maemo.org Bugzilla – Bug 2051
Unable to connect to EAP PEAP MSCHAPV2 without certificates
Last modified: 2010-12-01 13:24:02 UTC
EXPECTED OUTCOME: Connection to a WPA network with EAP-PEAP / EAP-MSCHAPv2. We do not want to validate the server certificate; no certificates are passed down from the network.
ACTUAL OUTCOME: Fails while connecting due to the inability to validate the server certificate.
STEPS TO REPRODUCE THE PROBLEM: Attempt to connect to the network.
OTHER COMMENTS: This is a corporate network; I cannot attempt to make changes to the network. Is there a way to turn off the server certificate validation?
I have the same problem. No way to authenticate to a mschap2 wifi network.
I have found some info on this issue. Even if no certificate is passed down from the networking standpoint, there generally has to be a cert of some sort, even an expired one. I was able to get a copy of the expired cert off of a Mac laptop. I get an error every time saying the cert is expired, but still connect after clicking OK. Unfortunately, I have not been able to locate the cert on either a Linux wireless connection or a Windows laptop. The only way I have found it so far is on a Mac through its certificate manager.
I get a failed authentication when trying to connect to corporate wireless. We also need to disable certificate validation, so I assume it is the same issue. Using N810 and Maemo 4.2008.30-2.
*** This bug has been confirmed by popular vote. ***
Argh, I'm getting more and more lost in all those MSCHAP, PEAP, EAP, TTLS etc. nuances. What is the difference from bug 1017?
(In reply to comment #5)
> Argh, I'm getting more and more lost in all those MSCHAP, PEAP, EAP, TTLS etc.
> nuances.
> What is the difference to bug 1017?

For networks not requiring server cert verification, an option to not verify the server cert is required. In our office, we do not validate the certificate. My only way around this is to get a copy of the cert from a Mac laptop that stores the cert regardless.
As this is not my field, I wonder how this is related to bug 327 (about certificate selection).
*** Bug 3990 has been marked as a duplicate of this bug. ***
Has there been any progress made on this bug? -Ray
Kalle, are any changes considered for Fremantle (or Harmattan), or is this, realistically speaking, a WONTFIX? Sounds a bit related to bug 1574.
(In reply to comment #10)
> Kalle, are any changes considered for Fremantle (or Harmattan) or is this
> realistically speaking a WONTFIX?

I haven't heard anything about this. But isn't this a huge security risk? Not verifying the server certificate makes it possible to have man-in-the-middle attacks. Or did I misunderstand something?
(In reply to comment #11)
> (In reply to comment #10)
> > Kalle, are any changes considered for Fremantle (or Harmattan) or is this
> > realistically speaking a WONTFIX?
>
> I haven't heard anything about this.
>
> But isn't this a huge security risk? Not verifying the server certificate makes
> it possible to have man in the middle attacks. Or did I misunderstood
> something?

According to our networking team, no. I do not need to select a certificate or install one with my Linux laptop; however, I do need to get my grubby paws on the cert for the N800. The only way I can get the cert is by copying it from a Mac laptop. This is somewhat painful as there are only two in my department. Our networking team says a cert is not required to access the network, no matter how often me and the N800 prove them wrong.
Juhani, are there plans to handle this for Fremantle too (having bug 1574 in mind)?
Is this problem still present in Maemo 5? If so, is it a bug or an enhancement request? If it's a bug then it needs to be filed in the internal Bugzilla. If it's an enhancement then let's tag it as such. Thanks!
Added Janne Ylälehto as CC. I do not know if this works or not.
> Is this problem still present in Maemo 5?

Anybody able to test this who already has an N900? Janne: ping
If Nokia can furnish me with an N900 I can test it.
(In reply to comment #2)
> I have found some info on this issue. Even if no certificate is passed down
> from networkings stand point, there generally has to be a cert of some sort,
> even expired. I was able to get a copy of the expired cert off of a Mac
> laptop. I get an error every time saying the cert is expired, but still
> connect after clicking OK.
> Unfortunately, I have not been able to locate the cert on either a Linux
> wireless connection nor a Windows laptop. The only way I have found it so far
> is on a Mac through its certificate manager.

Just to understand this problem better, I'll try to summarize: you have a network using EAP-PEAP with EAP-MSCHAPv2, but the network does not send a server/network certificate at all. Is this correct? I quickly tried this on my Freeradius server and it does not even start if I leave the server certificate empty. Do you know the RADIUS server model? Also, from the security point of view, not sending a server certificate sounds very risky.
I don't know how it works behind the scenes, but on my job's laptop I didn't need to add any certificate to join this kind of network (using Window$ XP). Looks like the authentication is based on Active Directory domain/user/pass.
(In reply to comment #16)
> Is this problem still present in Maemo 5?
>
> If so, is it a bug or a enhancement request?
>
> If it's a bug then it needs to be filed in the internal bugzilla.
>
> If it's an enhancement then let's tag it as such.
>
> Thanks!

Still present in Maemo5. I'd say it's a bug, because the way it is now, I can't connect to the corporate network.
> Still present in Maemo5. I'd say it's a bug, because the way it is now, I can't
> connect to the corporate network.

More to that: even after I install the CA certificate of the company I work for, I can't install my personal certificate and I can't select any certificate in the "Select certificate" dialog. I am sure that the CA certificate is valid (valid from 19 August 2008 to 19 August 2018) and that the "WLAN" purpose was selected (it even appears so in the certificate manager).
(In reply to comment #22)
> Still present in Maemo5.

Please always post the exact version that you are using. Thanks :)
(In reply to comment #24)
> (In reply to comment #22)
> > Still present in Maemo5.
>
> Please always post the exact version that you are using. Thanks :)

The "About product" window in settings shows "Version: 1.2009.42-11". If it helps, I checked the logs on the Windows server working as AD/RADIUS server, which the Wi-Fi auth is made against, and the username when I tried to connect looked rather weird (nearly random characters).
I managed to get around this issue by adding the connection for this EAP PEAP MSCHAPV2 network through the "Internet connections" dialog in the window, specifying the user name as "user@domain" and, in the "Advanced settings" dialog, on the EAP tab, checking "Use manual user name" (with the manual user name the same as earlier) and making sure that the "Require client authentication" box is not checked :) Too bad it doesn't work OOTB, but it can be done.
> MSCHAPV2 network through the "Internet connections" dialog in the window,

That should be "in the settings window".
I have this bug too. In Linux (Ubuntu), for the connection to our network I am using:
Security: WPA&WPA2 Enterprise
Authentication: PEAP
Anonymous identity: Empty
CA certificate: (None)
PEAP version: Version 0 (Automatic is not working!)
Inner authentication: MSCHAPv2
Username: xxxxx
Password: ********

In S60v3, for the connection to our network, I had to manually download and choose the certificate and disable all PEAP versions except 0. On the N900 I didn't find how to disable PEAP versions. It could be necessary for some networks.
The same bug is here: Bug #6101
I have the same issue that prevents me from connecting to my corporate network. Basically my corporate network does not require server certificate, and I don't know how and where to get the certificate to install it on my phone.
I resolved this problem for me. When you try to connect from the status bar, the "Advanced" button is absent in the network setup. For the connection I go to: menu/settings/Internet Connections/Connections/New/.... At the end of the connection setup press Advanced/EAP, check the box "Use manual user name" and enter the user name.
(In reply to comment #26)
> I managed to get around this issue by adding the connection for this EAP PEAP
> MSCHAPV2 network through the "Internet connections" dialog in the window,
> specifying the user name as "user@domain" and, in the "Advanced settings"
> dialog, on the EAP tab checking the "Use manual user name" (with manual user
> name the same as earlier) and making sure that "Require client authentication"
> box is not checked :)

I can confirm both the problem and the proposed solution (on 42-11).
(In reply to comment #26)
> I managed to get around this issue by adding the connection for this EAP PEAP
> MSCHAPV2 network through the "Internet connections" dialog in the window,
> specifying the user name as "user@domain" and, in the "Advanced settings"
> dialog, on the EAP tab checking the "Use manual user name" (with manual user
> name the same as earlier) and making sure that "Require client authentication"
> box is not checked :)
>
> Too bad it doesn't work OOTB, but it can be done.

The above allows me to connect on N900 1.2009.42-11.203.2; however, it still prompts about an invalid certificate date:
"Certificate not currently valid. Check date and time settings. servername.example.net [Done]"
Need an option to ignore this invalid server certificate, else no automatic connect... Have to press "Done" every time I want the device to connect.
Also see http://wiki.maemo.org/PEAP%2BMSCHAPv2 . Do the steps described in that wiki page work for everybody? Feedback highly welcome!
For me it works, but without domain (username only).....
I also have this problem:

Installed my .ca certificate from my file manager. When pressing enter on the xxxxxxx.ca file, I get:
Issued to: XXXX-XXXX-XXXX
Issued by: Selfsigned
Valid from: Monday 14. june 2004
Valid to: Friday 14. june 2019
Fingerprints (SHA1) XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX

I selected the button: Install
I selected: WLAN

I set up a new WLAN connection and when I try to select a certificate for my WPA EAP PEAP, no certificates show up in the drop-down box.

Can anyone tell me if I can edit a file to manually insert this certificate link?

\Borge
(In reply to comment #36)
> I also have this problem:
>
> Installed my .ca certificate from my filemanager.
> When pressing enter on the xxxxxxx.ca file, i get:
> Issued to: XXXX-XXXX-XXXX
> Issued by: Selfsigned
> Valid from: Monday 14. june 2004
> Valid to: Friday 14. june 2019
> Fingerprints (SHA1) XXXX XXXX XXXX XXXX XXXX
> XXXX XXXX XXXX XXXX XXXX
> I selected the button : Install
>
> I selected: WLAN
>
> I set-up a new wlan connection and when i try to select sertificate for my WPA
> EAP PEAP, no certificates shows up in the drop down box.
>
> Can anyone tell me if i can edit a file to manually insert this certificate
> link?
>
> \Borge

In my case it wasn't shown either, but if you open "Settings > Certificate manager" you will find it. If the certificate is installed it is automatically used even if the field says "none". Check the other fields, like in Advanced: set the username again....
(In reply to comment #37)
> > Installed my .ca certificate from my filemanager.
> > ...
> > I set-up a new wlan connection and when i try to select sertificate
> > for my WPA EAP PEAP, no certificates shows up in the drop down box.

That's because the certificate you select when making a connection is not a CA certificate, but a client certificate, which is a different thing. It is granted to you by the owner of the network you are connecting to, and usually delivered as a PKCS#12 package that contains the client certificate, its private key, the CA certificate its trust is based on and optionally one or more intermediate signing certificates. You can install a PKCS#12 file (usually .pfx or .p12) the same way you installed the CA certificate. But WPA EAP PEAP does not necessarily require a client configuration; it all depends on how the network is configured. PEAP is a versatile standard with many different options. Please check with your network administrator about the options.

> > Can anyone tell me if i can edit a file to manually insert this certificate
> > link?
> >
> > \Borge
>
> In my case it wasn't shown too.
> but if you open "Settings> Certificate manager" you will find it.
> If certificate installed it is automatically used even if "none" in the field.
> Check other field, like in Advance set username again....
(In reply to comment #38)
> But WPA EAP PEAP does not necessarily require a client configuration,

"a client certificate" I meant, sorry. Also...

> > > Can anyone tell me if i can edit a file to manually insert this certificate
> > > link?

No, you cannot. The certificate stores are protected by signatures, so you need to use either File Manager, the Certificate Manager applet (in PR1.2) or the cmcli command-line tool to install certificates.
I tried the recommendations/workarounds found in comments #26, #31, #34 and #35 -- no joy. Situation: corporate network. Tried with "username", "username@ad.domain" and "NTDOMAIN\username". Nothing works. N900, Maemo 5, ver. 1.2009.44-1. Windows domain controllers on Server 2003 R2.
Update on comment #40 above: I upgraded the phone over the weekend to 2.2009.51-1. No difference, I still can't connect using the published workaround.
I can successfully access the corporate MSCHAPv2 network using the configuration described here using a manual user name, but it is of limited value to me because of the issue reported in comment #33. Manual intervention (Check date and time settings -> press "Done") is required to re-establish Wi-Fi access every time I come in range of a different access point with my N900, which is running 2009.51-1. This happens very frequently because the building has dozens of access points. Mail for Exchange sync fails and the N900 appears to be left in a state of high power drain until I notice the popup and clear it. I haven't established a 3G account yet, and don't expect very good coverage in some parts of the building, so Wi-Fi access is very important to me. This bug is the only mention that I see of this issue. Should I open a new Bugzilla entry for the manual intervention required to roam between MSCHAPv2 access points?
No, you don't need to create a new bug for this. You just should use the correct bug for this. This problem is described in bug #3399 and it will be great if you vote for that bug....

(In reply to comment #42)
> I can successfully access the corporate MSCHAPv2 network using the
> configuration described here using a manual user name, but it is of limited
> value to me bacause of the issue reported in comment #33.
>
> Manual intervention (Check date and time settings -> press "Done") is required
> to reestablish Wi-Fi access every time I come in range of a different access
> point with my N900 which is running 2009.51-1. This happens very frequently
> because the building has dozens of access points. Mail for Exchange sync fails
> and the N900 appears to be left in a state of high power drain until I notice
> the popup and clear it. I haven't established a 3G account yet, and don't
> expect very good coverage in some parts of the building so Wi-Fi access is very
> important to me.
>
> This bug is the only mention that I see of this issue. Should I open a new
> bugzilla for the manual intervention required to roam between MSCHAPv2 access
> points?
Created an attachment (id=2314) [details]
Cisco Ace Log

It seems as if there are a few issues going on here...

One is that some users will need to go into the advanced tab and set the manual username. This behavior is because the N900 EAP client sends a hash as your username unless you manually check that box and add a username. (That @domain is dependent on your environment.)

The second issue: you need a cert to attach to your wireless network. I don't see any bug here, just a need for instructions for installing a cert.

The third issue (my case, and I am sure many others from reading) is that the Nokia does not understand that there is no certificate authentication in specific setups, and/or it is using or has a bad certificate that may not be present in North American Cisco equipment. I really think that the N900 is trying to use a certificate when one is not needed. Attached are logs from Cisco Ace... The Ace reports "EAP-TLS or PEAP authentication failed during SSL handshake" in the GUI, and Cisco states this message is from a missing or bad certificate. Cisco's comment is validated by the log file attached.

**The cert in question is not a signed cert for EAP TTL but rather from the SSL handshaking.

I can do some additional testing or answer questions. Thanks.
(From update of attachment 2314 [details])
> AUTH 02/17/2010 16:10:49 I 0143 2012 [PDE]: PdeAttributeSet::addAttribute: User-Name=xxxxx
> AUTH 02/17/2010 16:10:49 I 0143 2012 [PDE]: PdeAttributeSet::addAttribute: Framed-MTU=1400
> AUTH 02/17/2010 16:10:49 I 0143 2012 [PDE]: PdeAttributeSet::addAttribute: Called-Station-Id=0011.9201.7d30
> AUTH 02/17/2010 16:10:49 I 0143 2012 [PDE]: PdeAttributeSet::addAttribute: Calling-Station-Id=ec9b.5b42.05e7
> AUTH 02/17/2010 16:10:49 I 0143 2012 [PDE]: PdeAttributeSet::addAttribute: ssid=xxxx
> AUTH 02/17/2010 16:10:49 I 0143 2012 [PDE]: PdeAttributeSet::addAttribute: Service-Type=1
> AUTH 02/17/2010 16:10:49 I 0143 2012 [PDE]: PdeAttributeSet::addAttribute: Message-Authenticator=(binary value)
> AUTH 02/17/2010 16:10:49 I 0143 2012 [PDE]: PdeAttributeSet::addAttribute: EAP-Message=(binary value)
> AUTH 02/17/2010 16:10:49 I 0143 2012 [PDE]: PdeAttributeSet::addAttribute: NAS-Port-Type=19
> AUTH 02/17/2010 16:10:49 I 0143 2012 [PDE]: PdeAttributeSet::addAttribute: cisco-nas-port=24330
> AUTH 02/17/2010 16:10:49 I 0143 2012 [PDE]: PdeAttributeSet::addAttribute: NAS-Port=24330
> AUTH 02/17/2010 16:10:49 I 0143 2012 [PDE]: PdeAttributeSet::addAttribute: NAS-IP-Address=xx.xx.xx.x
> AUTH 02/17/2010 16:10:49 I 0143 2012 [PDE]: PdeAttributeSet::addAttribute: NAS-Identifier=LD0A-LD0-01
> AUTH 02/17/2010 16:10:49 I 0143 2012 [PDE]: PdeAttributeSet::addAttribute: PDE-NAS-Vendor-14=8
> AUTH 02/17/2010 16:10:49 I 0143 2012 [PDE]: PdeAttributeSet::addAttribute: PDE-Service-ID-0=0
> AUTH 02/17/2010 16:10:49 I 0143 2012 [PDE]: PolicyMgr::SelectService: context id=4258; no profile was matched - using default (0)
> AUTH 02/17/2010 16:10:49 I 5081 2012 Done RQ1152, client 2, status 0
> AUTH 02/17/2010 16:10:49 E 5103 1996 AllocateThread returned 6
> AUTH 02/17/2010 16:10:49 S 5100 1996 Listening for new TCP connection ------------
> AUTH 02/17/2010 16:10:49 A 5086 2032 Worker 6 established conn 430203 with 127.0.0.1:1172
> AUTH 02/17/2010 16:10:49 I 5094 2032 Worker 6 processing message 1.
> AUTH 02/17/2010 16:10:49 I 5081 2032 Start RQ1005, client 50 (127.0.0.1)
> AUTH 02/17/2010 16:10:49 I 5081 2032 Done RQ1005, client 50, status 0
> AUTH 02/17/2010 16:10:49 E 5103 1996 AllocateThread returned 7
> AUTH 02/17/2010 16:10:49 S 5100 1996 Listening for new TCP connection ------------
> AUTH 02/17/2010 16:10:49 A 5086 2036 Worker 7 established conn 430204 with 127.0.0.1:1173
> AUTH 02/17/2010 16:10:49 I 5094 2036 Worker 7 processing message 1.
> AUTH 02/17/2010 16:10:49 I 5081 2036 Start RQ1026, client 50 (127.0.0.1)
> AUTH 02/17/2010 16:10:49 I 1554 2036 pvAuthenticateUser: authenticate 'xxxxxx' against Windows Database
> AUTH 02/17/2010 16:10:49 I 5081 2036 Done RQ1026, client 50, status -2046
> AUTH 02/17/2010 16:10:49 I 5094 2036 Worker 7 processing message 2.
> AUTH 02/17/2010 16:10:49 I 5081 2036 Start RQ1027, client 50 (127.0.0.1)
> AUTH 02/17/2010 16:10:49 I 0897 2036 AuthenProcessResponse: process response for 'xxxxxxx'
> AUTH 02/17/2010 16:10:49 I 5081 2036 Done RQ1027, client 50, status -2046
> AUTH 02/17/2010 16:10:49 I 5094 2036 Worker 7 processing message 3.
> AUTH 02/17/2010 16:10:49 I 5081 2036 Start RQ1027, client 50 (127.0.0.1)
> AUTH 02/17/2010 16:10:49 I 0897 2036 AuthenProcessResponse: process response for 'xxxxxxx'
> AUTH 02/17/2010 16:10:49 E 0361 2036 EAP: PEAP: ProcessResponse: SSL handshake failed, status = 3 (SSL recv alert warning:bad certificate)
> AUTH 02/17/2010 16:10:49 E 0361 2036 EAP: PEAP: ProcessResponse: SSL ext error reason: 0 (Ext error code = 0)
> AUTH 02/17/2010 16:10:49 I 5081 2036 Done RQ1027, client 50, status -2120
> AUTH 02/17/2010 16:10:49 I 5094 2012 Worker 1 processing message 77.
> AUTH 02/17/2010 16:10:49 I 5081 2012 Start RQ1040, client 2 (127.0.0.1)
> AUTH 02/17/2010 16:10:49 I 5081 2012 Done RQ1040, client 2, status 0
> AUTH 02/17/2010 16:11:06 A 5096 2024 Worker 4 error/timeout, forcing API disconnect of connection 430200.
> AUTH 02/17/2010 16:11:06 A 5097 2024 Worker 4 closing conn 430200 endpoint. Handled 4 messages.
> AUTH 02/17/2010 16:11:06 A 5082 2024 Worker 4 waiting for work
> AUTH 02/17/2010 16:11:06 A 5096 2016 Worker 2 error/timeout, forcing API disconnect of connection 430199.
> AUTH 02/17/2010 16:11:06 A 5097 2016 Worker 2 closing conn 430199 endpoint. Handled 4 messages.
> AUTH 02/17/2010 16:11:06 A 5082 2016 Worker 2 waiting for work
> AUTH 02/17/2010 16:11:15 I 0991 1980 pvNASMonitorThreadMain: start NM update ...
> AUTH 02/17/2010 16:11:15 A 0000 1980 SL:SP_NMstartTransaction - Failed to start transaction, because previous one is not ended yet
> AUTH 02/17/2010 16:11:16 I 5094 2008 Worker 0 processing message 1405.
I just bought a new N900 and thought it would solve the age-old problem of EAP MSCHAP2 on Nokia cellphones. (I had the same issue on an E71.) Please fix this ASAP. Thanks, JP
(In reply to comment #44)
> It seems as if there are a few issues going on here...

And that is exactly the problem why there is not and will not be much progress here. :-/ If you have a clean, separate issue with good information (see https://bugs.maemo.org/page.cgi?id=bug-writing.html ) and good and totally exact steps to reproduce, feel free to file a new report.

(In reply to comment #46)
> I just bought new N900 and thought it would solve to age-old problem of EAP
> MSCHAP2

"me too" comments don't help anybody and just create useless bugmail that makes developers not read bugmail. See the backlog for how to provide useful information.
I am not sure whether this is related to the certificate issue, but I experienced the same symptoms: authentication failure. It was determined that the username gets encrypted, e.g.:
On N900: stb/jspies
On the server side: "Fully-Qualified-User-Name = STB\RmRCOHfi94emgW5PaNfR0g=="
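As an added example (not code from this bug, Maemo or Nokia), a small Python triage pass over RADIUS server lines in the shape of the attached Cisco log (comments 44/45) and the mangled identity above: it separates the "SSL recv alert warning:bad certificate" case, where the supplicant refused the server certificate, from other handshake failures, and flags outer identities that are a base64 digest rather than a user name. The log lines are constructed, and the regexes and the attempt-grouping heuristic are assumptions for this example.

```python
import base64
import binascii
import re
from collections import defaultdict

# Constructed sample in the shape of the Cisco log attached to this bug
# (MACs and names made up; the base64 identity is the one from comment 48).
SAMPLE_LOG = """\
AUTH 02/17/2010 16:10:49 I 0143 2012 [PDE]: PdeAttributeSet::addAttribute: User-Name=alice
AUTH 02/17/2010 16:10:49 I 0143 2012 [PDE]: PdeAttributeSet::addAttribute: Calling-Station-Id=ec9b.5b42.05e7
AUTH 02/17/2010 16:10:49 E 0361 2036 EAP: PEAP: ProcessResponse: SSL handshake failed, status = 3 (SSL recv alert warning:bad certificate)
AUTH 02/17/2010 16:12:03 I 0143 2012 [PDE]: PdeAttributeSet::addAttribute: User-Name=STB\\RmRCOHfi94emgW5PaNfR0g==
AUTH 02/17/2010 16:12:03 I 0143 2012 [PDE]: PdeAttributeSet::addAttribute: Calling-Station-Id=ec9b.5b42.05e7
AUTH 02/17/2010 16:15:10 I 0143 2012 [PDE]: PdeAttributeSet::addAttribute: User-Name=bob
AUTH 02/17/2010 16:15:10 I 0143 2012 [PDE]: PdeAttributeSet::addAttribute: Calling-Station-Id=0011.2233.4455
"""

ATTR_RE = re.compile(r"addAttribute: (?P<key>[\w-]+)=(?P<value>.*)$")
TLS_FAIL_RE = re.compile(r"SSL handshake failed, status = \d+ \((?P<reason>[^)]*)\)")

def looks_like_opaque_identity(identity):
    """True when the outer identity (DOMAIN\\ and @realm stripped) is a base64
    blob of digest size rather than a user name."""
    name = identity.rsplit("\\", 1)[-1].split("@", 1)[0]
    if len(name) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]{20,}={0,2}", name):
        return False
    try:  # 16/20/32 raw bytes are the usual MD5/SHA-1/SHA-256 digest sizes
        return len(base64.b64decode(name, validate=True)) in (16, 20, 32)
    except (binascii.Error, ValueError):
        return False

def parse_attempts(log_text):
    """Group lines into attempts. Assumption (this example only): an attempt
    starts at a User-Name attribute and owns every line up to the next one."""
    attempts, current = [], None
    for line in log_text.splitlines():
        attr = ATTR_RE.search(line)
        if attr:
            key, value = attr.group("key"), attr.group("value").strip()
            if key == "User-Name":
                current = {"identity": value, "station": None, "tls_failure": None}
                attempts.append(current)
            elif current is not None and key == "Calling-Station-Id":
                current["station"] = value
            continue
        fail = TLS_FAIL_RE.search(line)
        if fail and current is not None:
            current["tls_failure"] = fail.group("reason")
    return attempts

def classify(attempt):
    """Findings for one attempt, from the RADIUS operator's side."""
    findings, reason = [], attempt["tls_failure"]
    if reason and "recv alert" in reason and "bad certificate" in reason:
        # The server RECEIVED a bad_certificate alert, so the supplicant rejected the
        # server's certificate (CA not installed/trusted, or device clock wrong):
        # the client-side trust problem this bug is about, not a bad password.
        findings.append("supplicant rejected server certificate: " + reason)
    elif reason:
        findings.append("PEAP TLS handshake failed: " + reason)
    if looks_like_opaque_identity(attempt["identity"]):
        findings.append("outer identity is a hash/base64 blob; set a manual user name")
    return findings

def triage(log_text):
    """Map Calling-Station-Id (client MAC) to findings for attempts needing a look."""
    report = defaultdict(list)
    for attempt in parse_attempts(log_text):
        for finding in classify(attempt):
            report[attempt["station"]].append(finding)
    return dict(report)
```

Run `triage(SAMPLE_LOG)` to get one entry for the N900's MAC with both findings and nothing for the station that authenticated cleanly.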
Created an attachment (id=3224) [details]
log in server with fail

log with success from a Debian and a fail from N900
(In reply to comment #49)
> Created an attachment (id=3224) [details] [details]
> log in server with fail
>
> log with succes from a debian and a fail from N900

I forgot the specific server data: W2008 R2
(In reply to comment #49)
> Created an attachment (id=3224) [details] [details]
> log in server with fail
> log with succes from a debian and a fail from N900

In case you have upgraded to PR1.3, please check out this bug: https://bugs.maemo.org/show_bug.cgi?id=11452 There was a nasty regression in it which invalidated some private keys installed in the device.