RE: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2
James- Looks like we got it. The Verisign Intermediate Cert was the key, needed tp pull that down from Verisign, and then evidently anything chained to it is OK. Thanks very much for the excellent screenshots as well. -Lee Lee H. Badman Wireless/Network Engineer Information Technology and Services Syracuse University 315 443-3003 -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of James J J Hooper Sent: Saturday, February 21, 2009 2:31 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2 James J J Hooper wrote: Lee H Badman wrote: Wondering if anyone has gone down this road... according to http://na.blackberry.com/eng/deliverables/4133/BB_Ent_Soln_Security_4.1. 6_STO.pdf the Blackberry 8900 should be able to do 802.1x with PEAP and MS-CHAPv2- which does not require a client-side cert. And even though you can tell the device not to verify server cert, this has nothing to do with the fact that the Blackberry seemingly demands a cert or won't even let you go on (certainly not the first handheld to act like this). This is a client device, so I don't have the luxury of playing with it very much, and so looking to glom onto anyone else's success if you may have figured out how to work past this. We have multiple auth servers as well, which may or may not complicate it. I know these EAP types are not standards and device manufacturers have freedom to implement as they see fit. Hi Lee, Not specifically on a 8900, but we did get PEAP/MS-CHAPv2 on a 8120: http://www.wireless.bris.ac.uk/getconnected/services/uobroam/manual-blac kberry/ I had more of a think the certificate mentioned in those instructions is an intermediate certificate. Our radius server sends it to clients along with its server cert, but we couldn't get the blackberry to connect without specifically installing the intermediate cert first. So, if your cert is chained one, you have to install the intermediate certs (but not the final radius server cert) on to the blackberry first. As long as all your auth servers are signed by the same CA, once one works, they all will. The 'UoB-Wireless' SSID mentioned is open (only lets you get to the wireless web site and a VPN server), so we can use it to get certs directly to a device. The blackberry recognises certs with .cer extension, mime type application/x-x509-ca-cert in x509 format. Regards, James -- James J J Hooper University of Bristol http://www.wireless.bris.ac.uk -- ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2
Any good reason why RIM shouldn't have installed the intermediate certificate on its device? Seems like a missing element. Frank From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Sunday, February 22, 2009 5:20 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2 Thanks very much, James. I was contemplating which level cert this needed- but hopefully you've given me enough to go on to muddle through. Will let you know how I fare. -Lee -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of James J J Hooper Sent: Sat 2/21/2009 2:30 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2 James J J Hooper wrote: Lee H Badman wrote: Wondering if anyone has gone down this road. according to http://na.blackberry.com/eng/deliverables/4133/BB_Ent_Soln_Security_4.1.6_ST O.pdf the Blackberry 8900 should be able to do 802.1x with PEAP and MS-CHAPv2- which does not require a client-side cert. And even though you can tell the device not to verify server cert, this has nothing to do with the fact that the Blackberry seemingly demands a cert or won't even let you go on (certainly not the first handheld to act like this). This is a client device, so I don't have the luxury of playing with it very much, and so looking to glom onto anyone else's success if you may have figured out how to work past this. We have multiple auth servers as well, which may or may not complicate it. I know these EAP types are not standards and device manufacturers have freedom to implement as they see fit. Hi Lee, Not specifically on a 8900, but we did get PEAP/MS-CHAPv2 on a 8120: http://www.wireless.bris.ac.uk/getconnected/services/uobroam/manual-blackber ry/ I had more of a think the certificate mentioned in those instructions is an intermediate certificate. Our radius server sends it to clients along with its server cert, but we couldn't get the blackberry to connect without specifically installing the intermediate cert first. So, if your cert is chained one, you have to install the intermediate certs (but not the final radius server cert) on to the blackberry first. As long as all your auth servers are signed by the same CA, once one works, they all will. The 'UoB-Wireless' SSID mentioned is open (only lets you get to the wireless web site and a VPN server), so we can use it to get certs directly to a device. The blackberry recognises certs with .cer extension, mime type application/x-x509-ca-cert in x509 format. Regards, James -- James J J Hooper University of Bristol http://www.wireless.bris.ac.uk -- ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2
Beats me. These little devices are all over the place in cert-friendliness and EAP implementation, sometimes to the point of being self-defeating. Lee H. Badman Wireless/Network Engineer Information Technology and Services Syracuse University 315 443-3003 From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Frank Bulk Sent: Tuesday, February 24, 2009 7:17 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2 Any good reason why RIM shouldn't have installed the intermediate certificate on its device? Seems like a missing element. Frank From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Sunday, February 22, 2009 5:20 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2 Thanks very much, James. I was contemplating which level cert this needed- but hopefully you've given me enough to go on to muddle through. Will let you know how I fare. -Lee -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of James J J Hooper Sent: Sat 2/21/2009 2:30 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2 James J J Hooper wrote: Lee H Badman wrote: Wondering if anyone has gone down this road. according to http://na.blackberry.com/eng/deliverables/4133/BB_Ent_Soln_Security_4.1. 6_STO.pdf the Blackberry 8900 should be able to do 802.1x with PEAP and MS-CHAPv2- which does not require a client-side cert. And even though you can tell the device not to verify server cert, this has nothing to do with the fact that the Blackberry seemingly demands a cert or won't even let you go on (certainly not the first handheld to act like this). This is a client device, so I don't have the luxury of playing with it very much, and so looking to glom onto anyone else's success if you may have figured out how to work past this. We have multiple auth servers as well, which may or may not complicate it. I know these EAP types are not standards and device manufacturers have freedom to implement as they see fit. Hi Lee, Not specifically on a 8900, but we did get PEAP/MS-CHAPv2 on a 8120: http://www.wireless.bris.ac.uk/getconnected/services/uobroam/manual-blac kberry/ I had more of a think the certificate mentioned in those instructions is an intermediate certificate. Our radius server sends it to clients along with its server cert, but we couldn't get the blackberry to connect without specifically installing the intermediate cert first. So, if your cert is chained one, you have to install the intermediate certs (but not the final radius server cert) on to the blackberry first. As long as all your auth servers are signed by the same CA, once one works, they all will. The 'UoB-Wireless' SSID mentioned is open (only lets you get to the wireless web site and a VPN server), so we can use it to get certs directly to a device. The blackberry recognises certs with .cer extension, mime type application/x-x509-ca-cert in x509 format. Regards, James -- James J J Hooper University of Bristol http://www.wireless.bris.ac.uk -- ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2
I was handed an 8900 today to see if I could get it working on our WPA/EAP-TTLS/PAP/FreeRadius wireless. I¹m not optimistic, but I let the list know how I make out with that. -- Don Wright Senior Network Engineer Brown University, CIS NTG P Please don't print this e-mail or any other electronic documents unless you really need to. On 2/24/09 7:19 AM, Lee H Badman lhbad...@syr.edu wrote: Beats me. These little devices are all over the place in cert-friendliness and EAP implementation, sometimes to the point of being self-defeating. Lee H. Badman Wireless/Network Engineer Information Technology and Services Syracuse University 315 443-3003 From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Frank Bulk Sent: Tuesday, February 24, 2009 7:17 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2 Any good reason why RIM shouldn¹t have installed the intermediate certificate on its device? Seems like a missing element. Frank From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Sunday, February 22, 2009 5:20 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2 Thanks very much, James. I was contemplating which level cert this needed- but hopefully you've given me enough to go on to muddle through. Will let you know how I fare. -Lee -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of James J J Hooper Sent: Sat 2/21/2009 2:30 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2 James J J Hooper wrote: Lee H Badman wrote: Wondering if anyone has gone down this road. according to http://na.blackberry.com/eng/deliverables/4133/BB_Ent_Soln_Security_4.1.6_ST O.pdf the Blackberry 8900 should be able to do 802.1x with PEAP and MS-CHAPv2- which does not require a client-side cert. And even though you can tell the device not to verify server cert, this has nothing to do with the fact that the Blackberry seemingly demands a cert or won't even let you go on (certainly not the first handheld to act like this). This is a client device, so I don't have the luxury of playing with it very much, and so looking to glom onto anyone else's success if you may have figured out how to work past this. We have multiple auth servers as well, which may or may not complicate it. I know these EAP types are not standards and device manufacturers have freedom to implement as they see fit. Hi Lee, Not specifically on a 8900, but we did get PEAP/MS-CHAPv2 on a 8120: http://www.wireless.bris.ac.uk/getconnected/services/uobroam/manual-blackberr y/ I had more of a think the certificate mentioned in those instructions is an intermediate certificate. Our radius server sends it to clients along with its server cert, but we couldn't get the blackberry to connect without specifically installing the intermediate cert first. So, if your cert is chained one, you have to install the intermediate certs (but not the final radius server cert) on to the blackberry first. As long as all your auth servers are signed by the same CA, once one works, they all will. The 'UoB-Wireless' SSID mentioned is open (only lets you get to the wireless web site and a VPN server), so we can use it to get certs directly to a device. The blackberry recognises certs with .cer extension, mime type application/x-x509-ca-cert in x509 format. Regards, James -- James J J Hooper University of Bristol http://www.wireless.bris.ac.uk -- ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2
Thanks very much, James. I was contemplating which level cert this needed- but hopefully you've given me enough to go on to muddle through. Will let you know how I fare. -Lee -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of James J J Hooper Sent: Sat 2/21/2009 2:30 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2 James J J Hooper wrote: Lee H Badman wrote: Wondering if anyone has gone down this road. according to http://na.blackberry.com/eng/deliverables/4133/BB_Ent_Soln_Security_4.1.6_STO.pdf the Blackberry 8900 should be able to do 802.1x with PEAP and MS-CHAPv2- which does not require a client-side cert. And even though you can tell the device not to verify server cert, this has nothing to do with the fact that the Blackberry seemingly demands a cert or won't even let you go on (certainly not the first handheld to act like this). This is a client device, so I don't have the luxury of playing with it very much, and so looking to glom onto anyone else's success if you may have figured out how to work past this. We have multiple auth servers as well, which may or may not complicate it. I know these EAP types are not standards and device manufacturers have freedom to implement as they see fit. Hi Lee, Not specifically on a 8900, but we did get PEAP/MS-CHAPv2 on a 8120: http://www.wireless.bris.ac.uk/getconnected/services/uobroam/manual-blackberry/ I had more of a think the certificate mentioned in those instructions is an intermediate certificate. Our radius server sends it to clients along with its server cert, but we couldn't get the blackberry to connect without specifically installing the intermediate cert first. So, if your cert is chained one, you have to install the intermediate certs (but not the final radius server cert) on to the blackberry first. As long as all your auth servers are signed by the same CA, once one works, they all will. The 'UoB-Wireless' SSID mentioned is open (only lets you get to the wireless web site and a VPN server), so we can use it to get certs directly to a device. The blackberry recognises certs with .cer extension, mime type application/x-x509-ca-cert in x509 format. Regards, James -- James J J Hooper University of Bristol http://www.wireless.bris.ac.uk -- ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2
Lee H Badman wrote: Wondering if anyone has gone down this road… according to http://na.blackberry.com/eng/deliverables/4133/BB_Ent_Soln_Security_4.1.6_STO.pdf the Blackberry 8900 should be able to do 802.1x with PEAP and MS-CHAPv2- which does not require a client-side cert. And even though you can tell the device not to verify server cert, this has nothing to do with the fact that the Blackberry seemingly demands a cert or won’t even let you go on (certainly not the first handheld to act like this). This is a client device, so I don’t have the luxury of playing with it very much, and so looking to glom onto anyone else’s success if you may have figured out how to work past this. We have multiple auth servers as well, which may or may not complicate it. I know these EAP types are not “standards” and device manufacturers have freedom to implement as they see fit. Hi Lee, Not specifically on a 8900, but we did get PEAP/MS-CHAPv2 on a 8120: http://www.wireless.bris.ac.uk/getconnected/services/uobroam/manual-blackberry/ (OS: 4.3.0.67) -James -- James J J Hooper University of Bristol http://www.wireless.bris.ac.uk -- ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2
James J J Hooper wrote: Lee H Badman wrote: Wondering if anyone has gone down this road… according to http://na.blackberry.com/eng/deliverables/4133/BB_Ent_Soln_Security_4.1.6_STO.pdf the Blackberry 8900 should be able to do 802.1x with PEAP and MS-CHAPv2- which does not require a client-side cert. And even though you can tell the device not to verify server cert, this has nothing to do with the fact that the Blackberry seemingly demands a cert or won’t even let you go on (certainly not the first handheld to act like this). This is a client device, so I don’t have the luxury of playing with it very much, and so looking to glom onto anyone else’s success if you may have figured out how to work past this. We have multiple auth servers as well, which may or may not complicate it. I know these EAP types are not “standards” and device manufacturers have freedom to implement as they see fit. Hi Lee, Not specifically on a 8900, but we did get PEAP/MS-CHAPv2 on a 8120: http://www.wireless.bris.ac.uk/getconnected/services/uobroam/manual-blackberry/ I had more of a think the certificate mentioned in those instructions is an intermediate certificate. Our radius server sends it to clients along with its server cert, but we couldn't get the blackberry to connect without specifically installing the intermediate cert first. So, if your cert is chained one, you have to install the intermediate certs (but not the final radius server cert) on to the blackberry first. As long as all your auth servers are signed by the same CA, once one works, they all will. The 'UoB-Wireless' SSID mentioned is open (only lets you get to the wireless web site and a VPN server), so we can use it to get certs directly to a device. The blackberry recognises certs with .cer extension, mime type application/x-x509-ca-cert in x509 format. Regards, James -- James J J Hooper University of Bristol http://www.wireless.bris.ac.uk -- ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.