BlackBerry Enterprise Solution Security Technical Overview: Using VPNs to protect connections to enterprise Wi-Fi networks


BlackBerry Enterprise Solution
Using certificate-based authentication to protect connections to enterprise Wi-Fi networks
If the BlackBerry Enterprise Server administrator uses PEAP, EAP-TLS, or EAP-TTLS methods to secure the access points on your enterprise Wi-Fi network, supported Wi-Fi enabled BlackBerry devices must mutually authenticate with an access point through an authentication server to connect to the enterprise Wi-Fi network. The BlackBerry Enterprise Server administrator requires a certificate authority server to generate the certificates that the supported Wi-Fi enabled BlackBerry devices and the RADIUS server will store.

Successful PEAP, EAP-TLS, or EAP-TTLS authentication requires that the supported Wi-Fi enabled BlackBerry devices trust the certificate of the authentication server. The certificate binds the authentication server identity to a public and private key pair. Supported Wi-Fi enabled BlackBerry devices do not automatically trust the authentication server certificate. For the supported Wi-Fi enabled BlackBerry devices to trust the authentication server certificates, the following conditions must exist:

• a certificate authority server that the supported Wi-Fi enabled BlackBerry devices and the authentication server mutually trust must generate the certificate for the authentication server and the certificate for each supported Wi-Fi enabled BlackBerry device
• the root certificate(s) in the certificate chain to which the certificate of the authentication server belongs must exist on supported Wi-Fi enabled BlackBerry devices that use PEAP, EAP-TLS, or EAP-TTLS

Each BlackBerry device stores a list of explicitly trusted root certificates that certificate authorities have issued.
Caching connection information when using IEEE 802.1X authentication
When using IEEE 802.11i with IEEE 802.1X authentication, the supported Wi-Fi enabled BlackBerry device and the access point can cache a PMK, which is derived from keying material that the EAP exchange generates. PMK caching reuses previously established keying material to skip IEEE 802.1X authentication and mutually derive session keys with the access point to which the device is connecting. Use this feature to help reduce the roaming latency between access points in an enterprise Wi-Fi network environment for the supported Wi-Fi enabled BlackBerry device.

Using VPNs to protect connections to enterprise Wi-Fi networks

Your organization might use VPNs, including IPSec VPNs, to provide remote BlackBerry device users with secure access to an enterprise network. A VPN provides a strongly encrypted tunnel between the client device and the core enterprise network. A VPN differs from the other supported enterprise Wi-Fi network security methods in that the access point is not involved in data encryption.

An enterprise Wi-Fi VPN solution consists of the following components:

• a VPN client on the supported Wi-Fi enabled BlackBerry device, which the BlackBerry device uses to gain access to the network
• a VPN concentrator, which is located on the edge of your organization's enterprise network and acts as the gateway to that network

When your organization uses a VPN to protect access to the enterprise Wi-Fi network, the enterprise Wi-Fi network configuration also uses a Wi-Fi authentication or encryption method by default to provide an access-control mechanism for the enterprise Wi-Fi network itself, and uses the VPN to provide the actual secure access method. In this scenario, the enterprise Wi-Fi network is configured as an untrusted network, and the VPN concentrator is the only device connected to the enterprise Wi-Fi network.

The VPN client on a supported Wi-Fi enabled BlackBerry device is designed to

• use strong encryption to authenticate itself with the VPN concentrator
• create an encrypted tunnel between the supported Wi-Fi enabled BlackBerry device and the VPN concentrator through which the supported Wi-Fi enabled BlackBerry device and the enterprise network can route all communication between them

This manual is also suitable for: Enterprise Server 4.1