Galaxy S III

Hey guys, I'll try to be brief on this. Apparently some 4.3 devices have an issue with WiFi where certificate-authenticated networks won't connect. I'm at my college network and I download my certificate, install it, try to connect and it asks me to set it up. Here's my setup (exactly how my college specifies you to set it up):
EAP Method: TLS
CA certificate: (Unspecified)
User certificate: My certificate
Identity: My Identity
It worked fine pre-4.3, but now it says "invalid password", even though TLS doesn't require, or even have an option for, a password. If anybody has any idea as to how I could get this working (I'm thinking perhaps taking the 4.1.2 WiFi libraries and manually moving them onto my phone. I just have no idea exactly what files it would take, or if WiFi would even work afterwards) it would be much appreciated.
I'd just move back to 4.1.2, but 4.3 works so beautifully on my phone besides this one hiccup that I don't think it'd be worth it.

Fixed is more like it.
Previously, the EAP-TLS configuration would let you connect to any AP, regardless of the certificate presented by the authenticator. This meant that an attacker could set up a rogue AP broadcasting your SSID, and your client would naively connect, presenting its credentials which could be harvested by the rogue AP.
Now, you have to select/identify the signing CA for the AP's certificate for a true, mutually-authenticated exchange between your phone and the AP. Your phone will only present credentials to an identified authenticator with a certificate from a pre-defined CA (GeoTrust, GoDaddy, Bob's Upstairs Certificate Authority, etc.). Define that in the "CA Certificate" portion of your connection and you should be good to go.
Why this misconfiguration presents itself as "invalid password" is beyond me. Beats "PC LOAD LETTER", I guess...
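The point above, that an EAP profile with no CA certificate will hand its credentials to any authenticator, is easy to audit on a supplicant config. The following is an added example, not code from the thread or from Android: it parses constructed wpa_supplicant network blocks (one matching the original poster's "CA certificate: (Unspecified)" setup, one with the CA and a server-name match filled in) and flags the profiles that skip server validation. SSIDs, identities and file paths are placeholders.

```python
"""Audit wpa_supplicant network blocks for EAP profiles that skip server validation.

Added example (not from the forum thread). The two constructed blocks below mirror
the thread: the first has no ca_cert, so any RADIUS certificate is accepted and a
rogue AP can collect the client's credentials; the second pins the campus CA and
the expected server name, so the phone only talks to the real authenticator.
"""
import re

# Constructed sample wpa_supplicant.conf (placeholder SSID, identity and paths).
SAMPLE_CONF = """
network={
    ssid="CampusSecure"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="student@example.edu"
    client_cert="/etc/cert/user.pem"
    private_key="/etc/cert/user.key"
}

network={
    ssid="CampusSecure"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="student@example.edu"
    client_cert="/etc/cert/user.pem"
    private_key="/etc/cert/user.key"
    ca_cert="/etc/cert/campus-ca.pem"
    domain_suffix_match="radius.example.edu"
}
"""

_BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)


def parse_networks(conf):
    """Return one dict per network={...} block, with surrounding quotes stripped."""
    networks = []
    for body in _BLOCK_RE.findall(conf):
        entry = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def audit_network(net):
    """Findings for one block; an empty list means the authenticator is pinned."""
    findings = []
    if net.get("key_mgmt") != "WPA-EAP" and "eap" not in net:
        return findings  # PSK/open networks: server validation does not apply
    if not net.get("ca_cert"):
        findings.append("no ca_cert: any RADIUS certificate is accepted")
    if not (net.get("domain_suffix_match") or net.get("subject_match")):
        findings.append("no server name match: any certificate from that CA is accepted")
    return findings


def audit_conf(conf):
    """(ssid, findings) for every network block in a config string."""
    return [(n.get("ssid", "?"), audit_network(n)) for n in parse_networks(conf)]


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF):
        print(ssid, findings or "OK")
```

The second check goes one step past the thread: pinning a public CA (GeoTrust, GoDaddy) without also matching the server name still accepts any certificate that CA has issued, which is why wpa_supplicant offers `domain_suffix_match` and `subject_match` alongside `ca_cert`.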

joeinternet said:
Fixed is more like it.
Previously, the EAP-TLS configuration would let you connect to any AP, regardless of the certificate presented by the authenticator. This meant that an attacker could set up a rogue AP broadcasting your SSID, and your client would naively connect, presenting its credentials which could be harvested by the rogue AP.
Now, you have to select/identify the signing CA for the AP's certificate for a true, mutually-authenticated exchange between your phone and the AP. Your phone will only present credentials to an identified authenticator with a certificate from a pre-defined CA (GeoTrust, GoDaddy, Bob's Upstairs Certificate Authority, etc.). Define that in the "CA Certificate" portion of your connection and you should be good to go.
Why this misconfiguration presents itself as "invalid password" is beyond me. Beats "PC LOAD LETTER", I guess...
I get both a User and CA certificate from my college, but when using both of them at the same time, the problem persists. Any way to fix it or is it a case of my campus' internet not using an identified authenticator for their certificates?

Boardwalk30 said:
I get both a User and CA certificate from my college, but when using both of them at the same time, the problem persists. Any way to fix it or is it a case of my campus' internet not using an identified authenticator for their certificates?
If 4.3 on your S3 is the full version, you cannot go back to 4.1.2 without bricking your phone.
Sent from my SCH-I535 using xda app-developers app

Related

Exchange and activesync issues...

Hey all,
Just an idea. Does anyone out there think that it might be a good idea to start a thread about Exchange and OTA activesync issues? I have fielded a few questions recently and just figured that I would ask. (perhaps not located here in WM6 group but since this is most active I figured I would ask here).
Yes, I think it is a good idea.
Why? What is the problem? I have used at least 5 different WM6 ROMs as well as WM5 cooked versions, all working fine with my T-Mobile MDA and Push/ActiveSync and front-end Exchange server here.
Personally.... None...
Hey....
Personally, I have similar setup and no issues with multiple roms as well. I have just been answering a few questions lately from people who have been having issues and rather than have them get off topic in other forums non-related to exchange / active sync issues I figured I would start one.
RV
Ok, I am feeling ya'
Let the questions/issues begin! Will help if I can to answer questions or test.
Real World Problem
Perhaps you will allow me to jump in with a real world problem, then.
I was able to synch with Exchange 2003 SP2 no problem. I essentially have two different scenarios:
1. I have no T-Mobile service at my desk, so I hook up to my XP machine with a USB cable and run AS 4.5. That view puts me on a private network (192.162.xxx.xxx); the pertinent server configuration is ISA 2006 front end to the network and a WS 2003 running Exchange behind it. The XP machine gets its IP address from DHCP server on the ISA machine, using the ISA address as a gateway for the local network.
2. Away from my desk, I connect via GPRS. The connection is to the ISA server using the public DNS name of mail.<domain>.com. This means a VPN connection.
So after flashing a new ROM, I can no longer synch locally. I get an 85010001 error message, bad HTTP protocol. Not much helpful information out there; I made certain that integrated authentication was not checked on the directory security tab for the IIS folder, and I went through the deletion and recreation of the IIS folders per the MS article. Still won't synch up with the same error.
Additional information. RPC over HTTP is set up on the Exchange server via ISA server, and publicly purchased certificate covers the IIS DEFAULT directory. I can do OWA from inside and outside the network, synch via GPRS when I have service but can't when I use a USB connection. I had copied my WM5 settings down before I flashed, and they are set correctly. HOWEVER, when I unlocked the phone before going to WM6, I reloaded 2.26 from T-MOBILE AND THIS PROBLEM SHOWED UP BEFORE WM6! There were no reboots or changes on any of the servers or the XP machine from when it was working to when it wasn't.
Thanks, sorry if this was posted in the wrong place.
Hey rvverito, I'm an Exchange admin myself and would love to help others who had problems setting up the Exchange/OTA Sync. If you're interested in any help or just get stuck on a sticky problem, drop me a PM or email. (Both will be pushed to my device )
Unfortunately, I'm unfamiliar with ISA, I mainly service SBS servers and a WS 2003 box of my own, but with a hardware firewall. From your post it's not clear exactly what the error message is. When it comes to Microsoft 0x850001 is different than 850001, so if you could expand on that, it would be great.
Activesync reports the error
the 85010001 error is a windows dialogue box that comes from Activesync and not to be confused with something in one of the event files. In fact, there are no event postings on either the Exchange nor the XP boxes, and for that matter not on the ISA box, either. The error descriptions indicate a bad HTTP protocol, but I have seen other references to this error where the user wasn't even running Exchange and was trying to synch with some POP3 service. Go figure.
I know that with a certificate, there are some extra considerations, but i seemed to have had it working just fine, now not at all.
I am convinced it has something to do with Exchange and inside the local network. The WM5/6 setting capacity is simply not rich enough to let me play with some things.
Here is another weird thing. I am running a Netgear wireless router with WPA-PSK security. I try setting this up as a wi-fi network on my MDA and it comes back unavailable. There is a scanner on the build, and when I turn on SSID broadcasting, I can see the network. However, the broadcaster says it is running WEP. If I turn off the SSID, the broadcaster says it is open. And of course, a dozen or so devices including a Nintendo Wii are all affectionately connected to the router.
thanks - L
Hmm, from the sounds of it, you may have to load the certificate onto your device. It is possible that you had it before you started the whole reflashing your phone deal, so it's worth a shot.
Of like mind
That is the conclusion I came to as well. I have been sorting out how to get the cert onto the device.
What troubles me though, is why it works over GPRS.
It could be because you have the certificate for AS/OWA, but not one for connecting to the LAN. I'm not sure what your network topology is like, so I can't really help you in that regard.
One more thing, if you have the stupid T-Mobile proxy enabled it will not let you sync with Exchange when it's docked with the PC, nor will your PDA have access to the internet. Blame the t-zones service for blocking inbound traffic over the proxy, or get yourself fully fledged internet for 29.99; or what you can do is disable the proxy when you connect to the PC, or install Battery Status Extended and enable the option where it disables the proxy when wifi is turned on. This will let you sync over wifi; however, again, when docked with the PC it can't be synced until you manually turn off the proxy. Hope this helps.
wish that were it
but proxy is turned off. thanks.

School wifi problem

Just got my Samsung Captivate about a month ago and I got my wifi connected to the school network, but when I open the browser or any apps that need internet I don't get any connection. In the first week it worked. When connecting to the school wifi the school login page should come up, then the internet will work. However, the wifi is connected, and no matter how strong the wifi signal is, it just can't load and can't bring me to the login page.
I really need help..
and the wifi works everywhere.. except my school...
btw my friends iphone 3gs works..
I am also at college and have had the same problem. The best reason I have found is the phone itself. Half of our wifi is an older standard that does not work on the phone. It shows up as WEP and I can not get it to recognize it as 802.1x. In my tinkering I have also messed up the wifi that was working.
Long story short, it probably won't work. I have spent a long time trying to get it to work with no luck.
Sent from my SAMSUNG-SGH-I897 using XDA App
Hello to both of you,
I also attend a college with an 802.1x connection and the Captivate supports most of these networks; however you will probably need to configure the network settings manually (usually retrievable on your school's IT site). If you don't mind digging up your settings I would love to check to see if I can configure your phone.
FYI, you might be having a problem similar to what's seen in this post.
http://androidforums.com/captivate-support-troubleshooting/142397-odd-netmask-issues-wifi.html
I definitely had this problem today. It appeared connected but no web pages would load. Going to have to investigate further. Why can't things just work
I know my school recently implemented some new security certificates that you must agree to before logging in, has anything like that changed for you? My wife's Aria is running 2.2 and can log into the school network, but my captivate cannot. It is frustrating I know.
Seems some colleges and universities are noticing issues with Android devices letting DHCP leases expire but continuing to use the IP address assigned instead of requesting a new one.
See the following links.
http://www.natecarlson.com/2010/08/27/android-att-captivates-wifi-networking-is-broken/
http://www.net.princeton.edu/android/android-stops-renewing-lease-keeps-using-IP-address-11236.html
I actually have similar issues with my Belkin wireless router at home. My laptops and other wireless devices have no problems connecting or re-connecting but the Captivate just refuses to re-connect after the connection was terminated. Even after resetting the router, the phone just keeps trying to use the same IP address for some reason.
The only way I could get it to reconnect is to either reboot the phone or to remove the AP entry which is a pain especially if you have wireless passwords.
Hopefully someone with better insight into how Eclair and Froyo handles WiFi can come up with some fix.
more solutions?
I believe the new 2.2 firmware solves this issue. I too am at College and my captivate FAILS to actually access the internet through wifi unless I statically assigned the IP.
I just updated to Froyo and it connected instantly. I'll have to do more testing to make sure, but I think Samsung finally fixed it.
captivate wifi issue at school
I just got a Galaxy S (Captivate) and wi-fi is giving trouble.
When I tried at a university campus, it gives an error and says can't open, try again later. It is like, I get connected to the network, IP and DNS and everything is generated. But when I open the browser to open a website, instead of taking me to the login page it gives the above error.
Here is what I get when I try to open a website.
'Web page not available'. The page might be temporarily down or it may have been moved permanently to a new address.
Here are some suggestions:
- Check to make sure the device has signal and data connection. (I made sure it is connected to wifi)
- Reload the page later. (I tried after 5 mins, same result)
- View cached copy from Google. (doesn't work either)
I am not able to understand why this is happening. I tried restarting the phone after connecting to wifi but no luck. Any pointers?
Sounds like they use a portal system which requires logon and doesn't play nice with the Captivate's browser. Unfortunately many such portal systems are written poorly and I've even seen some that only work with Internet Explorer.
You could try a different browser on the Captivate. Dolphin allows spoofing assorted User Agents, which might help.
Hey guys, I have the same problem connecting to my school's network login page. It would say connected but the website always says it can't be found. But the good news is that I found a way to connect to it manually! What you need is your Captivate and a friend's iPhone 4 or 3GS.
1. First use your friend's iPhone to connect to the wifi and then go into wifi settings. You should see 2 DNS addresses, IP address, netmask (subnet mask) and router address. Now jot those addresses down except the IP address.
2. Go to Settings -> Wireless and network -> Wi-Fi settings -> now tap the bottom left button under the Samsung logo and click Advanced. Now check "Use static IP". Do not enter anything for your IP address just yet (we will do this last).
3. Now enter the router address into gateway, subnet mask into netmask, DNS1 to DNS1 and DNS2 to DNS2. OK, when you are done click back and tap the network you want to connect to.
4. Once you are connected, jot down your IP address by tapping the network once more.
5. Now go back to where the static IP was and input the IP address you just jotted down into the IP address field underneath "Use static IP".
6. Disconnect and reconnect to the desired network. You may have to do this a few times or reboot your phone.
This has been working for me so far around different buildings but with the same school network connection. I hope this helps, cheers!
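The manual procedure above copies gateway, netmask and DNS from another device and types them into the phone by hand, and a single wrong digit in the netmask or gateway gives exactly the "connected but nothing loads" symptom (compare the netmask thread linked earlier). The following is an added example, not from the post or from Android: a check that the four hand-entered values are consistent with each other before you apply them. The sample addresses are constructed private-range values, not the poster's.

```python
"""Sanity-check a hand-entered static Wi-Fi configuration before applying it.

Added example (not from the forum post). Verifies that the phone's address and
the gateway fall inside the subnet defined by the netmask, that the address is
not the network or broadcast address, and that DNS entries are well formed.
Sample inputs are constructed placeholders.
"""
import ipaddress


def check_static_config(ip, netmask, gateway, dns_servers):
    """Return a list of problems; an empty list means the values are mutually consistent."""
    problems = []
    try:
        # ipaddress accepts dotted netmasks ("255.255.254.0") as well as prefix lengths
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    except ValueError as exc:
        return [f"bad address or netmask: {exc}"]
    net = iface.network
    host = iface.ip
    if host in (net.network_address, net.broadcast_address):
        problems.append(f"{host} is the network or broadcast address of {net}")
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        return problems + [f"bad gateway {gateway!r}"]
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}; traffic cannot leave the subnet")
    if gw == host:
        problems.append("gateway equals the phone's own address")
    if not dns_servers:
        problems.append("no DNS server: IP traffic works but no hostname resolves")
    for d in dns_servers:
        try:
            ipaddress.IPv4Address(d)
        except ValueError:
            problems.append(f"bad DNS server {d!r}")
    return problems


if __name__ == "__main__":
    # Constructed values: a /23 campus subnet copied correctly, then the same
    # values with the netmask mistyped as /24, which strands the gateway.
    print(check_static_config("10.20.5.40", "255.255.254.0", "10.20.4.1", ["10.20.0.53"]))
    print(check_static_config("10.20.5.40", "255.255.255.0", "10.20.4.1", ["10.20.0.53"]))
```

The second call illustrates the failure mode the step-by-step recipe is prone to: with the narrower mask the phone believes the gateway is on a different subnet, so it associates fine but never routes a packet off the link.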
sremick said:
Sounds like they use a portal system which requires logon and doesn't play nice with the Captivate's browser. Unfortunately many such portal systems are written poorly and I've even seen some that only work with Internet Explorer.
You could try a different browser on the Captivate. Dolphin allows spoofing assorted User Agents, which might help.
Yeah, my school uses the Bradford dissolvable agent. Funny thing is, some connections work perfectly, others not at all. Technically none should work, and sometimes I feel that maybe I should tell them that sometimes somehow it is possible to bypass the whole agent thing, but why rock the boat just yet.
Does it need a proxy to work? If so, this app is amazing.
http://forum.xda-developers.com/showthread.php?t=766569
I figured it out a month ago, and it is actually pretty easy. But you really have to change the IP address manually, usually just the last number.
Sent from my SAMSUNG-SGH-I897 using XDA App

Major Security Flaw Found In Android Phones

Worth reading http://www.theregister.co.uk/2011/05/16/android_impersonation_attacks/
and perhaps following http://forum.xda-developers.com/showthread.php?t=1086878 (ok -- maybe not -- that thread is pretty useless)
In brief:
The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier, the researchers from Germany's University of Ulm said. After a user submits valid credentials for Google Calendar, Contacts and possibly other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.
Announced today, apparently there will be silent OTA patches for Contacts and Calendar.
that is crazy!!!!
this made me feel a little at ease, just a little.
The attacks can only be carried out when the devices are using unsecured networks, such as those offered at Wi-Fi hotspots.
not sure what else to say about it.
Bloggers and media like to hype this stuff up.
Bottom line is this. Don't connect to a public wifi you don't trust, and always log in via SSL.
The issue here stems from using public wifi that allows people to sniff your traffic.
For instance:
You walk into Starbucks, I'm already there and with my phone I create a mobile hotspot, I call it "StarbucksWifi" for the SSID. You're none the wiser and you connect with your phone (OR with your laptop, it's not just your phone but the media didn't share that).
I turn on Shark Mobile (Wireshark) and start capturing all those lovely packets. I then dissect them later to see your login info etc.
Again, don't connect to public wifi you don't trust or are unsure about. Starbucks uses AT&T for hotspots and the wifi name is always ATT from what I remember.
fknfocused said:
that is crazy!!!!
this made me feel a little at ease, just a little.
not sure what else to say about it.
Not a real issue unless you're one to use unsecured wifi networks.
joedeveloper said:
Bloggers and media like to hype this stuff up.
Bottom line is this. Don't connect to a public wifi you don't trust, and always log in via SSL.
The issue here stems from using public wifi that allows people to sniff your traffic.
For instance:
You walk into Starbucks, I'm already there and with my phone I create a mobile hotspot, I call it "StarbucksWifi" for the SSID. You're none the wiser and you connect with your phone (OR with your laptop, it's not just your phone but the media didn't share that).
I turn on Shark Mobile (Wireshark) and start capturing all those lovely packets. I then dissect them later to see your login info etc.
Again, don't connect to public wifi you don't trust or are unsure about. Starbucks uses AT&T for hotspots and the wifi name is always ATT from what I remember.
Thanks.
I love hearing about this kind of stuff. It's good to keep current... now I know why they have that accept conditions page at wifi places like Starbucks and McDonald's. You couldn't create that with your hotspot... or could someone?
Sent from my SGH-T959V using XDA Premium App
Thanks for the info fellas. I rarely connect to wifi spots when I'm out and about. Actually, the only time I do is when I'm home or at work. Looks like I'm good.
While "always log in via SSL" is a great suggestion, the Google services aren't going to go over a secure channel (unless you have VPN enabled).
The same warning should apply if you aren't using WPA2 -- the older WEP (and WPA) is still common on many "secure" wireless connections, especially home units, and takes not more than a few minutes to crack with widely available tools.
http://www.google.com/search?q=wep+crack
From http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
WPA2 has replaced WPA; WPA2 requires testing and certification by the Wi-Fi Alliance. WPA2 implements the mandatory elements of 802.11i. In particular, it introduces CCMP, a new AES-based encryption mode with strong security. Certification began in September, 2004; from March 13, 2006, WPA2 certification is mandatory for all new devices to bear the Wi-Fi trademark.
This is what I was asking about in another post. I like to vacation where I have 0-1 bars on the phone, and motel wifi is available. I would like my pet/house sitting service to be able to call me when I'm away.
Also kid moved to England. We use Skype, Skype on Android is wifi only.
Mostly do use home WPA encrypted, but there should be some kind of safety for those who do need the service. Do not use the phone for personal stuff like banking, etc. even on a network.
And there are areas here in the west where there is no service for any carrier. Canyons are not conducive to line of sight.
SGS4G does have wifi calling built in.

authentication via proxy server was unsuccessful

Anyone of you here using a proxy server in a university? When I move to a different building in the same university, I cannot browse anymore because it says "authentication via proxy server was unsuccessful".
Our proxy server does not require authentication.
Android 3.2 on our tablet already has built-in proxy settings, so why is this happening to me when I move to a different building with the same proxy server?
Any help with this will be greatly appreciated.
Thank you in advance.
I don't have any issues in my University using the WiFi =/
I don't know why it is happening to me. The tech from the university said maybe it's due to the number of devices accessing the wifi proxy at the same time, that's why I cannot connect. But I had my rooted LG Optimus Black before and it's running smoothly on the university's proxy server!
I think there is something wrong with Android 3.2's wifi proxy?
There are wifi-related issues with some of the Galaxy Tab 7 Pluses, (namely the SOD,) but this one is new to me. I've never experienced it. Truth be told, the tech could be correct. The proxy server might have been refusing connections due to heavy load. Even if you think your phone and tablet are connecting at the same time, the phone could have made its request earlier and been the last allowed device, or if you connected after, could have taken up a spot that was just vacated by another device.
My question is then, is this an ongoing issue? By this I mean are you having this issue multiple times in the day, where your phone can connect just fine, but your tablet is throwing that error message?
Thank you for your reply, rkmj!
Yes, this is an ongoing issue up to now! I have been experiencing this for over a month already. When I'm in the main library I can easily connect the first time. But when I move to the other buildings within the same proxy server, with definitely different access points, it always says: "authentication via proxy server is unsuccessful". I was using my rooted LG Optimus Black in these same positions in the university before, and it works flawlessly, so I doubt it is the heavy load?
So is there something wrong with the proxy setup of Honeycomb 3.2?

[Q] network may be monitored

Hi, I just got my Nexus 5 yesterday and everything is fine until I install a certificate that is required to connect to my University's wireless network.
The installation is fine, but after that I got a warning saying "network may be monitored". I know I can get rid of it temporarily by swiping it away, but is there any way to disable this warning permanently? (see the attachment if my wording is confusing)
I am seeing this same thing in relation to the use of my own personal certificates. The issue stems from the use of private CA cert which I use for my local lan and vpn. Google has decided to enable CA certificate pinning as a security measure I guess hopefully there is a way to disable this.
