Administration Guide

Configuring PEAP authentication

If your organization implements PEAP authentication, Wi-Fi® enabled BlackBerry® devices must authenticate to an authentication server before they can connect to the enterprise Wi-Fi network.

PEAP authentication requires that BlackBerry devices trust the authentication server certificate. To trust the authentication server certificate, BlackBerry devices must trust the certificate authority that issued the certificate. The certificate for the authentication server must be generated by a certificate authority that both the BlackBerry devices and the authentication server trust.

Each BlackBerry device stores a list of explicitly trusted certificate authority certificates. BlackBerry devices that use PEAP authentication require the root certificate for the certificate authority that issued the authentication server certificate.

To distribute the root certificate to BlackBerry devices, you can use the certificate synchronization tool in the BlackBerry® Desktop Manager. You must configure a Wi-Fi profile to provide the user name and password for authentication.

For more information about how the BlackBerry® Enterprise Solution supports PEAP authentication, see the BlackBerry Enterprise Server Security Technical Overview.

Configure PEAP authentication data for BlackBerry devices using a Wi-Fi profile

  1. In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Policy > Wi-Fi configuration.
  2. Click Manage Wi-Fi profiles.
  3. Click the name of the Wi-Fi® profile that you want to configure.
  4. Click Edit profile.
  5. On the Wi-Fi profile settings tab, perform the following actions:
    • In the Wi-Fi User Name field, type the user name for PEAP authentication.
    • In the Wi-Fi User Password field, type the password for PEAP authentication.
  6. If necessary, on the Wi-Fi profile settings tab, configure the following settings:
    • Wi-Fi Link Security
    • Wi-Fi Hard Token Required
    • Wi-Fi Server Subject
    • Wi-Fi Server SAN
    • Wi-Fi Disable Server Certificate Validation
  7. Click Save All.
After you finish:
  • Resend the IT policy that you assign to the user accounts to BlackBerry devices.
  • Distribute the certificates.

Prerequisites: Distributing a certificate using the BlackBerry Desktop Manager

  • Using a public or private certificate authority, obtain or generate a digital certificate for the authentication server. The root.der certificate file is stored in the location where the certificate was created. For example, the authentication server stores a self-signed certificate locally.
  • Configure each wireless access point as a client of the authentication server. You must use the same authentication version on clients and servers. For more information, see the documentation for the access points.
  • Use the certificate management features of Microsoft® Active Directory® to download the root certificate from the certificate authority server to the computer.

Distribute a certificate using the BlackBerry Desktop Manager

If a BlackBerry® device requires the root certificate for the certificate authority, a client certificate, or both, you can distribute the certificates using BlackBerry® Desktop Manager. The BlackBerry device can add the certificates to the list of explicitly trusted certificate authority certificates or the list of client certificates.
  1. On the user’s computer, right-click the certificate. Click Install certificate.
  2. Click Next.
  3. Click Place all certificates in the following store.
  4. Click Browse.
  5. Perform one of the following actions:
    • If you are distributing a root certificate, click Trusted Root Certification Authorities.
    • If you are distributing a client certificate, click Personal.
  6. Click OK.
  7. Click Finish.
  8. In the Security Warning dialog box, click Yes.
  9. Connect the BlackBerry device to the BlackBerry Desktop Manager.
  10. In the BlackBerry Desktop Manager, select the Certificate Synch tool.
  11. Type a password that you can use as the keystore password.
  12. Perform one of the following actions:
    • If you are distributing a root certificate, on the Root Certificates tab, select the certificate that you want to add to the certificate list on the BlackBerry device.
    • If you are distributing a client certificate, on the Personal tab, select the certificate that you want to add to the certificate list on the BlackBerry device.

Users cannot find the certificate synchronization tool in the BlackBerry Desktop Manager

Possible cause

The certificate synchronization tool was not installed when the user installed the BlackBerry® Desktop Manager.

Possible solution

Instruct the user to re-install the BlackBerry Desktop Manager using the custom installation option. During the custom installation process, the user can install the certificate synchronization tool.

Configure PEAP configuration settings in the Wi-Fi profile on a BlackBerry device

If you do not configure the PEAP configuration settings using the BlackBerry® Administration Service, instruct users to configure the settings in the Wi-Fi® profile on the BlackBerry device.
  1. On the BlackBerry device, in the device options, click Wi-Fi Connections.
  2. Click the Wi-Fi profile that you want to configure.
  3. Click Edit.
  4. In the Security Type list, select PEAP.
  5. Type the user name and password for the messaging server.
  6. In the CA certificate list, click the certificate for the authentication server.
  7. Select the Inner link security type.
  8. If your organization does not use EAP-MS-CHAPv2, if necessary, in the Token list, select the token type.
  9. If necessary, in the Server subject field, type the server name in the server certificate, in URL format (for example, server1.domain.com or server1.domain.net). If you leave the field blank, the BlackBerry device skips over it during server authentication.
  10. If necessary, in the Server SAN field, type the alternative name for the server, in URL format (for example, server1.domain.com or server1.domain.net). If you leave the field blank, the BlackBerry device skips over it during server authentication.
  11. If your organization uses dynamic IP addresses, verify that the Automatically obtain IP address and DNS option is selected.
  12. Verify that the Allow inter-access point handover option is selected.
  13. If necessary, select the Prompt before connection check box. If you do not select the check box, the BlackBerry device connects to an available wireless access point automatically.
  14. If necessary, select the Notify on authentication failure check box.
  15. If necessary, select the VPN profile.
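
What the Server subject, Server SAN and Wi-Fi Disable Server Certificate Validation settings in the two profile procedures above mean for which authentication server certificates a device accepts, as an added example that is not BlackBerry code. The dictionary layout, the case-insensitive exact name match and the sample names are assumptions; it also assumes that disabling server certificate validation skips every server check.

```python
# Added example: models the server checks a PEAP Wi-Fi profile requests.
# Assumptions: dict layout, case-insensitive exact name matching, and that
# "Wi-Fi Disable Server Certificate Validation" skips every server check.

def _blank(profile, key):
    return not profile.get(key, "").strip()

def server_accepted(profile, cert):
    """Return True if a device using `profile` would accept `cert`."""
    if profile.get("disable_server_cert_validation"):
        return True  # server certificate is not validated at all
    if cert["issuer_root"] not in profile["trusted_roots"]:
        return False  # issuing CA is not in the explicitly trusted list
    # A blank Server subject / Server SAN field is skipped, as the page states.
    if not _blank(profile, "server_subject"):
        if profile["server_subject"].strip().lower() != cert["subject_cn"].lower():
            return False
    if not _blank(profile, "server_san"):
        wanted = profile["server_san"].strip().lower()
        if wanted not in (name.lower() for name in cert["san"]):
            return False
    return True

def audit(profile):
    """List settings that leave the authentication server's identity unchecked."""
    findings = []
    if profile.get("disable_server_cert_validation"):
        findings.append("Wi-Fi Disable Server Certificate Validation is set")
    if _blank(profile, "server_subject") and _blank(profile, "server_san"):
        findings.append("Wi-Fi Server Subject and Wi-Fi Server SAN are both blank")
    return findings

# Constructed sample data (names are illustrative, not from a real deployment).
ROOT = "Example Corp Root CA"
AUTH_SERVER = {"issuer_root": ROOT, "subject_cn": "server1.domain.com",
               "san": ["server1.domain.com"]}
OTHER_HOST = {"issuer_root": ROOT, "subject_cn": "host9.domain.com",
              "san": ["host9.domain.com"]}
UNKNOWN_CA = {"issuer_root": "Unknown CA", "subject_cn": "server1.domain.com",
              "san": ["server1.domain.com"]}
PINNED = {"trusted_roots": [ROOT], "server_subject": "server1.domain.com",
          "server_san": "server1.domain.com"}
BLANK = {"trusted_roots": [ROOT], "server_subject": "", "server_san": ""}
NO_VALIDATION = {"trusted_roots": [ROOT], "disable_server_cert_validation": True}

if __name__ == "__main__":
    for name, p in [("PINNED", PINNED), ("BLANK", BLANK), ("NO_VALIDATION", NO_VALIDATION)]:
        print(name, [server_accepted(p, c) for c in (AUTH_SERVER, OTHER_HOST, UNKNOWN_CA)], audit(p))
```

With both name fields blank, any certificate issued under the trusted root passes, so filling in Server subject or Server SAN is what ties the profile to one authentication server.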