Feature Request: Change Device Encryption Password - Paranoid Android Features Development

I enjoy PA's decoupling of the encryption and lock screen passwords. Once encryption has been set up, the lock screen pin/password can be changed independently of the encryption password. I am requesting to augment this feature by allowing the user to change the encryption password as well, possibly via a new option in the Encryption section of Settings -> Security.
The current encryption password can be verified by running the following as root:
Code:
vdc cryptfs verifypw <password>
The encryption password can be changed by running the following as root:
Code:
vdc cryptfs changepw <new_password>

I have been meaning to add an option but haven't found the time

Related

[MOD] LEAP/PEAP wifi

This mod takes a couple of minutes to complete and allows for PEAP wifi connections. Requires root access and ADB knowledge.
I AM NOT RESPONSIBLE FOR ANY ISSUES YOU CREATE WITH THIS. IT IS A ROUGH GUIDE AND WORKS FOR ME. DO AT OWN RISK.
Tutorial For Adding LEAP/PEAP Wifi
1. Open Command prompt window in Windows.
2. Go to your directory that you have Android SDK in.
3. Change directory to Tools. So for eg. C:\Android\Tools
4. Type in adb devices. You should see your device. If not install ADB driver. Google it.
5. Type in adb pull /data/misc/wifi/wpa_supplicant.conf c:\wpa_supplicant.conf
6. This stores wpa_supplicant.conf on your C: drive.
7. Open file with wordpad.
8. Add the following to the files:
for PEAP add this code:
network={
ssid="Your SSID"
key_mgmt=WPA-EAP
identity="Your Username"
password="Your Password"
}
for LEAP use this:
network={
ssid="Your SSID"
scan_ssid=1
key_mgmt=IEEE8021X
auth_alg=OPEN SHARED LEAP
eap=LEAP
identity="Your Identity"
password="Your Password"
}
9. Save the file.
10. Type adb push c:\wpa_supplicant.conf /data/misc/wifi/wpa_supplicant.conf
11. Now the important part. If you miss this your wifi will not work after reboot.
12. Type adb shell
13. Should get # prompt.
14. Type su.
15. Type cd /data/misc/wifi
16. Type chown 1010 wpa*
17. Type chgrp 1010 wpa*
18. Close command prompt window and enjoy LEAP/PEAP wifi.
What is the difference between the two?
A question that might help the unacknowledged
EAP and LANs
EAP originated with the dial-up PPP protocol in order to support protocols beyond PAP and CHAP. For use on packet networks, EAP Over LAN (EAPOL) was created. EAPOL added new message types and allowed an Ethernet header to be prefixed onto EAP messages so they could be transmitted via Ethernet. Following are various EAP methods used mostly in wireless networks, but also in wired networks. See 802.1X, WPA and 802.11i.
EAP-TLS (EAP-Transport Layer Security)
Uses the handshake protocol in TLS, not its encryption method. Client and server authenticate each other using digital certificates. Client generates a pre-master secret key by encrypting a random number with the server's public key and sends it to the server. Both client and server use the pre-master to generate the same secret key.
EAP-TTLS (EAP-Tunneled TLS)
Like EAP-TLS above except only the server has a certificate to authenticate itself to the client first. As in EAP-TLS, a secure connection (the "tunnel") is established with secret keys, but that connection is used to continue the authentication process by authenticating the client and possibly the server again using any EAP method or legacy method such as PAP and CHAP.
PEAP (Protected EAP)
Similar to EAP-TTLS above except it does not support legacy methods. It only moves EAP frames. Windows XP natively supports PEAP.
LEAP (Light EAP, Cisco LEAP)
From Cisco, first implementation of EAP and 802.1X for wireless networks. Uses preshared keys and MS-CHAP protocol to authenticate client and server to each other. Server generates and sends session key to access point. Client computes session key independently based on data received in the CHAP challenge.
EAP-FAST
(EAP-Flexible Authentication via Secure Tunneling)
Enhancement to LEAP from Cisco that provides an encrypted tunnel to distribute preshared keys known as "Protected Access Credential" (PAC) keys. PAC keys may be continuously refreshed to prevent dictionary attacks. EAP-FAST is defined in Cisco's Cisco Compatible Extensions (see CCX).
EAP-SIM (GSM Cellphones)
For GSM phones that switch between cellular and Wi-Fi networks, depending on which is in range. The Subscriber Identity Module (SIM) smart card in the GSM phone (see GSM) contains the secret key used for challenge/response authentication and deriving session keys for encryption.
Source: www.pcmag.com/encyclopedia_term
thanks
Thanks for the help clarifying that for people... it's finally great to be able to use the WiFi at school... would be nice to implement it automatically, I can't write the code... but if anyone would like to, it would really add to the community...
Maybe I'm misunderstanding this, but I know when I try to use LEAP at school, it already has options and whatnot for it on my phone; none of this is necessary for me.
I know with my school, which is (PEAP), you couldn't input a username, just a password! So if you are having trouble connecting to a LEAP or PEAP connection, this is a way to work around it and get it working. If you can already connect, don't worry about it! This is for those who can't connect and get crappy data in class! haha
Does this work with MS-CHAP ? How do I define it?
Thanks!
MS-CHAP already works out of the box. At least I can connect at work with PEAP, MS-CHAPv2. Could be a CM 5 thing though.
Thanks for posting this! While it did not directly solve my problem, it made me redouble my efforts to get on my company's WLAN with my N1. I have tried this many times over the years with various phones including UIQ3, WM6 and never got anywhere. I always assumed that there was some sort of certificate or Windows domain stuff going on.
So this morning I did a Wireshark trace and put my laptop's drivers into debug logging to find out how my laptop connects.
A bit of googling for the stuff I found enabled me to get a working supplicant.conf on the third attempt and I am amazed!
Appear to be using WPA2 Enterprise with EAPOL LEAP with CCMP encryption on Cisco access points.
Here is the network part of my wpa_supplicant.conf in case it helps anyone:
network={
ssid="SSID"
scan_ssid=1
key_mgmt=WPA-EAP IEEE8021X
auth_alg=SHARED LEAP
group=CCMP
eap=LEAP
identity="DOMAIN\User"
password="Password"
}
maedox said:
MS-CHAP already works out of the box. At least I can connect at work with PEAP, MS-CHAPv2. Could be a CM 5 thing though.
Doesn't work for me on stock rom.
What works for PEAP with MSCHAPv2 in my school is:
network={
ssid="<ssid>"
scan_ssid=1
key_mgmt=IEEE8021X
eap=PEAP
identity="<userid>"
password="<password>"
phase2="auth=MSCHAPV2"
priority=2
}
(Previously posted on my blog at http://zitseng.com/archives/2729)
It works, Thanks!
There's a way of doing that without root access:
code.google.com/p/android/issues/detail?id=1871
Step 16 17
When I type
16. Type chown 1010 wpa*
17. Type chgrp 1010 wpa*
I get the error:
"no such user '1010'"
"chgrp: not found"
What does it mean?
Is there anything I may have done wrong?
Thanks
Doesn't work for me for some reason. Do you think having CM6 RC3 would make a difference? Not that I could see it doing so.
I've tried a few of the above suggestions but none work for me
The worst thing is it worked fine before I updated my Nexus One to FroYo!
My current settings for the uni are:
network={
ssid="UoN-secure"
key_mgmt=WPA-EAP IEEE8021X
eap=PEAP
identity="username"
password="password"
phase2="auth=MSCHAPV2"
}
Any help would be appreciated
The problem I am having is that it will not keep the Phase 2 auth - MSCHAPV2 setting when I set it up. Every time I go back into the ssid settings (modify network) it has reverted back to "none". However the information above was pulled from the phone so it obviously is storing the MSCHAPV2 setting, just doesn't seem to be using it!
Actually, CM6 RC3 should have support for LEAP/PEAP; I have been using it for a while without this hack... What type of connection are you trying to connect to?
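Added example, not part of any post in this thread and not wpa_supplicant's own code: a small Python audit of network={} blocks like the ones posted above. It flags LEAP, PEAP/TTLS blocks with no ca_cert (a real wpa_supplicant option; without it the server certificate is not checked), and key_mgmt values without WPA-EAP. The sample blocks are trimmed copies of configs from the thread, and the function names are hypothetical.

```python
import re

# Sample blocks: trimmed copies of configs posted in this thread.
SAMPLE_CONF = '''
network={
ssid="Your SSID"
key_mgmt=IEEE8021X
eap=LEAP
identity="Your Identity"
password="Your Password"
}
network={
ssid="UoN-secure"
key_mgmt=WPA-EAP IEEE8021X
eap=PEAP
identity="username"
password="password"
phase2="auth=MSCHAPV2"
}
'''

def parse_networks(text):
    """Return one dict of key -> value per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = (ln.strip().split("=", 1) for ln in body.splitlines()
                 if "=" in ln and not ln.strip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(net):
    """Return a list of weaknesses found in one parsed network block."""
    eap = net.get("eap", "").upper().split()
    key_mgmt = net.get("key_mgmt", "").upper().split()
    issues = []
    if "LEAP" in eap:
        issues.append("LEAP: no TLS tunnel, exposed to offline dictionary attack")
    if {"PEAP", "TTLS"} & set(eap):
        if "ca_cert" not in net:
            issues.append("no ca_cert: server certificate is not validated")
        if "phase2" not in net:
            issues.append("no phase2: inner method left unspecified")
    if key_mgmt and "WPA-EAP" not in key_mgmt:
        issues.append("key_mgmt lacks WPA-EAP: 802.1X with dynamic WEP keys only")
    return issues

def audit_conf(text):
    return {n.get("ssid", "?"): audit(n) for n in parse_networks(text)}

print(audit_conf(SAMPLE_CONF))
```

A block that sets eap=PEAP with key_mgmt=WPA-EAP, a phase2 line and a ca_cert path comes back with an empty list.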

[Q] IMAP account configuration: missing option STARTTLS with encrypted password

Hello
I installed 4.1.1 on a MB525 (Defy) according to the honorable post in <http://forum.xda-developers.com/showthread.php?t=1768702> and it works like a charm!
One thing I am missing: the configuration options for the IMAP account are not as fine-grained as in the stock Motorola. In particular, I can't configure it for an IMAP server supporting the following:
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.
Means: IMAP with STARTTLS and encrypted (MD5) password
What is supported by the 4.1.1: None, SSL/TLS, SSL/TLS (all certs accepted), STARTTLS, STARTTLS (all certs accepted).
What I would need is STARTTLS with password encryption md5 (automatically detected or fixed configurable).
How could I solve this issue?
Regards
TinL
Q does not seem to be Question
Hello
It does not seem to be an issue for Android 4.1 in general.
Regards
TinL

I need the encrypt function password pin for Android ? project for school

I have chosen an information security project: finding a password from a phone with Android.
In password.key from data/system/ I found a crypto text with 97 characters. How is that crypto text generated? Which function is it?
I need that function to do brute force on that 4-digit password/PIN.

SELinux Policy to allow System Applications to use iptables

I am trying to build a custom ROM for Android that has a built-in firewall. In doing this, I want to allow my Settings app to block different apps from using mobile data and/or wifi.
My approach so far has been to add new selinux policy rules to allow system level apps to interact with iptables. I have tried multiple different policies, but here is what I currently have.
file_contexts
Code:
/system/bin/iptables u:object_r:iptables_exec:s0
system_app.te
Code:
type iptables_exec;
allow system_app iptables_exec:file { rx_file_perms };
I didn't define a new "domain" for iptables and I wasn't sure if I needed to declare the system_app domain again, or if this would just be appended to that.
Thanks in advance for any help. If anyone has any pointers on where to look to get a better understanding of SELinux inside of Android, please let me know.

Changing boot-time FDE password on Android 8?

I initially posted this in the OnePlus Six forum, as this is regarding the stock firmware on my shiny new OnePlus phone. I've received no answer there, and I figured this is probably more of a general Android 8 question, so I'm trying here.....
Much as with previous Android phones, I want to separate the FDE passphrase from my PIN - I want the phone to require a complex password to boot, but a simple PIN for regular use.
I've set a simple PIN right now, but I'm having trouble setting a password for the boot-time check.
The Cryptfs Password app seems to have a syntax issue - it chokes on 'incorrect password' even when I correctly enter the current PIN.
Running from a root-level terminal, I can interact with the encryption system via
Code:
vdc cryptfs [command] [arg] [arg] [arg]
and it gives a response code consisting of several numbers.
If I run
Code:
vdc cryptfs verifypw 1234
a response code starting with 200 should indicate that the password is correct. Unfortunately, it returns a 200 code regardless of what password I enter.
The syntax for password changes appears to be
Code:
vdc cryptfs changepw default|password|pin|pattern [currentpassword] default|password|pin|pattern [newpasswd]
but I cannot find any permutation of this command that lets me actually set a password for the FDE.
Any Oreo gurus able to offer any insight?
