[Q] EAP-TLS authentication - Windows Phone 8 Q&A, Help & Troubleshooting

As far as I understand Windows Phone 8 doesn't support WPA2 Enterprise EAP-TLS authentication. I mean certificate-only based authentication.
Is there any third party app which allows such authentication?

I haven't worked anywhere that used WPA2-EAP since the days of WP7, but WP7 did support it. I have a hard time believing that WP8 does not...
However, third-party apps are not going to be the solution here; apps do not have the ability to directly control the network interfaces or implement authentication schemes for the whole phone.

GoodDayToDie said:
I haven't worked anywhere that used WPA2-EAP since the days of WP7, but WP7 did support it. I have a hard time believing that WP8 does not...
I remember vaguely using WPA2 EAP-TLS on WP7. But on WP8 I can't find a solution. And googling doesn't help either.

uszu said:
I remember vaguely using WPA2 EAP-TLS on WP7. But on WP8 I can't find a solution. And googling doesn't help either.
It should work. I am using WPA2-EAP and doing user authentication against Active Directory. I support server certificate verification and pushed the cert to the domain member PCs through a GPO, but I don't require verification since the cert isn't installed on most users' phones and tablets. I've been able to associate to the access point with my Nokia Lumia 920 using my domain credentials as long as I don't do the server certificate verification.

In EAP-TLS you authenticate with a client certificate. According to Joe Belfiore, WP8 will not support this feature soon.
See also users voting here for adding this option.
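As an added example (not from any post in this thread), here are the three client setups discussed above written as wpa_supplicant network blocks, so the difference between "verify the RADIUS server certificate" and "don't" is visible next to a pure EAP-TLS profile. The SSID, identity, password, file paths and RADIUS server name are assumed.

```conf
# (1) PEAP/MSCHAPv2 with NO server certificate verification.
#     Any AP broadcasting this SSID can complete the outer TLS handshake with
#     its own certificate, run the inner MSCHAPv2 exchange, and capture the
#     challenge/response for offline cracking of the domain password.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    # no ca_cert= here: the supplicant accepts any server certificate
}

# (2) Same profile with verification required: the RADIUS certificate must
#     chain to the pushed CA and carry the expected name, or phase 2 never runs.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
}

# (3) EAP-TLS: no password at all. The client authenticates with its own
#     certificate and private key, and still verifies the server the same way.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jdoe@corp.example"
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    client_cert="/etc/wpa_supplicant/jdoe.crt"
    private_key="/etc/wpa_supplicant/jdoe.key"
    private_key_passwd="key-passphrase"
}
```

The practical consequence of profile (1) is that the server certificate becomes decorative: the device will hand its MSCHAPv2 response to whichever access point answers first for that SSID. Profile (3) removes the password from the exchange entirely, which is why the original poster wants it and why it needs the CA and client certificate provisioned on the phone beforehand.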

Related

Exchange ActiveSync Issues...

So I've gone through a total of 6 Palm Pre's & Sprint allowed me to choose a different device, so I just picked up a Hero...
The problem is, of course, lack of simple PIN & remote wipe support for ActiveSync, so I am unable to use my corporate email on the device. I have tried using TouchDown & that doesn't even work. It seems that my work may have a filter, I was told by support for TouchDown (I work for a large technology company, so IT policies are very strict).
My question is, is there any way, by rooting or whatnot, to get my device to support ActiveSync fully? Or a way of somehow fooling EAS into thinking I have a simple PIN setup & remote wipe available?
I really wanted to start using an Android device, but shoot, if I can't even get my work email on it, it's pretty pointless...
Thanks all!
Thought 2.1 took care of those security issues. The only other option is TouchDown in the Market; it works with complex security options.
-------------------------------------
Sent via the XDA Tapatalk App

[Q] RSA SecurID 2-factor Authentication

Hello,
Does anybody know of a current solution to connecting to a VPN using RSA SecurID? I know RSA now provides software for the hardware token which generates token codes, but what I need is an app or a solution that will let me *connect* to the VPN servers using my PIN and the generated token codes.
It would be sad if there's currently no solution, because I can't access most of my work files without getting on the VPN, including my Exchange e-mail.
Any help or ideas would be appreciated.
Bump.
Sent from my GT-P1000 using XDA App
What VPN solution are you using with the SecurID? We're using it here, but not with a VPN solution, just to gain access to Citrix/XenApp servers.
For example, if you're using a Cisco VPN Concentrator, I believe all you'd need is the tun module and the vpnc binaries built for android. Connecting would be a command-line affair, unless someone out there has built a graphical app wrapper like they have for the OpenVPN stuff.
Get the RSA SecurID token software from the market, import your token (using iphone method and paste it in securid), get a robot vpnc http://code.google.com/p/get-a-robot-vpnc/ and tun.ko (posted somewhere in Galaxy Tab forums or build it yourself).
It worked for me for my work VPN.
We're using SecureClient to connect our workstations, so I'm guessing we use Checkpoint VPN. I'm fairly new to VPN, as this is my first job which requires us to use one, so I don't know much about it.
Technomancer said:
Get the RSA SecurID token software from the market, import your token (using iphone method and paste it in securid), get a robot vpnc http://code.google.com/p/get-a-robot-vpnc/ and tun.ko (posted somewhere in Galaxy Tab forums or build it yourself).
It worked for me for my work VPN.
Thanks, I'll see what I can do.
Technomancer said:
Get the RSA SecurID token software from the market, import your token (using iphone method and paste it in securid), get a robot vpnc http://code.google.com/p/get-a-robot-vpnc/ and tun.ko (posted somewhere in Galaxy Tab forums or build it yourself).
It worked for me for my work VPN.
Does that client you posted actually have an rsa eap client integrated? I am very curious.
I set up our ISA servers at work to authenticate against RSA servers for two-factor. We use keychain tokens. We are using this on PCs deployed with CMAK along with an added installed EAP client. The VPN also works with the built-in EAP client included with Apple OS and tested on Mac, iPad, and iPhone.
I'm curious if anyone has found an android vpn client that will allow you to enter your token code.
I've been looking for the same solution myself. . . Got the new Cisco jabber client but of course need to vpn first.
Sent from my GT-P1000 using XDA App
omnia2tester said:
Does that client you posted actually have an rsa eap client integrated? I am very curious.
I set up our ISA servers at work to authenticate against RSA servers for two-factor. We use keychain tokens. We are using this on PCs deployed with CMAK along with an added installed EAP client. The VPN also works with the built-in EAP client included with Apple OS and tested on Mac, iPad, and iPhone.
I'm curious if anyone has found an android vpn client that will allow you to enter your token code.
I know there are software tokens for many of the mobile platforms to generate RSA keys and such. We also use RSA for Citrix. However those won't help with VPN.
I too am looking for a VPN client that will leverage the SecurID EAP authentication. It would be nice if the Android distribution included a built-in client like Apple iOS does. :-(
Hi Guys,
Did anyone ever get a workaround for this? we're trying to get users to use tablets to VPN into work using IPSec and SecurID tokens without buying anyconnect licenses.
Cheers

Making People think Note is secure!

The company where I work does not let me sync my Note to the office Outlook server, quoting security issues. When I asked them why, this was their reply: "As for Galaxy Note, unfortunately that device does not have all the basic security requirements we would want. The most important of them is that the device does not allow a remote wipe on the device or on the SD card.
Therefore, we are unable to let it connect to our infrastructure."
I know we have remote admin in all Samsung phones and can use it from the Samsung Dive site. Is this feature different from the ones available in iPhones (my office allows iPhones and BBs to sync)?
ravi_buz said:
The company where I work does not let me sync my Note to the office Outlook server, quoting security issues. When I asked them why, this was their reply: "As for Galaxy Note, unfortunately that device does not have all the basic security requirements we would want. The most important of them is that the device does not allow a remote wipe on the device or on the SD card.
Therefore, we are unable to let it connect to our infrastructure."
I know we have remote admin in all Samsung phones and can use it from the Samsung Dive site. Is this feature different from the ones available in iPhones (my office allows iPhones and BBs to sync)?
Tell your IT guys to get the Good application supported from the market. The ratings of it are bad in market but it works anyways. My company uses it for Android devices which are stock (non rooted). Good app allows the office data to be remote wiped and can even wipe the whole device in case it is lost.
Hope this helps!
I think Samsung Dive provides everything you could want. Alternatively install an antivirus on it - such as Lookout. The premium version will also provide full wipe and disable features.
Do your IT staff know much about Android phones?
This being an MNC, they compare the phones to the US version and deny support, saying that it does not meet the required security features. This is so irritating, they won't even let us sync the mail.
Sent from my GT-N7000 using XDA
If they are using Exchange server it will remote wipe any device that connects to it. I don't know about Lotus Notes/Domino server though. Do you know which mail server your work has?
Your IT dept are twits... they really need to educate themselves better...
kawgirlval69 said:
Your IT dept are twits... they really need to educate themselves better...
As a corporate email admin I totally agree!!
Sent from my GT-N7000 using xda premium
+1 to all the above...
If they're looking for some noted security, Norton Mobile (although not the highest signature detection) has full remote wiping services.
Sent from my GT-N7000 using xda premium
We also use the Good for enterprise application here on Android and iOS devices (around 300 of them). It works pretty well.
Android will also sync to an Exchange server via ActiveSync, which should be an encrypted connection, and data can be remote-wiped either by an admin or by the user via OWA. They can also enforce a lock key via a certificate installation.
They are either lazy, incompetent or both. Although, Blackberries _are_ more secure than either an Android or iOS device as the Exchange support is ingrained in the OS rather than as a separate layer.
Get Touchdown from the Market. It respects the Exchange security policies in app, which is really all the Exchange admins need worry about. Upside is that if a wipe command is sent, only Touchdown gets nuked, not your whole phone.
Why the Exchange admins should care about the whole phone is beyond me. Worry about a bad guy running around with corporate data on the device.
None of them think. When I send them the details on how Android is also safe they simply forward it to another person. So frustrating.
Where do you work, if you don't mind telling me? Because I'm working as BlackBerry support for a few companies.

[Q] Could it be possible to install an OTA update from a different OTA server?

Is there anyway of installing an OTA update from a different OTA server? Maybe routing the OTA server's address to a local personal OTA server address and forcing the Chromecast to install a rooted ROM?
Yes, but you have to be rooted to do it.
MadBob said:
Yes, but you have to be rooted to do it.
Hence the chicken-and-egg scenario...
The OTA server communication goes through HTTPS, so Chromecast has its security certificate.
If you were to do a MITM attack, you don't have Google's certificate, so the HTTPS request will fail.
It would be easy if you could add your server's certificate to Chromecast.
But that requires having root, which we don't have.
Also, the secure bootloader will only load Google-signed code.
So you'd need to have Google's private key, which nobody but Google has.
Running a custom player app (that runs on Chromecast) to find a vulnerability is challenging too.
In order to run a "custom" player app, you need to sign up to be a Google dev.
The player app will only run for your registered Chromecast(s), not anyone else's.
Adding to that, almost all apps run in a Chrome sandbox.
In order for a player app to run for everybody, Google has to put it on their whitelist.
Which essentially means even if you were to find a vulnerability, Google would be able to yank your player app almost immediately.
Then Google would patch the exploit and release a new firmware...
Stock Chromecasts auto-update and you can't (yet) choose not to accept the update, so you can't avoid the update while still being able to use Chromecast (this might be possible through router blocking/redirection - not sure).
So what does that leave?
A client-side app that somehow takes advantage of a vulnerability in an existing Chromecast player app or service.
Google would still be able to force the developer to update the app, or they themselves could update the firmware, but at least a client-side app could be available for Chromecasts with builds still vulnerable to it, similar to how FlashCast is available for Chromecasts that still have the vulnerable bootloader.
...and of course the existing FlashCast for those few Chromecasts that still have the vulnerable bootloader.
Wish I was artsy enough to make an infographic, heh.
...
bhiga said:
In order for a player app to run for everybody, it Google has to put it on their whitelist.
Which essentially means even if you were to find a vulnerability, Google would be able to yank your player app almost immediately.
You know that fact poses an interesting question....
We already have people redirecting DNS to change location...
How hard would it be to redirect a call to the Whitelist server and redirect it to another that has a Whitelist that is not controlled by Google?
It would have to be done at the router since you can't change it in the CCast without root but it should be possible to redirect the link to some other Whitelist that we could add any app we wanted to it.
Are there any other security checks that would prevent it? I tend to doubt it as we have been able to download the App list via PC and I'm pretty sure that App list is the main Whitelist (I could be dead wrong here)
Asphyx said:
You know that fact poses an interesting question....
We already have people redirecting DNS to change location...
How hard would it be to redirect a call to the Whitelist server and redirect it to another that has a Whitelist that is not controlled by Google?
It would have to be done at the router since you can't change it in the CCast without root but it should be possible to redirect the link to some other Whitelist that we could add any app we wanted to it.
Are there any other security checks that would prevent it? I tend to doubt it as we have been able to download the App list via PC and I'm pretty sure that App list is the main Whitelist (I could be dead wrong here)
Essentially it's the same problem as redirecting the Google OTA server.
It's HTTPS and therefore requires that Chromecast has the server's certificate, adding the certificate requires root.
I do not believe HTTPS can be redirected in a simple rerouted response manner.
bhiga said:
Essentially it's the same problem as redirecting the Google OTA server.
It's HTTPS and therefore requires that Chromecast has the server's certificate, adding the certificate requires root.
I do not believe HTTPS can be redirected in a simple rerouted response manner.
Yes but server certificates are enforced on the server side aren't they?
Perhaps not....
Just to add to @bhiga's excellent explanation: it is actually possible to run a custom web-based player on an unrooted Chromecast, since several whitelisted apps (for example, Google's "TicTacToe" demo app) are served over plain, unencrypted HTTP. That means that a potential root exploit has the ability to load arbitrary HTML/JavaScript on the device. However, this gets us nowhere because of web apps' inherent lack of trust and Google's extensive sandboxing to prevent accidental vulnerabilities (I wrote more on this here).
With regard to the original question, even if we were able to bypass the HTTP certificate checking of the updater, the Chromecast's recovery would still refuse to apply our rooted update since it wouldn't be signed with Google's keys. If this weren't the case, we would simply be able to craft an update file that installed the original, vulnerable bootloader to the device and from there use FlashCast like we do now.
Asphyx said:
Yes but server certificates are enforced on the server side aren't they?
Perhaps not....
The Chromecast contains a list of trusted certificates for "google.com" locally, and only Google has the private keys which allow them to serve files using those certificates (I'm simplifying quite a bit here; if you're interested in the actual "certificate authority" system used, Wikipedia has a good overview) . We can't modify the trusted certificate list without root, and we can't get root (using any of the methods discussed here, at least) without having the private key to a trusted certificate for "google.com". So it's a chicken-and-egg problem, just like any well-designed security model is. (If you already have the keys to the kingdom, it's easy to do whatever you want. Getting the keys is the hard part.)
tchebb said:
The Chromecast contains a list of trusted certificates for "google.com" locally, and only Google has the private keys which allow them to serve files using those certificates (I'm simplifying quite a bit here; if you're interested in the actual "certificate authority" system used, Wikipedia has a good overview) . We can't modify the trusted certificate list without root, and we can't get root (using any of the methods discussed here, at least) without having the private key to a trusted certificate for "google.com". So it's a chicken-and-egg problem, just like any well-designed security model is. (If you already have the keys to the kingdom, it's easy to do whatever you want. Getting the keys is the hard part.)
Thanks. I was under the (false apparently) impression that the Server was the one that did Cert checks not the client and if the client did not have the proper cert the Server could send one or deny sending it data.
But I guess you're saying that the CCast will also check to see if the Cert is valid on the server side before it will accept communication.
Which would require a Google Cert on the Server side.
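The two gates bhiga and tchebb describe above (the client checking the server's certificate against a trust store it carries, and the recovery checking the update's signature against the vendor key) are easier to see as code than as prose. The following is an added example written for this page, not Chromecast or Google code: it models both checks with textbook RSA over SHA-256 using small keys, which is fine for illustration and nothing else. The host name "update.example.com", the CA name, and the firmware image bytes are constructed; a DNS or router redirect is represented simply by an attacker presenting a certificate for the same name signed by their own CA.

```python
"""Toy model of the two checks that defeat a redirected OTA server.

Check 1: the client validates the server certificate against a trust
store baked into the firmware, so pointing DNS at an attacker fails.
Check 2: the recovery applies only an image signed by the vendor key,
so even a bypassed TLS check does not install a rooted image.
Textbook RSA with small keys; illustrative only, not production crypto."""
import hashlib
import math
import random

# Deterministic RNG so the example reproduces; a real system uses os.urandom.
_rng = random.Random(20140101)


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def keygen(bits=512):
    """Textbook RSA key pair: returns (public, private) as (n, e), (n, d)."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(data):
    # SHA-256 as an integer; always smaller than a 512-bit modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data):
    n, d = private
    return pow(_digest(data), d, n)


def verify(public, data, sig):
    n, e = public
    return pow(sig, e, n) == _digest(data)


def _tbs(subject, pubkey):
    """The signed part of a certificate: the name and the key it binds."""
    return "{}|{}|{}".format(subject, pubkey[0], pubkey[1]).encode()


def issue_cert(ca_private, ca_name, subject, subject_pub):
    return {"subject": subject, "pubkey": subject_pub, "issuer": ca_name,
            "signature": sign(ca_private, _tbs(subject, subject_pub))}


def client_accepts_server(trust_store, cert, expected_host):
    """Check 1, done by the device before it trusts 'the OTA server'.
    The name must match and the cert must verify under a CA key the
    device already holds. Where DNS pointed plays no part."""
    if cert["subject"] != expected_host:
        return False
    ca_pub = trust_store.get(cert["issuer"])
    if ca_pub is None:
        return False
    return verify(ca_pub, _tbs(cert["subject"], cert["pubkey"]), cert["signature"])


def recovery_accepts_update(vendor_pub, image, image_sig):
    """Check 2: an image is applied only if signed by the vendor key."""
    return verify(vendor_pub, image, image_sig)


def run_scenarios():
    """Genuine vs rogue server, official vs attacker-signed image."""
    host = "update.example.com"                 # constructed host name
    ca_pub, ca_priv = keygen()
    trust_store = {"Vendor Root CA": ca_pub}    # shipped inside the firmware
    ota_pub, _ota_priv = keygen()
    genuine = issue_cert(ca_priv, "Vendor Root CA", host, ota_pub)

    # Attacker controls DNS and runs their own CA, even reusing the CA name:
    # the stored key, not the name, is what the client checks against.
    _evil_ca_pub, evil_ca_priv = keygen()
    rogue_pub, rogue_priv = keygen()
    rogue = issue_cert(evil_ca_priv, "Vendor Root CA", host, rogue_pub)

    vendor_pub, vendor_priv = keygen()
    official = b"official-firmware.bin (constructed)"
    rooted = b"rooted-firmware.bin (constructed)"
    return {
        "genuine_server": client_accepts_server(trust_store, genuine, host),
        "rogue_server": client_accepts_server(trust_store, rogue, host),
        "official_update": recovery_accepts_update(vendor_pub, official, sign(vendor_priv, official)),
        "rooted_update": recovery_accepts_update(vendor_pub, rooted, sign(rogue_priv, rooted)),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print("{:16s} -> {}".format(name, "accepted" if ok else "rejected"))
```

The point of the `rogue_server` case is Asphyx's question about which side enforces the certificate: it is the client. The device never asks the server whether the certificate is valid; it checks the signature itself against a key it already holds, so a server the attacker controls can claim any name it likes and still fail. The `rooted_update` case is tchebb's second point: getting bytes onto the device is not the same as getting them applied.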

Does anyone know of a WP 8/8.1 dyndns updater?

Here is my scenario:
I have several locations that expose resources to over the public network for the purpose of monitoring (cameras, networks, etc.).
I secure access using multiple layers. In addition to the standard user name and login, I also do a reverse DNS check on my firewall to make sure the traffic is coming from either another one of my locations or my mobile phone. To accomplish this on my phone, I would need a dynamic DNS update client for my phone.
I know I can accomplish this by visiting the website and forcing an update, but I would rather have it automated.
Thanks in advance for your help,
Mike
The protocol isn't very complicated, so you could whip up such an app pretty easily if there isn't already one in the store. On the other hand, it's not the kind of thing most people would find useful. Even leaving aside the fact that Dyn just killed their free accounts, it's usually aimed at servers (game servers, remote desktop/ssh servers, VPN servers, home web servers, etc.) and one doesn't generally run a server on their phone.
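Since the protocol really is that small, here is an added example of a dyndns2 updater written as a plain Python script rather than a WP8 app; it is not from the thread or from any provider. The update URL, hostname, credentials and User-Agent string are assumed, and `fake_opener` is a constructed stand-in for `urlopen` so the code runs without network access.

```python
"""dyndns2 update client: one authenticated GET, one-word reply.
Endpoint, host, credentials and User-Agent are assumed; fake_opener is a
constructed stand-in so the code runs with no network."""
import base64
import io
import urllib.parse
import urllib.request

UPDATE_URL = "https://members.dyndns.org/nic/update"   # dyndns2 endpoint (assumed; providers vary)

# First word of the reply body, per the dyndns2 protocol.
_OK = {"good", "nochg"}                      # update applied / already current
_RETRY = {"911", "dnserr"}                   # provider-side problem: back off, retry later
_STOP = {"badauth", "nohost", "notfqdn", "numhost", "abuse", "badagent", "!donator"}


def build_request(hostname, username, password, myip=None,
                  user_agent="ExampleUpdater/0.1 admin@example.com"):
    """Credentials travel as HTTP Basic auth, so the URL must be https."""
    params = {"hostname": hostname}
    if myip:                   # omit to let the provider use the request's source address
        params["myip"] = myip
    url = UPDATE_URL + "?" + urllib.parse.urlencode(params)
    token = base64.b64encode("{}:{}".format(username, password).encode()).decode()
    return urllib.request.Request(url, headers={"Authorization": "Basic " + token,
                                                "User-Agent": user_agent})


def parse_response(body):
    """Returns (code, ip, action) with action in {'ok', 'retry', 'stop'}.
    Retrying after a 'stop' code (badauth, abuse) gets the account blocked."""
    parts = body.strip().split()
    if not parts:
        return ("", None, "retry")
    code = parts[0]
    if code in _OK:
        return (code, parts[1] if len(parts) > 1 else None, "ok")
    if code in _RETRY:
        return (code, None, "retry")
    return (code, None, "stop")       # _STOP and anything unrecognised


def update(hostname, username, password, myip=None, opener=urllib.request.urlopen):
    """Perform one update; `opener` is injectable so it can be exercised offline."""
    req = build_request(hostname, username, password, myip)
    with opener(req, timeout=15) as resp:
        body = resp.read().decode("ascii", "replace")
    return parse_response(body)


def fake_opener(body):
    """Constructed stand-in for urlopen returning a canned provider reply."""
    def _open(req, timeout=None):
        return io.BytesIO(body)
    return _open


if __name__ == "__main__":
    # Offline demonstration against canned replies (constructed).
    for reply in (b"good 203.0.113.7", b"nochg 203.0.113.7", b"badauth", b"911"):
        print(reply.decode(), "->", update("phone.example.com", "mike", "s3cret",
                                           opener=fake_opener(reply)))
```

Two design notes. Leaving `myip` out is the right choice on a phone: the provider records whatever address the request arrived from, which is the address the firewall will see. And because the password is only Base64-encoded in the header, the endpoint has to be https; a background updater that falls back to http leaks the account credentials on every refresh. If the firewall rule is keyed on the hostname, have it resolve the forward record rather than trust a PTR answer alone, since the reverse zone belongs to whoever holds the address block.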
