BlackBerry Forums Support Community               

01-28-2008, 10:12 PM   #1
New Member
 
Join Date: Jan 2008
Model: 8320
PIN: N/A
Carrier: T-Mobile
Posts: 3
*WPA2-Enterprise* Too much for my BB 8320? T-Mobile agent says yes!

My school has a network with the following requirements a device has to satisfy:

Security Type: WPA-Enterprise
Encryption Type: TKIP
Authentication Method: PEAP
  - EAP-MSCHAPv2

Sadly, I have no clue what this all is about. However, trying to connect with my BB, other than my username and password, the BB asks me for a:

-CA certificate
-Inner link security (this should be EAP-MSCHAPv2)
-Token
-Server Subject
-Server SAN

Since I only know my username and password, I have failed to connect. Somehow, my gut feeling is that all this should be pretty standard, I can't imagine my school has some extraordinary encryption skills, I don't work for NASA after all.

However, a T-Mobile agent just told me on the phone that "BB 8320 doesn't support connectivity with WPA-Enterprise networks, but only for small home networks" Is this true?

I really don't know what to do at this point. I did a search and saw another thread with a similar problem, but being a total newbie I can't figure out what is the right thing to do. Unfortunately, people in my school's IT dept are clueless too, hidden behind the claim that they don't provide individual support for all handheld devices...

Any help, please?
01-28-2008, 10:50 PM   #2
BBF Moderator
 
John Clark's Avatar
 
Join Date: Jun 2005
Model: Z30
OS: 10.2.1.x
PIN: s & needles
Carrier: AT&T
Posts: 34,679

For that type of security there is usually a certificate on your computer that you need to sync via Desktop Manager. When you install Desktop Manager you will need to install it with Certificate Sync support and you'll need to know which certificate on your computer is the one from your school's network.

Once sync'd then you can choose that certificate when setting up the wifi network. On my work network I leave token, server subject and server SAN blank.
01-28-2008, 11:13 PM   #3
New Member
 
Join Date: Jan 2008
Model: 8320
PIN: N/A
Carrier: T-Mobile
Posts: 3

Thanks John! Problem is that I have more basic issues, being a Macintosh user. I can't even get to install the "Blackberry user tools" on my Mac desktop...


PS So, is what the T-Mobile agent told me incorrect?? If yes, how can they give out such information to people?

Last edited by madhatter2 : 01-28-2008 at 11:14 PM.
01-29-2008, 12:17 AM   #4
BBF Moderator
 
John Clark's Avatar
 
Join Date: Jun 2005
Model: Z30
OS: 10.2.1.x
PIN: s & needles
Carrier: AT&T
Posts: 34,679

I don't know if PocketMac (sync software for Mac) will sync certificates. I don't think it will. The 8320 does support WPA for enterprise networks. I use the same method at my work that you are trying to use, and it works fine for me.
01-29-2008, 09:11 AM   #5
Knows Where the Search Button Is
 
Join Date: Jun 2007
Model: 8320
PIN: N/A
Carrier: AT&T & T-Mobile
Posts: 26

My school has the same sort of set up. Try manually configuring the network on your BB by going into wifi setup and selecting manual configure network. Then input the SSID and then select either LEAP or PEAP as the security level in the drop down box. Then continue onto the next screens and input your user id and password and try the connection. I have the same sort of cryptic setup at my school and went through this with the IT guys and they told me to use either PEAP or LEAP. They tried first with PEAP and it didn't work, but then retried with LEAP and it went through and connected quickly. The IT guys hadn't had many requests like this before (so yours might not be too helpful, but I know one of the guys who had done it and he helped me). Just try what I have suggested and see if it works, it did for me and required no certificate loading through a PC, this enabled the certificate to be grabbed OTA as I specifically asked if I should get a certificate and download through the computer to the BB to which he stated the BB had the appropriate credentials to be able to grab the certificate OTA and the computer load wouldn't be necessary (we use the same sort of secondary tunneling at my school as well).

Hope this works for you as it has taken me a few months to find the answers and it finally worked for me. Good luck.

Last edited by squeakr : 01-29-2008 at 02:48 PM.
01-29-2008, 09:22 AM   #6
BBF Moderator
 
John Clark's Avatar
 
Join Date: Jun 2005
Model: Z30
OS: 10.2.1.x
PIN: s & needles
Carrier: AT&T
Posts: 34,679

If a certificate is not required from your PC then the above should work for you. Good advice from squeakr!
01-29-2008, 04:10 PM   #7
New Member
 
Join Date: Jan 2008
Model: 8320
PIN: N/A
Carrier: T-Mobile
Posts: 3

Quote:
Originally Posted by squeakr
My school has the same sort of set up. Try manually configuring the network on your BB by going into wifi setup and selecting manual configure network. Then input the SSID and then select either LEAP or PEAP as the security level in the drop down box. Then continue onto the next screens and input your user id and password and try the connection. I have the same sort of cryptic setup at my school and went through this with the IT guys and they told me to use either PEAP or LEAP. They tried first with PEAP and it didn't work, but then retried with LEAP and it went through and connected quickly. The IT guys hadn't had many requests like this before (so yours might not be too helpful, but I know one of the guys who had done it and he helped me). Just try what I have suggested and see if it works, it did for me and required no certificate loading through a PC, this enabled the certificate to be grabbed OTA as I specifically asked if I should get a certificate and download through the computer to the BB to which he stated the BB had the appropriate credentials to be able to grab the certificate OTA and the computer load wouldn't be necessary (we use the same sort of secondary tunneling at my school as well).

Hope this works for you as it has taken me a few months to find the answers and it finally worked for me. Good luck.

Thanks squeakr, I appreciate it. Unfortunately, it didn't work for me. Neither with LEAP nor with PEAP.

The IT guys at my school claim that if in the dropdown list (PEAP, LEAP,...) there was an option like "No authentication" I should go for that and could bypass the certificate issue. His argument was that they don't require any kind of certificate when a Win XP PC is about to connect to their network (they drop the certificate requirement). Please, don't quote me on that, I have heard many crazy things during those last days, so with my little knowledge I can't understand how one can have a WPA-Enterprise network and at the same time drop certificates...
01-30-2008, 07:54 PM   #8
Knows Where the Search Button Is
 
Join Date: Jun 2007
Model: 8320
PIN: N/A
Carrier: AT&T & T-Mobile
Posts: 26

I was playing with setups today trying to crack the work account and once an account already exists (meaning anything set up on the device and saved, not necessarily the correct account and settings, as long as you have a correct user name, password, and valid SSID for the access point that you are trying to connect to) you can go back into wifi options, highlight the network, hit the menu key and select the edit option to edit the choices. I selected the PEAP option and then it went to another screen and it gave me the option to select the "no option" for the certificate for both the primary (as well as an automatic option which you could try) and secondary token and that I believe is what your IT guy was talking about. I believe what he was saying is that on some networks the computer initially connects without security and then once the user is verified as a valid user, it issues the secondary token and grabs this as the certification that your network uses to gain authorization (this allows them to have both an open public option and a secure access point using the same access point by just changing your access option). I know that is the basic way that my school system is setup for authorization. Sorry I couldn't be of that much help but this may be an option to try and pursue. Once again, good luck.
02-01-2008, 07:40 AM   #9
Thumbs Must Hurt
 
ashleyneiltaylor's Avatar
 
Join Date: May 2005
Location: London UK
Model: 9900
OS: 7.1.0.213
Carrier: Vodafone
Posts: 164

If it doesn't use a certificate it is LEAP. If it is PEAP, it will require a certificate.
02-02-2008, 02:42 PM   #10
New Member
 
Join Date: Jan 2008
Model: 8820
PIN: N/A
Carrier: Orange
Posts: 3

Hi Guys

I have an 8820 and have the same setup within my organisation. We use Active Directory to issue Certificates (both workstation, and user). These certificates authenticate with a RADIUS server. I've only recently gotten involved in this level of network, so I'm a bit shaky on it.

I've tried PEAP, but as I only have the User certificate (as my BB cannot request a workstation certificate) it isn't working. I get a PEAP connection error (something like, PEAP is not a supported protocol on this network), which I believe is actually just shrouding the fact that I don't have a workstation authentication.

Anyone got any ideas what I can do about this?

Thanks
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.