The great big, super duper ESU/WPA problem

[MarsGuy]

I have just installed the Enterprise Security Update to allow me to connect to my university's secure network.

I have entered the settings that they provide at wireless.ubc.ca:

Network/SSID: ubcsecure (you may have to manually type this in)
Server: secure.wireless.ubc.ca (if there is a mutual authentication option)
Data Encryption Method: TKIP
EAP Type: PEAP
Network Authentication Method: WPA (also sometimes called WPA-PEAP or WPA-RADIUS)

When I try to connect, I get a dialog box that says:

Connection failed - problem verifying the server certificate (2004) Missing valid CA certificate

Anyway, it looks like I need to provide a CA certificate in order to connect and the university says that my device should pull that from the network when it tries to make a connection.

Here is the email that I received from the university's IT support (my emphasis in bold):

It appears that you may need to download the security certificate. In your case, you could try doing it by connecting to WPA on a laptop, somehow finding the certificate and putting it on to your Palm TX. We have no idea how to do this and we don't provide support for this as certificate handling should be automated on the device. The problem that is coming up seems to indicate that it is a device-side problem since the Palm TX isn't able to pull the certificate properly or it isn't able to read security certificates properly.

Two questions:
1 - Why doesn't the ESU software work in the way it is expected here?
2 - How do I go about doing what she is asking me to (since she doesn't know where to actually get the certificate from--see bold part above)?

Anybody have any ideas?

Thanks everybody!

-Ian

[Dick Tracy]

Try this thread.

[MarsGuy]

Unfortunately, nobody in that thread mentions where the certificate comes from. The IT people swear that a well-behaved computer will download it when it tries to connect.

Any ideas out there?

[pharbrian]

Unfortunately, nobody in that thread mentions where the certificate comes from. The IT people swear that a well-behaved computer will download it when it tries to connect.

Any ideas out there?

I had to manually download the CA certificate from my university and install it via the PalmWifiProfileWizard application.
One thing I found when dealing with University tech support... some of them have no idea as to what they are talking about. Ask to speak to someone who impliments the wifi network, or at least ask for someone above the people you have been dealing with.
It shouldn't be a problem to have them provide the CA certificate. You could even try searching your school's website for it. That's how I got mine.

[irfan]

Just had the exact same problem. First things first, look in your schools help pages for help on setting up the wireless for OTHER systems, eg mac or pc. this will maybe mention the certificate you need.

here at OSU they use the Equifax Secure Certificate Authority certificate. This is a pretty generic certificate and was downloadable at:

http://www.geotrust.com/resources/ro...ates/index.asp

hopefully your school uses a similar common certificate.

now if your school uses a unique certificate you will need to log on to the network with a laptop or someone else laptop and do this if its windowsxp:

go to START -> RUN-> "mmc"
then FILE--> ADD/REMOVE SNAP IN
then"Add.." --> "CERTIFICATE"--> "Add" --> FINISH--> OK-->OK
then in the console choose CERTIFICATES and try to find the name of the certificate in those listed folders.

mine was in "TRUSTED ROOT CERTIFICATE AUTHORITIES"--> CERTIFICATES

Find the certificate, RIGHTCLICK --> ALL TASKS --> EXPORT...

export as a .cer, save it to the computer.. if you're on a different computer than the one you hotsync with then email the file to yourself.

in the ESU zip file you downloaded from PALM go to the WIFIPROFILEWIZARD.exe and create a profile with all of the proper parameters you need. For the certificates click add and select the certificate you exported "[name].cer". save the profile to somewhere you can find it.

find the profile on your hard drive "[name].pdb" and double click to add to your hotsync installer. hotsync. this sends it to your palm.. or you can add it to the "palm" folder on a SD card.

On your Palm select the wireless network you are trying to connect to, then configure it.. and choose:

SECURITY: ENTERPRISE
MODE: mode you need , mine is WPA1/WPA2
ENCRYTPION: i use TKIP
Profile: choose the profile you loaded/made in profilewizard. it will be in the drop down list.

The profile will have the certificate and log in information you already filled in when you made the profile, but you may have to re-enter this info somewhere too.

I sent an email to my school telling how to do this .. a little more lengthy and formal tho..because at Ohio State with 50,000 students they had NO support for Palm. I think they may add my suggestions to their help site.

I hope this helps you out, took me a long while to piece together various info to get this to work. All would be easier if the TX would just download a freakin certificate automatically.

[Dred]

irfan,
Your post was a god send. I had already purchased the upgrade thinking it would allow me to connect to our corporate wifi network which uses MSCHAPv2 authorization. Unfortunately, our certificate is distributed in the PKCS #7 format (.P7B extension). This seems to be the only format NOT supported by the profile wizard included by Palm. So I thought I was SOL again.

Using the steps above, I was able to export that certificate in the standard DER encoded X.509 format and everything is working beautifully now. I'm accessing our corporate intranet and running VNC on our linux servers.

[MarsGuy]

Well...I emailed the director of Information Technology at UBC, and he sent me a link to a zip file containing several certificates. In case anyone ever needs the certificate for UBC, it is "Thawte Premium Server CA" and can be downloaded from here:

http://www.thawte.com/roots/

There are several certificates in there, but you only need the one. I will put together some instructions and email them back to the guy in hopes that they post this info. Hopefully the next person with a TX won't have to go through what I did.

[Dick Tracy]

I vote that this thread gets a sticky, very useful information. Thanks irfan and marsguy.

[irfan]

no problem.

i didnt make gold from lead or anything but im glad to hear that tons of time tinkering is helping out other people on this board. Ive gotten a lot of good info from this board and just wanted to give back!

If youve had this problem and the solution here works.. EMAIL IT TO YOUR I.T. DEPARTMENT!!! the last thing we need is people ditching their TXs because they think its unsupported!

take care,
Irfan

[MarsGuy]

Go to:

http://www.it.ubc.ca/wireless/wpa.shtml

and scroll all the way to the bottom of the page. There is now a note about the TX listed there. The cool thing about this is that it contains the instructions that I emailed to the director of IT.

I can't say that they have given it a glowing endorsement, since the little note is enough to scare most people away. Nevertheless, they changed their website because of my experience. And that, to me, is pretty great!