Windows Mobile 6.5 bug with 802.11/PEAP and personal certificates

I sporadically use my Windows Mobile 6.5 phone (Sprint TouchPro2) with the University WiFi network (which is 802.11i authenticated: uses 802.1x switching and PEAP/MSCHAPv2 auth), probably less frequently than I flash a new ROM onto the phone.

The last year or so, I’ve occasionally failed repeatedly to authenticate with my AD user account for wireless: the device almost instantly returns me to the username/password prompt after I enter my correct password. Oddly, none of these auth attempts are logged at the RADIUS AAA server (was IAS, now Windows 2008 using Network Policy Server). Today I finally figured out why:

I have a personal SSL certificate I use for digitally signing email (Startcom free personal SSL certificate) which normally gets installed on the device after I’ve flashed a new ROM and been on WiFi to sync stuff back into the device. I tell the WM WiFi supplicant to save my login/password – so I’m good for up to 90 days.

When it comes time, and I change my AD password, the phone prompts me for a new password for wireless – but goes into the prompt again, again, again, failure. It *seems* that the Windows Mobile supplicant is prompting me for PEAP credentials, but perhaps is sending my SSL certificate as an EAP-TLS response, which our wireless controller accepts but our RADIUS (NPS) server isn’t configured to accept.

A good argument for implementing PKI with personal certificates… but my temporary work-around is to delete my private key/personal cert from the Windows Mobile certificate store, login to WiFi and have the supplicant save my password, then reinstall the cert/private key and go for another 90 days.
