Security Technical Overview

IEEE 802.1X standard

The IEEE® 802.1X™ standard defines a generic authentication framework that a Wi-Fi® enabled BlackBerry® device and an enterprise Wi-Fi network can use to authenticate with each other.

The IEEE 802.1X standard uses EAP authentication methods to provide mutual authentication between the BlackBerry device and enterprise Wi-Fi network. To act as a Wi-Fi supplicant, the BlackBerry device uses EAP authentication methods that are specified in RFC 3748 and that meet the requirements of RFC 4017. The BlackBerry device uses an EAP authentication method (for example, EAP-TLS, EAP-TTLS, EAP-FAST, or PEAP) and credentials to provide mutual authentication with the enterprise Wi-Fi network, as defined in the WPA™-Enterprise and WPA2™-Enterprise specifications.

Caching a PMK when using the IEEE 802.1X standard

When a Wi-Fi® enabled device (such as a computer or BlackBerry® device) uses the IEEE® 802.11i™ standard with the IEEE® 802.1X™ standard, the key exchange that occurs during EAP authentication generates keying material. A Wi-Fi enabled device and a wireless access point use the keying material when they create the PMK.

A Wi-Fi enabled BlackBerry device and an access point can cache the PMK. The PMK caching process reuses previously generated keying material to skip EAP authentication during subsequent connections and permits the BlackBerry device and an access point to generate session keys. PMK caching helps reduce the roaming latency for the BlackBerry device between access points in an enterprise Wi-Fi network.

Process flow: Authenticating a Wi-Fi enabled device with an enterprise Wi-Fi network using the IEEE 802.1X standard

If you configured a wireless access point to use the IEEE® 802.1X™ standard, the access point permits communication using EAP authentication only. This process flow assumes that you configured a Wi-Fi® enabled BlackBerry® device to use an EAP authentication method to communicate with the access point.

  1. The Wi-Fi enabled device associates itself with the access point that you configured to use the IEEE 802.1X standard. The device sends its credentials (typically a user name and password) to the access point.
  2. The access point sends the credentials to the authentication server.
  3. The authentication server performs the following actions:
    1. authenticates the device on behalf of the access point
    2. instructs the access point to permit access to the enterprise Wi-Fi network
    3. sends Wi-Fi credentials to the device to permit it to authenticate with the access point
  4. The access point and device use EAPoL-Key messages to generate encryption keys (for example, WEP, TKIP, or AES-CCMP, depending on the EAP authentication method that the device uses).

    When the device sends EAPoL messages, the device uses the encryption and integrity requirements that the EAP authentication method specifies. When the device sends EAPoL-Key messages, the device uses the ARC4 algorithm or AES algorithm to provide integrity and encryption.

After the access point and device generate the encryption key, the device can access the enterprise Wi-Fi network.
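The two mechanisms described above, PMK caching and the EAPoL-Key exchange that turns a PMK into session keys, can be followed in code. The block below is an added example written for this page; it is not BlackBerry code and not taken from any product. It models the access point side of the process flow: a first association runs EAP (simulated by a callback that hands back a constructed MSK), the PMK is derived and cached under its PMKID, and on the device's return the cached entry is found and EAP is skipped before the 4-way handshake. The PMK = first 256 bits of the MSK rule, the PMKID formula and the PRF-based PTK derivation are taken from IEEE 802.11i / RFC 5247, which the page itself does not spell out; all MAC addresses, nonces and the MSK are constructed sample values.

```python
"""Added example (not from the BlackBerry page): PMK caching and the
EAPoL-Key (4-way handshake) key derivation defined in IEEE 802.11i.
All MAC addresses, nonces and the MSK below are constructed sample values."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Iterable, Optional, Tuple


def pmk_from_msk(msk: bytes) -> bytes:
    """IEEE 802.11i / RFC 5247: the PMK is the first 256 bits of the EAP MSK
    that the authentication server and the supplicant share after EAP succeeds."""
    if len(msk) < 32:
        raise ValueError("EAP MSK must be at least 256 bits")
    return msk[:32]


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): the cache key the
    station lists in its (re)association request so the AP can skip EAP."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def prf(key: bytes, label: bytes, data: bytes, n_bits: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(K, A || 0x00 || B || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) * 8 < n_bits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: n_bits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (384 bits = KCK || KEK || TK). Both sides compute it from the PMK
    and the two nonces carried in EAPoL-Key messages 1 and 2; the min/max ordering
    makes the result independent of which side is doing the computation."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 384)


def split_ptk(ptk: bytes) -> Tuple[bytes, bytes, bytes]:
    """KCK (EAPoL-Key MIC key), KEK (wraps the group key), TK (CCMP data key)."""
    return ptk[:16], ptk[16:32], ptk[32:48]


class PmkCache:
    """PMKSA cache held by an access point (or a station), keyed by PMKID."""

    def __init__(self) -> None:
        self._entries: Dict[bytes, bytes] = {}

    def store(self, pmk: bytes, aa: bytes, spa: bytes) -> bytes:
        pid = pmkid(pmk, aa, spa)
        self._entries[pid] = pmk
        return pid

    def lookup(self, pid: bytes) -> Optional[bytes]:
        return self._entries.get(pid)


def associate(cache: PmkCache, aa: bytes, spa: bytes,
              offered_pmkids: Iterable[bytes], run_eap: Callable[[], bytes]) -> Tuple[str, bytes]:
    """AP-side decision: reuse a cached PMK when the station offers a known PMKID,
    otherwise run full EAP (run_eap returns the MSK) and cache the new PMK."""
    for pid in offered_pmkids:
        pmk = cache.lookup(pid)
        if pmk is not None:
            return "cached", pmk
    pmk = pmk_from_msk(run_eap())
    cache.store(pmk, aa, spa)
    return "full_eap", pmk


def roam_demo() -> Tuple[str, str, bool]:
    """Walk through first association, roaming back with a PMKID, and the 4-way handshake."""
    aa = bytes.fromhex("001122334455")   # constructed AP MAC (authenticator address)
    spa = bytes.fromhex("66778899aabb")  # constructed station MAC (supplicant address)
    msk = hashlib.sha256(b"constructed EAP MSK").digest() * 2  # constructed 64-byte MSK
    ap_cache = PmkCache()

    def eap_must_not_run() -> bytes:
        raise AssertionError("EAP should have been skipped via the PMK cache")

    first, pmk_first = associate(ap_cache, aa, spa, [], lambda: msk)
    # The device roams away and returns, offering the PMKID of the PMK it kept.
    second, pmk_second = associate(ap_cache, aa, spa, [pmkid(pmk_first, aa, spa)], eap_must_not_run)
    anonce, snonce = os.urandom(32), os.urandom(32)
    ap_ptk = derive_ptk(pmk_second, aa, spa, anonce, snonce)
    sta_ptk = derive_ptk(pmk_first, spa, aa, snonce, anonce)  # station's view, same key
    return first, second, ap_ptk == sta_ptk


if __name__ == "__main__":
    print(roam_demo())  # ('full_eap', 'cached', True)
```

The cache is what removes the EAP round trip on roaming: the device still has to prove possession of the PMK through the 4-way handshake, because the PMKID only identifies the entry, and a wrong or stale PMK simply produces a PTK the access point cannot verify.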
