Any good reason why RIM shouldn't have installed the intermediate
certificate on its device?  Seems like a missing element.

 

Frank

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Sunday, February 22, 2009 5:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2

Thanks very much, James. I was contemplating which level cert this needed-
but hopefully you've given me enough to go on to muddle through. Will let
you know how I fare.

-Lee

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of
James J J Hooper
Sent: Sat 2/21/2009 2:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2

James J J Hooper wrote:
> Lee H Badman wrote:
>> Wondering if anyone has gone down this road. According to
>>
>> http://na.blackberry.com/eng/deliverables/4133/BB_Ent_Soln_Security_4.1.6_STO.pdf
>>
>> the Blackberry 8900 should be able to do 802.1x with PEAP and MS-CHAPv2-
>> which does not require a client-side cert. And even though you can tell
>> the device not to verify server cert, this has nothing to do with the
>> fact that the Blackberry seemingly demands a cert or won't even let you
>> go on (certainly not the first handheld to act like this). This is a
>> client device, so I don't have the luxury of playing with it very much,
>> and so looking to glom onto anyone else's success if you may have
>> figured out how to work past this. We have multiple auth servers as
>> well, which may or may not complicate it.
>>
>> I know these EAP types are not "standards" and device manufacturers
>> have freedom to implement as they see fit.
>
>
> Hi Lee,
>    Not specifically on an 8900, but we did get PEAP/MS-CHAPv2 on an 8120:
>
> http://www.wireless.bris.ac.uk/getconnected/services/uobroam/manual-blackberry/


I had more of a think .... the certificate mentioned in those instructions
is an intermediate certificate. Our radius server sends it to clients along
with its server cert, but we couldn't get the blackberry to connect without
specifically installing the intermediate cert first. So, if your cert is a
chained one, you have to install the intermediate certs (but not the final
radius server cert) on to the blackberry first. As long as all your auth
servers are signed by the same CA, once one works, they all will.

The 'UoB-Wireless' SSID mentioned is open (only lets you get to the wireless
web site and a VPN server), so we can use it to get certs directly to a
device. The blackberry recognises certs with .cer extension, mime type
application/x-x509-ca-cert in x509 format.

Regards,
  James

--
James J J Hooper
University of Bristol
http://www.wireless.bris.ac.uk
--

**********
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.
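
The delivery step James describes (intermediate certs only, offered as .cer files with MIME type application/x-x509-ca-cert from a web site reachable on the open SSID), sketched as an added example that is not part of the original thread or of Bristol's setup. Assumptions: the RADIUS chain bundle is ordered leaf first, DER is the wanted encoding, and the function names, port and sample bundle are made up for illustration.

```python
import re
import ssl
import tempfile
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

# Constructed placeholder bundle (bodies are not real certificates),
# ordered leaf first, then two intermediate CAs.
SAMPLE_CHAIN = "\n".join(
    f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"
    for body in ("TEVBRg==", "SU5UMQ==", "SU5UMg=="))


def export_intermediates(chain_pem, out_dir):
    """Write each cert after the first as out_dir/intermediate-N.cer.

    Assumptions: leaf-first ordering and DER output (the post only says
    "x509 format"). The leaf (RADIUS server cert) is deliberately skipped.
    """
    blocks = PEM_BLOCK.findall(chain_pem)
    if len(blocks) < 2:
        raise ValueError("bundle has no intermediates after the server cert")
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for n, pem in enumerate(blocks[1:], start=1):
        path = out_dir / f"intermediate-{n}.cer"
        path.write_bytes(ssl.PEM_cert_to_DER_cert(pem))
        written.append(path)
    return written


class CertHandler(SimpleHTTPRequestHandler):
    """Static file handler that sends .cer with the MIME type from the post."""
    extensions_map = {**SimpleHTTPRequestHandler.extensions_map,
                      ".cer": "application/x-x509-ca-cert"}


def make_server(cert_dir, port=8080):
    """Bind a server for cert_dir; call .serve_forever() on the result."""
    return ThreadingHTTPServer(
        ("", port), partial(CertHandler, directory=str(cert_dir)))


if __name__ == "__main__":
    print(export_intermediates(SAMPLE_CHAIN, Path(tempfile.mkdtemp())))
```

Without the `extensions_map` override, the Content-Type sent for `.cer` depends on the host's MIME table and may not be the one the post names.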
