Table of Contents
Advertisement
BlackBerry Enterprise Solution
Appendix H: Enterprise Wi-Fi security methods that the BlackBerry device
supports
EAP authentication methods that the BlackBerry device supports
The BlackBerry device supports EAP authentication methods with protected WLAN networks only.
Authentication method
LEAP
PEAP
EAP-TLS
©
2009 Research In Motion Limited. All rights reserved.
Description
Cisco® developed LEAP in response
to the weaknesses identified in WEP.
LEAP uses the IEEE 802.1x
authentication framework.
LEAP is designed to significantly
improve on basic WEP security by
providing authentication between
the enterprise Wi-Fi network device
and the enterprise Wi-Fi network,
per-client dynamic generation of
WEP keys, and automatic WEP key
updates throughout the course of a
session on the enterprise Wi-Fi
network device.
PEAP is an open standard jointly
developed by Microsoft Corporation,
RSA Security, and Cisco Systems,
Inc. PEAP allows for supplicant
authentication with an
authentication server by
•
creating an encrypted tunnel
between the supplicant and the
authentication server using TLS
•
using the TLS tunnel to send the
supplicant authentication
credentials to the
authentication server
EAP-TLS is defined in RFC 2716. It
uses a PKI to enable supplicant
authentication with an
authentication server by
•
using the TLS protocol to create
an encrypted tunnel between
the supplicant and the
authentication server
•
using the TLS encrypted tunnel
and a client certificate to send
authentication credentials to
the authentication server
BlackBerry device implementation
The BlackBerry device supports LEAP
authentication based on a user name and
password. The BlackBerry device uses a
one-way function to encrypt passwords
before sending them to the
authentication server.
LEAP does not provide mutual
authentication between the BlackBerry
device and the enterprise Wi-Fi network.
Set strong password policies on networks
that use LEAP.
The BlackBerry device supports the
following versions of PEAP:
•
PEAPv0
•
PEAPv1
The BlackBerry device supports EAP-MS-
CHAPv2 and EAP-GTC as second-phase
protocols that the BlackBerry device can
use with PEAP for the authentication
credential exchange.
A root certificate corresponding to the
server certificate that the authentication
server uses must exist on the BlackBerry
device for PEAP authentication to
complete successfully.
The Wi-Fi enabled BlackBerry device
supports EAP-TLS using certificates that
meet specific requirements on both the
server and the client for successful
authentication.
The root certificates of the
authentication server certificate and the
client certificate must exist on the Wi-Fi
enabled BlackBerry device for EAP-TLS
authentication to complete successfully.
www.blackberry.com
83
Advertisement
Table of Contents
