PEAP MSCHAPv2 WiFi authentication setup

PEAP + MSCHAPv2 WiFi Authentication Setup

Some educational sites using Eduroam support this method. Some use EAP-TTLS+PAP, where you first need to activate TTLS/PAP support using the cute Qt "WLAN tool" linked to this bug report. Additionally, you need the PR 1.2 firmware on your phone. PEAP + MSCHAPv2 is a quite popular authentication method that is supported by the tablets, but some setup is needed. Therefore, a bad out-of-the-box experience is guaranteed. If you're uncertain, try whether the step-by-step guide below works. If it doesn't - bummer.

Don't forget to install the wpa_supplicant package!

(This example is for Eduroam on the N900. The same works for the 770, N800 and N810 too.)

Go to Applications -> Settings -> Internet connections
[Connections]
[New]
[Next]
Connection name: eduroam
[Next]
Scan .. Wi-Fi ..
[Yes]
EAP type: PEAP
[Next]
EAP method: EAP MSCHAPv2
[Next]
User name: (username@domain)
Password: (your password)
[Next]
[Advanced]
[EAP]
Use manual user name: [x]
Manual user name: (username@domain)
[Save]
[Finish]

Using WEP cipher suites

Some eduroam sites use WEP cipher suites in WPA mode. In this case, the N900 immediately fails to connect and the line

Jul  5 10:42:34 Nokia-N900 wlancond[2695]: In WPA mode WEP is not allowed

is logged to syslog. Whether this setup is active on a site can be investigated by running

$ iwlist scan
[...]
wlan0     Scan completed :
[...]
                    ESSID:"eduroam"
[...]
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : WEP-104
                    IE: WPA Version 1
                        Group Cipher : WEP-104
[...]

on a laptop.
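The same check can be scripted. The following is an added example, not part of the original page: it reads iwlist scan output and lists every access point that advertises a WEP group cipher inside a WPA or WPA2 information element. The function names, the sample scan, and its addresses and network names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.
# Reads `iwlist scan` output on stdin and prints one line per access point
# that advertises a WEP group cipher inside a WPA or WPA2 information element:
#   BSSID <TAB> ESSID <TAB> IE:cipher[,IE:cipher]
find_wep_in_wpa() {
    awk '
    function report() {
        if (bssid != "" && hits != "") printf "%s\t%s\t%s\n", bssid, essid, hits
    }
    /Cell [0-9]+ - Address:/ { report(); bssid = $NF; essid = "(hidden)"; hits = ""; ie = ""; next }
    /ESSID:"/ { essid = $0; sub(/^.*ESSID:"/, "", essid); sub(/"[ \t]*$/, "", essid); next }
    /IE: IEEE 802.11i\/WPA2/ { ie = "WPA2"; next }
    /IE: WPA Version/        { ie = "WPA";  next }
    /IE: /                   { ie = "";     next }   # any other IE ends the WPA/WPA2 block
    /Group Cipher[ ]*:[ ]*WEP/ && ie != "" {
        hits = hits (hits == "" ? "" : ",") ie ":" $NF
    }
    END { report() }
    '
}

# Constructed sample scan (documentation MAC addresses, made-up network names).
sample_scan() {
    cat <<'EOF'
wlan0     Scan completed :
          Cell 01 - Address: 00:00:5E:00:53:01
                    ESSID:"eduroam"
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : WEP-104
                        Pairwise Ciphers (1) : TKIP
                    IE: WPA Version 1
                        Group Cipher : WEP-104
                        Pairwise Ciphers (1) : TKIP
          Cell 02 - Address: 00:00:5E:00:53:02
                    ESSID:"example-ccmp"
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
          Cell 03 - Address: 00:00:5E:00:53:03
                    ESSID:"example-mixed"
                    IE: WPA Version 1
                        Group Cipher : TKIP
EOF
}

# Against a live scan: iwlist scan | find_wep_in_wpa
sample_scan | find_wep_in_wpa
```

Only the first constructed cell is reported; networks whose group cipher is TKIP or CCMP produce no output.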

Support was added to osso-wlan as of version 3.0.20 according to the changelog:

osso-wlan (3.0.20) unstable; urgency=low

  * Fixed:  NB#159194 - Add support for WEP cipher in WPA mode to support
    Eduroam, fixes the regression

 -- Jin Qing <ext-qing.1.jin@nokia.com>  Fri,  2 Jul 2010 10:34:40 +0300

osso-wlan (3.0.19) unstable; urgency=low

  * Fixed: NB#159194 - Add support for WEP cipher in WPA mode to support
    Eduroam

 -- Sami Enne <ext-sami.enne@nokia.com>  Wed, 2 Jun 2010 15:04:22 +0300

Unfortunately, access to NB#159194 is restricted. But a diff of the source located at https://gitorious.org/community-ssu/osso-wlan reveals that the boolean gconf value /system/osso/connectivity/IAP/allow_wep_ciphers_in_WPA has to be flipped to true for this change to kick in:

$ gconftool-2 --type bool -s '/system/osso/connectivity/IAP/allow_wep_ciphers_in_WPA' true

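Why this is not switched on by default and where this is documented is currently unknown. After setting the value, a reboot (or maybe just restarting wlancond) resolves the issue. Furthermore, the security implications should be investigated: WEP is a cryptographically broken cipher, and in the scan output above it is the group cipher, which protects broadcast and multicast frames.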

Known working networks

  • eduroam at FU Berlin, Germany
  • eduroam at TU Berlin, Germany (note: for me it was necessary to use username@win.tu-berlin.de instead of username@tu-berlin.de)
  • eduroam at JLU Giessen, Germany
  • eduroam at TU Delft, the Netherlands
  • eduroam at HRO Rotterdam, the Netherlands
  • eduroam at HvA Amsterdam, the Netherlands
  • tue-wpa2 at Eindhoven University of Technology, the Netherlands
  • eduroam in Tampere, Finland
  • LANGATON-WPA in Tampere, Finland
  • AU-Wifi in Auburn, AL, USA
  • AlmaWIFI in Bologna, Italy
  • eduroam at KULeuven, Belgium
  • eduroam at TU Vienna, Austria
  • eduroam at University of Vienna, Austria
  • eduroam at University of Graz, Austria
  • eduroam at Klagenfurt University, Austria
  • WIRELESS-PITTNET at University of Pittsburgh (works without @domain)
  • eduroam at University of Gothenburg, Sweden
  • eduroam at Chalmers University of Technology, Gothenburg, Sweden
  • eduroam at KTH, Stockholm, Sweden
  • eduroam at University of Copenhagen, Department of Mathematical Sciences
  • eduroam at University of Bergen, Faculty of Mathematics and Natural Sciences
  • eduroam at University of Reading, UK
  • eduroam at RWTH Aachen University, Germany (works with @domain instead of +domain)
  • eduroam at Chemnitz University of Technology, Germany (if it does not work, change your password)
  • eduroam at University of Stuttgart, Germany
  • eduroam at University of Warsaw, Faculty of Mathematics, Informatics and Mechanics
  • eduroam at LTU, Luleå, Sweden
  • eduroam ("802.1x") at University of Leipzig, Germany
  • eduroam at QMUL (Queen Mary, University of London)
  • eduroam at Linköping University, Sweden (LiU)
  • eduroam at Lappeenranta University of Technology, Finland (LUT)
  • eduroam at Aveiro University, Portugal (PT)
  • eduroam at ETH Zürich, Switzerland
  • eduroam at Universidad de Castilla-La Mancha (UCLM), Spain (es)
  • eduroam at TU Braunschweig, Germany
  • eduroam at Karlsruhe Institute of Technology (former University), Germany (use anonymous@kit.edu as manual username)
  • sMobileNet at Hong Kong University of Science and Technology
  • eduroam at University of Waterloo, Canada
  • eduroam at University of Paderborn, Germany (instead of PEAP you have to use TLS)
  • eduroam at University of Cambridge, UK
  • eduroam at University of Heidelberg, Germany but NOT at DKFZ, Heidelberg, Germany
  • eduroam at Ca' Foscari University of Venice, Italy (see notes about WEP above.)