BlackBerry Forums Support Community               

Old 09-25-2007, 05:41 PM   #1 (permalink)
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: So. California
Model: 8320
OS: 4.5.0.??
Carrier: T-mobile
Posts: 81
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default 8320, WPA-TKIP, PEAP and no certificate?

My office WLAN is set up as follows:

Cisco AP-1200 b/g
802.1x via PEAP, WPA TKIP, MS-CHAPv2.
I do not require client certificates, and Windows clients do not require a server certificate.

I set up my 8320 as follows:

Security Type: PEAP
username: I tried username, [email address] and domain\username
password: my password
CA Certificate: None Selected (also tried selecting a random one)
Inner Link Security: EAP-MSCHAP-V2
Token: None Selected
Server subject: I have no idea what this is
Server SAN: I have no idea what this is...

It doesn't work. All my other clients are configured similarly but the BB won't connect and it claims "incorrect credentials". The AP's log merely states invalid authentication. There is no entry in the IAS server, because this seems to be hanging up at the authentication between the client and AP radios, not actual USER authentication. It seems like I need to be able to specify WPA-TKIP in addition to PEAP, but I don't seem to be able to do so....

Any hints?
Offline  
Old 09-26-2007, 07:42 AM   #2 (permalink)
New Member
 
Join Date: Sep 2007
Model: 8320
PIN: N/A
Carrier: T-Mobile
Posts: 3
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

You probably need to use the Certificate Sync to transfer the appropriate .cer certificate file to your BlackBerry. I had to do the same thing to get mine to log in correctly with the work wireless.
Offline  
Old 09-26-2007, 02:07 PM   #3 (permalink)
CrackBerry Addict
 
Join Date: May 2007
Location: Gainesville, VA
Model: 9800
OS: 6.0.0.246
PIN: askme
Carrier: AT&T
Posts: 758
Post Thanks: 1
Thanked 1 Time in 1 Post
Default

Quote:
Originally Posted by iamstuffed View Post
You probably need to use the Certificate Sync to transfer the appropriate .cer certificate file to your BlackBerry. I had to do the same thing to get mine to log in correctly with the work wireless.
And how does one find the certificate for their router to install on the BB?
__________________
No More Palm
Offline  
Old 09-26-2007, 07:09 PM   #4 (permalink)
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: So. California
Model: 8320
OS: 4.5.0.??
Carrier: T-mobile
Posts: 81
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

What I meant to communicate in my first post is that my 802.1x implementation does not require a server or client certificate. It works fine with Windows clients; you just don't configure that portion of the wireless settings. Apparently the BlackBerry requires it??
Offline  
Old 09-26-2007, 07:28 PM   #5 (permalink)
CrackBerry Addict
 
Join Date: May 2007
Location: Gainesville, VA
Model: 9800
OS: 6.0.0.246
PIN: askme
Carrier: AT&T
Posts: 758
Post Thanks: 1
Thanked 1 Time in 1 Post
Default

Wirelessly posted (BlackBerry8320/4.2.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/100)

Oh, I understood you, and I have the same exact problem. I was wondering if the second poster could elaborate some more; he seems to have it working.
__________________
No More Palm
Offline  
Old 10-02-2007, 10:49 PM   #6 (permalink)
CrackBerry Addict
 
Join Date: May 2007
Location: Gainesville, VA
Model: 9800
OS: 6.0.0.246
PIN: askme
Carrier: AT&T
Posts: 758
Post Thanks: 1
Thanked 1 Time in 1 Post
Default

Have you resolved this problem?
__________________
No More Palm
Offline  
Old 10-03-2007, 12:54 PM   #7 (permalink)
CrackBerry Addict
 
Join Date: May 2007
Location: Gainesville, VA
Model: 9800
OS: 6.0.0.246
PIN: askme
Carrier: AT&T
Posts: 758
Post Thanks: 1
Thanked 1 Time in 1 Post
Default

I figured out a solution: I set up the BB to connect using LEAP instead of PEAP and it works just fine. I am shocked and happy at the same time.
__________________
No More Palm
Offline  
Old 10-08-2007, 08:56 AM   #8 (permalink)
New Member
 
Join Date: Oct 2007
Model: 8820
PIN: N/A
Carrier: cingular
Posts: 1
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default Thanks, this fix worked for me as well!

You are the man!
Offline  
Old 10-09-2007, 01:04 PM   #9 (permalink)
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: So. California
Model: 8320
OS: 4.5.0.??
Carrier: T-mobile
Posts: 81
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by GT5L View Post
I figured out a solution: I set up the BB to connect using LEAP instead of PEAP and it works just fine. I am shocked and happy at the same time.
Does your AP have multiple SSIDs set up? For example, one SSID for PEAP and another for LEAP? AFAIK LEAP is proprietary to Cisco APs (which I don't really care about since I have a Cisco AP1200 in the office).
Offline  
Old 10-10-2007, 11:48 AM   #10 (permalink)
New Member
 
Join Date: Oct 2007
Model: 8820
PIN: N/A
Carrier: AT&T Mobility
Posts: 2
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I'm having the exact same issue as the topic starter:

Device: BlackBerry 8820
Network:
WPA Enterprise
802.1x through PEAP, using EAP-MS-CHAP v2 with password based authentication
However, no certificate is required.

It seems like the BlackBerry is attempting to authenticate the certificate anyway... which I'm not quite sure what to do about because there's no "do not verify certificate" like there is in Windows/Linux (wpa_supplicant).

Our AP is not broadcasting another/same SSID with LEAP -- so the above suggestion isn't working for me.


I think these topics are related:
PEAP using the same with a certificate has issues:
8320/8820 Enterprise Wi-Fi PEAP Support

Possibly the same issue on the ATT forums:
Re: Wi fi conncetion problem with 8820 - RIM BlackBerry - Wireless Forums from AT&T



Any further ideas?

Last edited by Jon H : 10-10-2007 at 11:58 AM.
Offline  
Old 10-10-2007, 03:04 PM   #11 (permalink)
BlackBerry Extraordinaire
 
Join Date: Dec 2006
Location: san francisco
Model: 8320
PIN: n/a
Carrier: t-mobile
Posts: 2,166
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by Jon H View Post
Any further ideas?
I thought of one -- have you (y'all) tried going to Options -> Security -> TLS, and changing it from 'Proxy' to 'Handheld'? I forget exactly why I have to do that on mine (I just remember I do) but it solves some connection issue. It might not apply in any way here, but it can't hurt to mess with it...
__________________
[ Linux & BlackBerry ] http://www.blackberryforums.com/linux-users-corner/
Offline  
Old 10-11-2007, 10:43 AM   #12 (permalink)
New Member
 
Join Date: Oct 2007
Model: 8820
PIN: N/A
Carrier: AT&T Mobility
Posts: 2
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by rivviepop View Post
I thought of one -- have you (y'all) tried going to Options -> Security -> TLS, and changing it from 'Proxy' to 'Handheld'? I forget exactly why I have to do that on mine (I just remember I do) but it solves some connection issue. It might not apply in any way here, but it can't hurt to mess with it...
Good thought -- but not working here. I think it just might be an issue with the supplicant that needs a developer fix. =(
Offline  
Old 10-11-2007, 12:53 PM   #13 (permalink)
Thumbs Must Hurt
 
Join Date: Jul 2007
Model: 8820
PIN: N/A
Carrier: at&t
Posts: 116
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I have exactly the same problem (with similar configuration). It is a client of mine, so I can't really bother their IT with setup/test requests/questions.

The LEAP workaround is not working for me either.

Did anyone get their IT to contact RIMM for suggestions? Obviously the carrier won't care much but a BES admin with WiFi users might get better treatment directly from RIMM.

Thanks!
Ix.
Offline  
Old 10-12-2007, 01:09 PM   #14 (permalink)
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: So. California
Model: 8320
OS: 4.5.0.??
Carrier: T-mobile
Posts: 81
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Still no resolution for me. I even went so far as to add my domain controller's certificate via the certificate sync plugin for BBDM but even with a valid trusted server certificate installed on the BB, I still cannot get this to work.

The LEAP workaround did not work for me.

The problem appears to be at the association level, not authentication.
Offline  
Old 10-20-2007, 08:17 PM   #15 (permalink)
New Member
 
Join Date: Sep 2007
Model: 8320
PIN: N/A
Carrier: T-Mobile
Posts: 3
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

When I connected to the wireless network at work, I needed to add the certificate to my BlackBerry. What certificate? Whatever certificate was sent when I connected using my Apple MacBook Pro laptop.

I'm not sure if it's the same with yours, but when I connected using my laptop, it asked to verify the certificate, and saved it in my keychain. Maybe with Windows and Linux, it saves it automatically and uses it, even if you do nothing to accept it.

Before transferring the certificate manually, it kept failing and I thought my account was disabled.

Are you absolutely sure no certificate is transferred?
Offline  
Old 11-01-2007, 08:52 AM   #16 (permalink)
New Member
 
Join Date: Nov 2007
Model: 8320
PIN: N/A
Carrier: T-Mobile
Posts: 1
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default Same Issue

I'm having the same problem. My company uses WPA with TKIP. They do require a certificate. I've got the certificate in my phone. I've talked to the IT guy for how to set it up. I've entered the proper user name, password and the certificate they gave me. What I get is W010: Wifi Association Failed.

Any ideas? Is there a way to get more error information from the phone?
Offline  
Old 11-01-2007, 05:13 PM   #17 (permalink)
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: So. California
Model: 8320
OS: 4.5.0.??
Carrier: T-mobile
Posts: 81
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by RyanR View Post
I'm having the same problem. My company uses WPA with TKIP. They do require a certificate. I've got the certificate in my phone. I've talked to the IT guy for how to set it up. I've entered the proper user name, password and the certificate they gave me. What I get is W010: Wifi Association Failed.

Any ideas? Is there a way to get more error information from the phone?
I don't know how to get more info than you see on the diagnostic page, but you can ask your IT person to examine the RADIUS server logs for any more hints. In my case RADIUS authentication is failing even though I'm using the same configuration/credentials as used on my laptop.
Offline  
Old 11-05-2007, 11:01 PM   #18 (permalink)
New Member
 
Join Date: Oct 2007
Model: 8320
PIN: N/A
Carrier: t-mobile
Posts: 4
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by RyanR View Post
I'm having the same problem. My company uses WPA with TKIP. They do require a certificate. I've got the certificate in my phone. I've talked to the IT guy for how to set it up. I've entered the proper user name, password and the certificate they gave me. What I get is W010: Wifi Association Failed.
I have the same problem. Has anyone gotten this to work?

Last edited by stawBerry : 11-05-2007 at 11:02 PM.
Offline  
Old 11-06-2007, 10:03 AM   #19 (permalink)
Thumbs Must Hurt
 
Join Date: May 2005
Location: London UK
Model: 9900
OS: 7.1.0.213
Carrier: Vodafone
Posts: 164
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Correct me if I'm wrong, but PEAP uses server-side public key certificates in its authentication process because it sets up an SSL tunnel during the authentication process. So if you are using PEAP, you must have a certificate on there.

When synchronising certificates, you have to manually tick the certificates you want to sync because by default they are switched off.

Perhaps your certificates were pushed by group policy.

You need the trusted root and intermediate certificates.

Last edited by ashleyneiltaylor : 11-06-2007 at 10:04 AM.
Offline  
Old 11-06-2007, 12:22 PM   #20 (permalink)
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: So. California
Model: 8320
OS: 4.5.0.??
Carrier: T-mobile
Posts: 81
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by ashleyneiltaylor View Post
Correct me if I'm wrong, but PEAP uses server-side public key certificates in its authentication process because it sets up an SSL tunnel during the authentication process. So if you are using PEAP, you must have a certificate on there.

When synchronising certificates, you have to manually tick the certificates you want to sync because by default they are switched off.

Perhaps your certificates were pushed by group policy.

You need the trusted root and intermediate certificates.
Even if a certificate is required (notice that on Windows clients you can disable certificate checking?), I already have the server's root certificate installed and trusted on the BB. There is only one authentication server/certification authority/domain controller in my domain/office, and that is it. Would there even be any intermediate certificates?
Offline  
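
Added example, not part of any post in this thread: post #10 mentions that wpa_supplicant lets a client skip server certificate verification, and post #1 asks what "Server subject" and "Server SAN" are. The constructed wpa_supplicant.conf below puts a PEAP/MSCHAPv2 profile without server validation beside one that pins the CA and the server name. The SSID, identity, password, host name and CA path are placeholders, and reading the BlackBerry's two fields as subject and subjectAltName matches is an assumption based on their names.

```conf
# Constructed wpa_supplicant.conf for illustration only. All values are
# placeholders, not taken from the thread. Keep only one block in a real file.

# Profile A: no server validation.
# PEAP still builds its TLS tunnel, but with no ca_cert the supplicant does
# not verify the server certificate, so it cannot tell the office RADIUS
# server from any other server answering for this SSID.
network={
    ssid="office-wlan"
    key_mgmt=WPA-EAP
    proto=WPA
    pairwise=TKIP
    group=TKIP
    eap=PEAP
    identity="username@example.com"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# Profile B: same network, server validated before the password exchange.
network={
    ssid="office-wlan"
    key_mgmt=WPA-EAP
    proto=WPA
    pairwise=TKIP
    group=TKIP
    eap=PEAP
    identity="username@example.com"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"

    # Root CA that issued the RADIUS server certificate (PEM file).
    ca_cert="/etc/ssl/certs/office-root-ca.pem"

    # Substring that must appear in the server certificate's subject DN
    # (assumed counterpart of the handheld's "Server subject" field).
    subject_match="CN=radius.example.com"

    # Entry that must appear in the certificate's subjectAltName
    # (assumed counterpart of the handheld's "Server SAN" field).
    altsubject_match="DNS:radius.example.com"
}
```

With Profile B, a failure caused by a missing root or a name mismatch shows up in the supplicant's TLS step, before the RADIUS server records any user authentication attempt.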
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.