Administration Guide

Local Navigation

Configuring EAP-TTLS authentication

If your organization implements EAP-TTLS authentication, Wi-Fi® enabled BlackBerry® devices must authenticate to an authentication server so that they can connect to the enterprise Wi-Fi network.

EAP-TTLS authentication requires that BlackBerry devices trust the authentication server certificate. To trust the authentication server certificate, BlackBerry devices must trust the certificate authority that issued the certificate. A certificate authority that the BlackBerry devices and the authentication server trust mutually must generate the authentication server certificate.

Each BlackBerry device stores a list of explicitly trusted certificate authority certificates. BlackBerry devices that use EAP-TTLS authentication require the root certificate for the certificate authority that created the authentication server certificate.

To distribute the root certificate to BlackBerry devices, you can use the certificate synchronization tool in BlackBerry® Desktop Manager or you can enroll the certificate over the wireless network.

For more information about how the BlackBerry® Enterprise Solution supports EAP-TTLS authentication, see the BlackBerry Enterprise Server Security Technical Overview.

Configure EAP-TTLS authentication data for BlackBerry devices using a Wi-Fi profile

  1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy > Wi-Fi configuration.
  2. Click Manage Wi-Fi profiles.
  3. Click the name of the Wi-Fi® profile that you want to change.
  4. Click Edit profile.
  5. On the Wi-Fi profile settings tab, perform the following actions:
    • In the Wi-Fi User Name field, type the user name for EAP-TTLS authentication.
    • In the Wi-Fi User Password field, type the password for EAP-TTLS authentication.
  6. If required, configure the following configuration settings:
    • Wi-Fi Link Security
    • Wi-Fi Hard Token Required
    • Wi-Fi Server Subject
    • Wi-Fi Server SAN
    • Wi-Fi Disable Server Certificate Validation
  7. Click Save All.
After you finish:
  • Resend the IT policy that you assign to the user accounts to Wi-Fi enabled BlackBerry devices.
  • Distribute the certificates.

Configure EAP-TTLS configuration settings in the Wi-Fi profile on a BlackBerry device

If you do not configure the EAP-TTLS configuration settings using the BlackBerry® Administration Service, instruct a user to configure the settings in the Wi-Fi® profile on the Wi-Fi enabled BlackBerry device.
  1. On the BlackBerry device, in the device options, click Wi-Fi Connections.
  2. Click the Wi-Fi profile that you want to change.
  3. Click Edit.
  4. In the Security Type list, select EAP-TTLS.
  5. Type the user name and password for the messaging server.
  6. In the CA certificate list, click the root certificate for the certificate authority that created the authentication server certificate.
  7. In the Inner link security type list, select EAP-MS-CHAPv2.
  8. If necessary, in the Server subject field, type the server name in the server certificate, in URL format (for example, server1.domain.com or server1.domain.net). If you leave the field blank, the BlackBerry device skips over it during server authentication.
  9. If necessary, in the Server SAN field, type the alternative name for the server, in URL format (for example, server1.domain.com or server1.domain.net). If you leave the field blank, the BlackBerry device skips over it during server authentication.
  10. If your organization use dynamic IP addresses, verify that the Automatically obtain IP address and DNS option is selected.
  11. Verify that the Allow inter-access point handover option is selected.
  12. If necesssary, select the Prompt before connection check box. If you do not select the check box, the BlackBerry device connects to an available wireless access point automatically.
  13. Verify that the Allow inter-access point handover option is selected.
  14. If necessary, select the Notify on authentication failure check box.

Was this information helpful? Send us your comments.