Once you have working Linux or Windows XP clients connected to your
Wifi router via WPA/WPA2 enterprise,
follow these instructions to connect your phone. You will need the
PEM pass phrase or password used to protect the client keys. You will probably
need internet access and a way to get files onto the phone's SD card.
1. Setup storage
Set a credential storage password on your droid first (settings -> location
& security -> set password / use secure credentials).
The credential storage password will be needed every time you power up your
phone and, in my experience, you are not prompted to enter it when switched
on.
2. Install certs
Convert cacert.pem (signing authority, Trusted Root CA etc.)
with http://www.realmb.com/droidCert/
Point the output URL into a browser on your phone to install it.
(Note: as with WPA supplicant, you don't need the cacert.pem, so don't
import it if you're getting 'No certificate to install'.)
Get the user cert/key .p12 file and copy it to the phone's SD card (root folder).
Import this cert with Install from SD card (same menu as above).
The password will be the export password.
Give the certificate a meaningful name rather than the garbage proposed in Name the certificate.
3. Install google play free app wifiace (WiFi Advanced Config Editor).
This may not be essential but is included to customise some settings.
4. In settings -> wireless, tap on the WPA/WPA2 enterprise AP and start
the config, particularly the setting for certs.
5. Open up app wifi ace. In enterprise config...
EAP->TLS
Phase2 -> MSCHAPV2
User certificate -> see step 2
identity/anon -> root (or some other username, don't leave
blank but it's not fussy what's used).
password -> (certificate export/protection password)
Check client cert/ca cert/priv key have keystore:// in wifi ace
if having problems.
Auth protocol -> seems to default to LEAP.
Guide valid for Android 2.5.3 (gingerbread).
(see http://prtl.uhcl.edu/portal/page/portal/UCT/New_UCT/documentation/reap/UHCL-Android-Wireless.pdf for some more info)
Guide
2. Install certs
Get the user cert/key .p12 file and copy it to the phone's/tablet's SD card (root folder),
i.e. /sdcard. This can be done over bluetooth,
mass storage (USB), or the web over an alternative wifi connection.
Import this cert with Install from SD card in settings -> security
-> install from SD card. The certificate file name will
become the user certificate name.
3. Setup wifi. In settings -> Wi-Fi, tap on the 802.1x (WPA/WPA2 enterprise)
AP you wish to connect to.
EAP method->TLS
Phase2 auth -> MSCHAPV2
CA certificate -> unspecified
User certificate -> see step 2
identity/anon -> root (or some other username, don't leave
blank but it's not fussy what's used).
password -> certificate password set at create or PEM passphrase
2. Prepare certs.
You need a .p12 file with the client cert and client private key
as per the previous examples. Unlike the other droids, Android 4.3 needs the CA certificate.
This needs to be taken from your signing authority and converted to a binary (DER) file with
a .crt extension. In Linux, use the command:
openssl x509 -inform PEM -outform DER -in cacert.pem -out CA.crt
where cacert.pem is your certificate authority's certificate.
3. Copy certificates and install
Copy the .p12 cert file and the CA.crt file to the root of the device storage
(i.e. not the external SD card).
In settings -> More -> security, install from device storage. Put in the password when asked.
Credential use in this case will be wifi. Make sure you use meaningful names when
prompted. Be aware that the droid deletes the cert files from the root file system once
they are installed, so always use copies.
4. Setup wifi. In settings -> Wi-Fi, tap on the 802.1x (WPA/WPA2 enterprise)
AP you wish to connect to.
EAP method->TLS
CA certificate -> see step 3. (CA.crt)
User certificate -> see step 3 (.p12 file)
identity -> root-galaxy-s5 (or some other username, don't leave
blank and avoid @).
No further password or pass phrase is required.
You should be ready to connect and go!
(help from http://android.stackexchange.com/questions/4053/how-do-you-import-ca-certificates-onto-an-android-phone for step 2.)
Troubleshooting/top tips.
Authentication error / TLS Alert read:fatal:bad certificate: if you get this error message in the radius log files,
make sure your new toy droid has the correct time and date; otherwise the certificate validity check may fail,
since certificates have a start and end date (notBefore/notAfter).
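An added example, not part of the original guide: a shell script that produces the two files the Android 4.3 steps call for (CA.crt in DER form and the client .p12 bundle) and then uses openssl verify to reproduce the wrong-clock failure described under Troubleshooting. The CA and client certificate are throwaway ones generated on the spot, and the file names and export password are assumptions.

```shell
# Added example, not from the guide: build CA.crt (DER) and client.p12 as the
# Android 4.3 steps need them, then show why a wrong phone clock ends in
# "bad certificate". The CA and client cert are throwaway ones generated here;
# file names and the export password are assumed values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Throwaway PKI so the script runs stand-alone; substitute your real
# cacert.pem, client.crt and client.key for an actual deployment.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout cakey.pem -out cacert.pem \
        -subj "/CN=Demo Wifi CA" -days 365 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
        -subj "/CN=root-galaxy-s5" >/dev/null 2>&1
    openssl x509 -req -in client.csr -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -out client.crt -days 365 >/dev/null 2>&1
}

# Step 2 of the Android 4.3 guide: the CA certificate as a DER file named CA.crt.
convert_ca_to_der() {
    openssl x509 -inform PEM -outform DER -in cacert.pem -out CA.crt
    # Round-trip check: the DER file must parse back to the same subject.
    openssl x509 -inform DER -in CA.crt -noout -subject
}

# Client cert + private key bundled as .p12. $1 is the export password, which
# is what Android asks for at "Install from SD card".
build_p12() {
    openssl pkcs12 -export -in client.crt -inkey client.key -certfile cacert.pem \
        -name "wifi-client" -out client.p12 -passout "pass:$1"
    # Confirm the password opens the bundle before copying it to the phone.
    openssl pkcs12 -in client.p12 -noout -passin "pass:$1"
}

# Troubleshooting tip: validate the client cert against the CA as if the clock
# read $1 (epoch seconds). A device whose clock is stuck at 1970 fails this
# notBefore/notAfter check exactly as the phone does on the server's cert.
verify_at() {
    openssl verify -attime "$1" -CAfile cacert.pem client.crt >/dev/null 2>&1
}

make_demo_pki
convert_ca_to_der
build_p12 "export-pass-demo"
verify_at "$(date +%s)" && echo "client cert valid with a correct clock"
verify_at 0 || echo "client cert rejected when the clock reads 1970"
```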