Security Technical Overview

EAP authentication methods that a Wi-Fi enabled device supports

LEAP authentication

LEAP authentication uses the IEEE® 802.1X™ standard and is designed to improve WEP authentication. You can use this authentication method to authenticate a Wi-Fi® enabled BlackBerry® device with an enterprise Wi-Fi network, generate WEP encryption keys that are unique to the BlackBerry device, and configure the enterprise Wi-Fi network to update the WEP encryption keys automatically during a session with the BlackBerry device.

The BlackBerry device supports using LEAP authentication with a user name and password. The BlackBerry device uses a one-way function to encrypt the password before it sends the password to the authentication server on the enterprise Wi-Fi network.

LEAP authentication does not provide mutual authentication between the BlackBerry device and enterprise Wi-Fi network. You can configure password policies on an enterprise Wi-Fi network that require the BlackBerry device to use LEAP authentication to connect to the enterprise Wi-Fi network.

PEAP authentication

PEAP authentication permits a Wi-Fi® enabled BlackBerry® device to authenticate with an authentication server and access an enterprise Wi-Fi network. PEAP authentication uses TLS to create an encrypted tunnel between the BlackBerry device and the authentication server. It uses the TLS tunnel to send the authentication credentials of the BlackBerry device to the authentication server.

The BlackBerry device supports PEAPv0 and PEAPv1 for PEAP authentication. The BlackBerry device also supports EAP-MS-CHAPv2 and EAP-GTC as second-phase protocols during PEAP authentication so that the BlackBerry device can exchange credentials with the enterprise Wi-Fi network.

To configure PEAP authentication, you must install a root certificate on the BlackBerry device that corresponds to the authentication server certificate.

For more information, see the BlackBerry Enterprise Server Administration Guide.

EAP-TLS authentication

EAP-TLS authentication uses a PKI to permit a Wi-Fi® enabled BlackBerry® device to authenticate with an authentication server and access an enterprise Wi-Fi network. EAP-TLS authentication uses TLS to create an encrypted tunnel between the BlackBerry device and the authentication server. EAP-TLS authentication uses the TLS encrypted tunnel and a client certificate to send the credentials of the BlackBerry device to the authentication server.

The BlackBerry device supports EAP-TLS authentication when your organization uses certificates that meet specific requirements on the authentication server and the client for authentication. To configure EAP-TLS authentication, you must install two certificates on the BlackBerry device: a client certificate, and a root certificate that corresponds to the certificate of the authentication server. For more information, see the BlackBerry Enterprise Server Administration Guide.

For more information about EAP-TLS authentication, see RFC 2716.

EAP-TTLS authentication

EAP-TTLS authentication can extend EAP-TLS authentication to permit a Wi-Fi® enabled BlackBerry® device to authenticate with the authentication server and access an enterprise Wi-Fi network. When the authentication server uses its certificate to authenticate with the BlackBerry device and open a protected connection to the BlackBerry device, the authentication server uses an authentication protocol over the protected connection to authenticate the BlackBerry device.

The BlackBerry device supports EAP-MS-CHAPv2 and MS-CHAPv2 as second-phase protocols during EAP-TTLS authentication so that the BlackBerry device can exchange credentials with the enterprise Wi-Fi network.

To configure EAP-TTLS authentication, you must install the root certificate on the BlackBerry device that corresponds to the certificate of the authentication server. For more information, see the BlackBerry Enterprise Server Administration Guide.

EAP-FAST authentication

EAP-FAST authentication uses a PAC (Protected Access Credential) to open a TLS connection to a Wi-Fi® enabled BlackBerry® device and verify the supplicant credentials of the BlackBerry device over the TLS connection.

The BlackBerry device supports EAP-MS-CHAPv2 and EAP-GTC as second-phase protocols during EAP-FAST authentication so that the BlackBerry device can exchange authentication credentials with the enterprise Wi-Fi network. The BlackBerry device supports using automatic PAC provisioning with EAP-FAST authentication only.

For more information about EAP-FAST authentication, see RFC 4851.

EAP-SIM authentication

EAP-SIM authentication uses a GSM® SIM card to authenticate a Wi-Fi® enabled BlackBerry® device with an enterprise Wi-Fi network and distribute session keys. EAP-SIM authentication uses a challenge-response method without mutual authentication.

The BlackBerry device supports using EAP-SIM authentication with the credentials on the GSM SIM card only. The user is not required to type or select credentials on the BlackBerry device.

The user identity that EAP-SIM uses for authentication on the BlackBerry device is built from the IMSI according to the 3GPP® technical specification 3GPP TS 23.003.

The BlackBerry device can receive at least two challenges from the authentication server to provide stronger authentication.

For more information about EAP-SIM authentication, see RFC 4186.
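The following Python sketch is an added example, not BlackBerry code. It shows how the IMSI-based identity and the "at least two challenges" rule fit together in RFC 4186: the permanent identity is "1" followed by the IMSI with the realm from 3GPP TS 23.003, the peer rejects too few or repeated RAND challenges, and each accepted challenge contributes a 64-bit Kc to the master key. The function names and all sample values are assumptions constructed for illustration, and the caller is assumed to know whether the operator's MNC has 2 or 3 digits.

```python
import hashlib
import re

# Client-Error codes defined for EAP-SIM in RFC 4186.
UNABLE_TO_PROCESS = 0
INSUFFICIENT_CHALLENGES = 2
RANDS_NOT_FRESH = 3


def permanent_identity(imsi: str, mnc_digits: int = 2) -> str:
    """Permanent EAP-SIM identity: "1" + IMSI as the username (RFC 4186),
    with the WLAN realm that 3GPP TS 23.003 derives from the MCC and MNC."""
    if not re.fullmatch(r"\d{6,15}", imsi) or mnc_digits not in (2, 3):
        raise ValueError("IMSI must be 6-15 digits; MNC is 2 or 3 digits")
    mcc, mnc = imsi[:3], imsi[3:3 + mnc_digits].zfill(3)
    return f"1{imsi}@wlan.mnc{mnc}.mcc{mcc}.3gppnetwork.org"


def check_rands(rands, min_required=2):
    """Peer-side policy check on the RAND challenges in one AT_RAND.
    Returns None when acceptable, otherwise the Client-Error code to send."""
    if len(rands) > 3 or any(len(r) != 16 for r in rands):
        return UNABLE_TO_PROCESS
    if len(rands) < min_required:
        return INSUFFICIENT_CHALLENGES
    if len(set(rands)) != len(rands):  # a repeated RAND adds no new Kc
        return RANDS_NOT_FRESH
    return None


def master_key(identity, kcs, nonce_mt, versions=b"\x00\x01", selected=b"\x00\x01"):
    """MK = SHA1(Identity | n*Kc | NONCE_MT | Version List | Selected Version).
    Each accepted challenge contributes one 64-bit Kc from the SIM."""
    if any(len(kc) != 8 for kc in kcs) or len(nonce_mt) != 16:
        raise ValueError("Kc is 8 bytes, NONCE_MT is 16 bytes")
    return hashlib.sha1(
        identity.encode("ascii") + b"".join(kcs) + nonce_mt + versions + selected
    ).digest()


# Constructed sample values (not from a real SIM or network).
IMSI = "234150999999999"
RANDS = [bytes([i]) * 16 for i in (1, 2)]
KCS = [bytes([0xA0 + i]) * 8 for i in (1, 2)]  # what the SIM would return per RAND

if __name__ == "__main__":
    ident = permanent_identity(IMSI)
    print(ident)
    print("challenge check:", check_rands(RANDS))
    print("MK:", master_key(ident, KCS, b"\x11" * 16).hex())
```

Because the permanent identity carries the full IMSI, anything that logs or relays the outer EAP identity also records the subscriber identifier.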
