Administration Guide

Configuring EAP-FAST authentication

EAP-FAST is an authentication method that was developed by Cisco® Systems. Similar to PEAP authentication, EAP-FAST authentication encrypts EAP transactions within a TLS tunnel. Whereas PEAP uses a server-side digital certificate to configure the TLS tunnel, EAP-FAST uses a .pac (Protected Access Credential) file.

The .pac file that the BlackBerry® devices and the authentication server share contains secret keys that are unique to the BlackBerry devices. The EAP-FAST master key on the authentication server generates the .pac file. EAP-FAST uses the .pac file to open the TLS tunnel and authenticates the user credentials through the TLS tunnel.
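The relationship described above between the server's master key and each device's .pac file, modeled as an added example (not code from BlackBerry, Cisco or any authentication server). It assumes a simplified design in which the per-device key is derived from the master key with HMAC-SHA-256 and the opaque part carries only an integrity tag; the names issue_pac and recover_pac_key and the blob layout are hypothetical, and a real server defines its own PAC format.

```python
import hashlib
import hmac
import os
import struct
import time

TAG_LEN = 32  # HMAC-SHA-256 output length in bytes


def _mac(master_key, label, body):
    return hmac.new(master_key, label + body, hashlib.sha256).digest()


def issue_pac(master_key, device_id, lifetime_s, now=None):
    """Server: create (pac_key, pac_opaque) for one device."""
    now = time.time() if now is None else now
    # Hypothetical layout: 16-byte nonce | 8-byte expiry | device id | tag
    body = os.urandom(16) + struct.pack(">Q", int(now) + lifetime_s) + device_id
    pac_key = _mac(master_key, b"pac-key", body)     # secret unique to the device
    pac_opaque = body + _mac(master_key, b"pac-tag", body)
    return pac_key, pac_opaque


def recover_pac_key(master_key, pac_opaque, now=None):
    """Server: check a presented blob; return (device_id, pac_key) or None."""
    now = time.time() if now is None else now
    if len(pac_opaque) < 24 + TAG_LEN:
        return None                                  # truncated blob
    body, tag = pac_opaque[:-TAG_LEN], pac_opaque[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(master_key, b"pac-tag", body)):
        return None                                  # modified, or wrong master key
    (expiry,) = struct.unpack(">Q", body[16:24])
    if now >= expiry:
        return None                                  # expired PAC must be re-provisioned
    return body[24:], _mac(master_key, b"pac-key", body)


if __name__ == "__main__":
    master = os.urandom(32)                          # constructed sample key
    key, opaque = issue_pac(master, b"device-A", 3600)
    print(recover_pac_key(master, opaque) == (b"device-A", key))
    print(recover_pac_key(os.urandom(32), opaque))   # different master key
```

In this model the server stores nothing per device, so replacing the master key invalidates every .pac file issued under it.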

Configure EAP-FAST authentication

  1. Using automatic PAC provisioning, distribute the .pac file to the wireless client over a network connection that is designed to be secure.
  2. Configure each wireless access point to connect to the access control server and a DHCP server.
  3. Verify that the DHCP server can provide the following information to the wireless client:
    • IP address or network
    • default gateway
    • IP address of the DNS server
  4. Configure the access control server.
After you finish:
  • For information about the automatic provisioning process, see the documentation for your organization’s authentication server.
  • For information about configuring wireless access points, see the documentation for the access points.
  • For information about configuring the access control server, see the documentation for the access control server.

Send EAP-FAST authentication data to a BlackBerry device using a Wi-Fi profile

  1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy > Wi-Fi configuration.
  2. Click Manage Wi-Fi profiles.
  3. Click the name of the Wi-Fi® profile that you want to configure.
  4. Click Edit profile.
  5. In the Wi-Fi profile settings tab, perform the following actions:
    • In the Wi-Fi User Name field, type the user name for PEAP authentication.
    • In the Wi-Fi User Password field, type the password for PEAP authentication.
  6. If required, configure the following configuration settings:
    • Wi-Fi Link Security
    • Wi-Fi Inner Authentication Mode
    • Wi-Fi Hard Token Required
    • Wi-Fi Server Subject
    • Wi-Fi Server SAN
    • Wi-Fi EAP-FAST Provisioning method
    • Wi-Fi Disable Server Certificate Validation
  7. Click Save All.
After you finish:
  • Resend the IT policy that you assign to the user accounts to BlackBerry devices.
  • Distribute the certificates.

Configure EAP-FAST configuration settings in the Wi-Fi profile on BlackBerry devices

If you do not configure the EAP-FAST configuration settings using the BlackBerry® Administration Service, instruct users to configure the settings in the Wi-Fi® profile on the Wi-Fi enabled BlackBerry device.
  1. On the BlackBerry device, in the device options, click Wi-Fi Connections.
  2. Click the Wi-Fi profile that you want to change.
  3. Click Edit.
  4. In the Security Type list, select EAP-FAST.
  5. Type the user name and password for the messaging server.
  6. In the Inner link security list, click the security type.
  7. If necessary, in the Token list, select the token type.
  8. If your organization uses dynamic IP addresses, verify that the Automatically obtain IP address and DNS option is selected.
  9. If necessary, select the Prompt before connection check box. If you do not select the check box, the BlackBerry device connects to an available wireless access point automatically.
  10. If necessary, select the Notify on authentication failure check box.
