I sporadically use my Windows Mobile 6.5 phone (Sprint TouchPro2) with the University WiFi network (which is 802.11i authenticated: uses 802.1x switching and PEAP/MSCHAPv2 auth), probably less frequently than I flash a new ROM onto the phone.
The last year or so, I’ve occasionally failed repeatedly to authenticate with my AD user account for wireless: the device almost instantly returns me to the username/password prompt after I enter my correct password. Oddly, none of these auth attempts are logged at the RADIUS AAA server (was IAS, now Windows 2008 using Network Policy Server). Today I finally figured out why:
I have a personal SSL certificate I use for digitally signing email (Startcom free personal SSL certificate) which normally gets installed on the device after I’ve flashed a new ROM and been on WiFi to sync stuff back into the device. I tell the WM WiFi supplicant to save my login/password – so I’m good for up to 90 days.
When it comes time, and I change my AD password, the phone prompts me for a new password for wireless – but goes into the prompt again, again, again, failure. It *seems* that the Windows Mobile supplicant is prompting me for PEAP credentials, but perhaps is sending my SSL certificate as an EAP-TLS response, which our wireless controller accepts but our RADIUS (NPS) server isn’t configured to accept.
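One way to check a hypothesis like this from a packet capture on the controller or NPS side is to decode the EAP method in each Request/Response pair and flag a peer that answers a PEAP request with something else (or Naks it asking for EAP-TLS). The following is an added example, not code from the post; the EAP header layout follows RFC 3748 and the sample frames are constructed.

```python
# Added example: decode which EAP method a supplicant actually offers, to test the
# "PEAP expected, EAP-TLS sent" hypothesis. Header per RFC 3748:
#   Code(1) Identifier(1) Length(2) [Type(1) Type-Data...]
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Method type numbers from the IANA EAP registry
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eap(frame: bytes) -> dict:
    """Parse one EAP packet into code, id, length, method type and type-data."""
    if len(frame) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if length < 4 or length > len(frame):
        raise ValueError("EAP Length field inconsistent with frame")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a Type
        method = frame[4]
        pkt["type"] = EAP_TYPES.get(method, method)
        pkt["data"] = frame[5:length]
        if method == 3:  # Nak: type-data lists the methods the peer would accept
            pkt["nak_wants"] = [EAP_TYPES.get(b, b) for b in pkt["data"]]
    return pkt


def method_mismatch(server_request: bytes, peer_response: bytes) -> str:
    """Compare the method the authenticator requested with what the peer sent back."""
    req, rsp = parse_eap(server_request), parse_eap(peer_response)
    if rsp.get("type") == "Nak":
        return f"peer refused {req.get('type')}, wants {rsp['nak_wants']}"
    if req["id"] != rsp["id"]:
        return "identifier mismatch"
    if rsp.get("type") != req.get("type"):
        return f"peer answered {req.get('type')} request with {rsp.get('type')}"
    return "ok"


# Constructed sample frames (id 7). 0x20 in the PEAP request is the Start flag.
PEAP_REQUEST = bytes([1, 7, 0, 6, 25, 0x20])
PEAP_RESPONSE = bytes([2, 7, 0, 6, 25, 0x00])  # well-behaved peer
TLS_RESPONSE = bytes([2, 7, 0, 6, 13, 0x00])   # EAP-TLS where PEAP was requested
NAK_RESPONSE = bytes([2, 7, 0, 6, 3, 13])      # Nak asking for EAP-TLS instead

if __name__ == "__main__":
    for name, rsp in [("peap", PEAP_RESPONSE), ("tls", TLS_RESPONSE), ("nak", NAK_RESPONSE)]:
        print(name, "->", method_mismatch(PEAP_REQUEST, rsp))
```

Run against frames extracted from the RADIUS EAP-Message attributes (or the EAPOL frames on the wireless side) to see whether the handset ever sends a PEAP response at all.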
A good argument for implementing PKI with personal certificates… but my temporary work-around is to delete my private key/personal cert from the Windows Mobile certificate store, log in to WiFi and have the supplicant save my password, then reinstall the cert/private key and go for another 90 days.