Administration Guide

Local Navigation

Configuring EAP-TLS authentication

If your organization implements EAP-TLS authentication, Wi-Fi® enabled BlackBerry® devices must authenticate to an authentication server so that they can connect to the enterprise Wi-Fi network.

EAP-TLS authentication requires that BlackBerry devices trust the authentication server certificate and use a client-side certificate as the supplicant credentials. To trust the authentication server certificate, BlackBerry devices must trust the certificate authority that issued the certificate. A certificate authority that the BlackBerry devices and the authentication server trust mutually must generate the certificate for the authentication server and the certificate for each BlackBerry device.

BlackBerry devices that use EAP-TLS authentication require a client certificate and the root certificate for the certificate authority server that created the certificate for the authentication server. You can obtain and install both certificates using the same distribution method.

To distribute the certificates to BlackBerry devices, you can use the certificate synchronization tool in the BlackBerry® Desktop Manager, or you can enroll the certificate over the wireless network. You must configure a Wi-Fi profile to provide the user name and password for authentication.

For more information about how the BlackBerry® Enterprise Solution supports EAP-TLS authentication, see the BlackBerry Enterprise Server Security Technical Overview.

Configure EAP-TLS authentication data for BlackBerry devices using a Wi-Fi profile

If BlackBerry® users in your organization's environment use BlackBerry® 7270 smartphones, you must configure user names and passwords using IT policy rules instead of configuration settings.

  1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy > Wi-Fi configuration.
  2. Click Manage Wi-Fi profiles.
  3. Click the name of the Wi-Fi® profile that you want to change.
  4. Click Edit profile.
  5. On the Wi-Fi profile settings tab, perform the following actions:
    • In the Wi-Fi User Name field, type the user name for EAP-TLS authentication.
    • In the Wi-Fi User Password field, type the password for EAP-TLS authentication.
  6. If required, configure the following configuration settings:
    • Wi-Fi Link Security
    • Wi-Fi Hard Token Required
    • Wi-Fi Server Subject
    • Wi-Fi Server SAN
    • Wi-Fi Disable Server Certificate Validation
  7. Click Save All.
After you finish:
  • For more information about configuration settings, see the BlackBerry Enterprise Server Policy Reference Guide.
  • Resend the IT policy that you assign to the user accounts to Wi-Fi enabled BlackBerry devices.
  • Distribute the certificates.

Configure EAP-TLS configuration settings in the Wi-Fi profile on a BlackBerry device

If you do not configure the EAP-TLS configuration settings using the BlackBerry® Administration Service, instruct the users to configure the settings in the Wi-Fi® profile on the Wi-Fi enabled BlackBerry device.
  1. On the BlackBerry device, in the device options, click Wi-Fi Connections.
  2. Click the Wi-Fi profile that you want to change.
  3. Click Edit.
  4. If a warning about a VPN profile appears, click OK. EAP-TLS does not require a VPN profile.
  5. In the Security Type list, select EAP-TLS.
  6. Type the user name and password for the messaging server.
  7. In the CA certificate list, click the root certificate for the certificate authority that created the authentication server certificate.
  8. In the Client certificate list, click the user certificate.
  9. If necessary, in the Server subject field, type the server name in the server certificate, in URL format (for example, or If you leave the field blank, the BlackBerry device skips over it during server authentication.
  10. If necessary, in the Server SAN field, type the alternative name for the server, in URL format (for example, or If you leave the field blank, the BlackBerry device skips over it during server authentication.
  11. If your organization uses dynamic IP addresses, verify that the Automatically obtain IP address and DNS option is selected.
  12. Verify that the Allow inter-access point handover option is selected.
  13. If necessary, select the Prompt before connection check box. If you do not select the check box, the BlackBerry device connects to an available wireless access point automatically.
  14. If necessary, select the Notify on authentication failure check box.

Was this information helpful? Send us your comments.