James- Looks like we got it. The Verisign Intermediate Cert was the key, needed tp pull that down from Verisign, and then evidently anything chained to it is OK. Thanks very much for the excellent screenshots as well.
-Lee Lee H. Badman Wireless/Network Engineer Information Technology and Services Syracuse University 315 443-3003 -----Original Message----- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of James J J Hooper Sent: Saturday, February 21, 2009 2:31 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2 James J J Hooper wrote: > Lee H Badman wrote: >> Wondering if anyone has gone down this road... according to >> >> http://na.blackberry.com/eng/deliverables/4133/BB_Ent_Soln_Security_4.1. 6_STO.pdf >> >> >> >> the Blackberry 8900 should be able to do 802.1x with PEAP and MS-CHAPv2- >> which does not require a client-side cert. And even though you can tell >> the device not to verify server cert, this has nothing to do with the >> fact that the Blackberry seemingly demands a cert or won't even let you >> go on (certainly not the first handheld to act like this). This is a >> client device, so I don't have the luxury of playing with it very much, >> and so looking to glom onto anyone else's success if you may have >> figured out how to work past this. We have multiple auth servers as >> well, which may or may not complicate it. >> >> >> >> >> >> I know these EAP types are not "standards" and device manufacturers >> have freedom to implement as they see fit. > > > Hi Lee, > Not specifically on a 8900, but we did get PEAP/MS-CHAPv2 on a 8120: > http://www.wireless.bris.ac.uk/getconnected/services/uobroam/manual-blac kberry/ I had more of a think .... the certificate mentioned in those instructions is an intermediate certificate. Our radius server sends it to clients along with its server cert, but we couldn't get the blackberry to connect without specifically installing the intermediate cert first. So, if your cert is chained one, you have to install the intermediate certs (but not the final radius server cert) on to the blackberry first. As long as all your auth servers are signed by the same CA, once one works, they all will. The 'UoB-Wireless' SSID mentioned is open (only lets you get to the wireless web site and a VPN server), so we can use it to get certs directly to a device. The blackberry recognises certs with .cer extension, mime type application/x-x509-ca-cert in x509 format. Regards, James -- James J J Hooper University of Bristol http://www.wireless.bris.ac.uk -- ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.