[pilotmike]

Has anyone been successful getting Enterprise Wi-Fi setup on a 8320/8820 using PEAP security? We have been working with both Cisco and RIM the past several days but have had no luck so far -- cases are still pending from both vendors.

Here is our environment:

WLAN Hardware:
Cisco Wireless LAN Controllers
Cisco Aironet 1000 Series Lightweight Access Points

Authentication/Security:
802.1X to Microsoft IAS RADIUS server (Windows Server 2003 SP1) authenticating against Active Directory (AD)
Authetication-Type: PEAP
EAP-Type: EAP-MSCHAP v2
Server Certificate: CA Signed certificate from VeriSign Class 3 Secure Server CA

We had to load the VeriSign Class 3 Secure Server CA certificate on the BB devices (8320 & 8820), but we have a valid certificate chain and have confirmed the certificates by their serial numbers.

BlackBerry Wi-Fi Device setup:
Security Type: PEAP
Username: <username>
Password: <password>
CA Certificate: VeriSign Class 3 Secure Server CA
Inner link security: EAP-MS-CHAP v2
Server Subject: wifisecurity.example.com
Server SAN: <blank>

Both the 8820 from AT&T and the 8320 from T-Mobile are failing. We are seeing some interesting stuff on the wireless sniffer, but was interested if anyone else has gotten PEAP to work successfully on these devices.

[getmetty]

What does the error say on the BB? (Options - Wi-Fi Connections-Menu-Wi-Fi Diagnostics, change the display mode to Advanced)

Can you share what the IAS log says when it fails?

Are the user's credentials successful when using the same on a laptop?

[pilotmike]

Below is a sample of what we see in the IAS logs for these BlackBerry 8320 and 8820 users. This particular user works fine on a laptop or on a Windows Mobile 6 device (ie: T-Mobile Dash).

User <USER> was denied access.
Fully-Qualified-User-Name = example.com/Users-Developer/<USER>
NAS-IP-Address = 10.123.30.11
NAS-Identifier = WLC-1
Called-Station-Identifier = 00-0B-85-XX-XX-XX:wlan
Calling-Station-Identifier = 00-1C-CC-1C-XX-XX
Client-Friendly-Name = WLC-1
Client-IP-Address = 10.123.30.11
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless Authentication - Allow
Authentication-Type = PEAP
EAP-Type = <undetermined>
Reason-Code = 23
Reason = Unexpected error. Possible error in server or client configuration.

The above info tells me the encrypted password portion of the authentication is not occurring because IAS can not determine the EAP type.

We next turned to a wireless sniffer to compare a Windows XP host with a BlackBerry 8320/8820. The only difference in the authentication process is that the BlackBerry device(s) respond with a SSL/TLS encryption error after the certificate is sent from the RADIUS server. Basically the PEAP process starts, the username get passed, and the IAS (RADIUS) server sends the certificate information for the SSL/TLS encryption. Once the last certificate packet is acked, the BlackBerry responds with SSL/TLS encryption failure and is then DeAuthed from the Access Point.

In the advanced Wi-Fi diagnostic tool on both BlackBerry devices it indicates a W010 Error: Wifi Association Failed.

I am down to two theories as to root cause at this time:

1. BlackBerry 802.1X supplicant problem
2. PEAP Misconfiguraiton on the BlackBerry devices

Another thing we tried was modifying the 'Server Subject' field format on the BlackBerry devices putting the fully qualified subject name of our server certificate (ie: CN=wifisecurity.example.com,OU=IT,O=Company, etc) but no change -- same errors. RIM support has indicated this field only needs to be populated with the hostname on the certificate (ie: wifisecurity.example.com or also known as the certificate "friendly name"). It was worth a shot...

Cisco TAC has also come back after analyzing our logs and sniffer traces and believes, at this time, the issue is with the BlackBerry device(s).

We really wish we could share our findings with some RIM engineers or developers. Someone somewhere knows what is going on or how to collect more detailed debugging information from the BlackBerry 802.1X supplicant.

[pilotmike]

We worked with RIM for several hours yesterday and had a really good customer support rep. RIM has started to ask us good questions, unfortunately, no breakthrough type stuff yet.

Our plan for today is to work with an escalation manager contact at RIM and see if we can get some development or engineering resources (normal customer support reps to not have access to these resources) to at least look at our wireless packet capture. We know that the PEAP process is breaking when the BlackBerry sends back a TLS decrypt error after the certificate is sent from the IAS (RADIUS) Server.

Looks like others in an 802.1X PEAP MS-CHAP v2 WiFi environment are starting to post of problems in other forums too. I knew we could not be the only ones having this issue...

Wi fi conncetion problem with 8820 - RIM BlackBerry Wireless Forums

[wesly]

Hmm. I was able to get both an 8820 and 8320 working on our wifi network at the office. We also use PEAP and radius security. I also had to add a certificate to both bb's b/c the default ones don't match what we are running. That is the only extra thing I had to add. In your setting you indicate a server subject. I don't have anything entered for mine so have you tried eliminating that? Sorry wish I could offer more.

Quote:

Originally Posted by pilotmike

Has anyone been successful getting Enterprise Wi-Fi setup on a 8320/8820 using PEAP security? We have been working with both Cisco and RIM the past several days but have had no luck so far -- cases are still pending from both vendors.

Here is our environment:

WLAN Hardware:
Cisco Wireless LAN Controllers
Cisco Aironet 1000 Series Lightweight Access Points

Authentication/Security:
802.1X to Microsoft IAS RADIUS server (Windows Server 2003 SP1) authenticating against Active Directory (AD)
Authetication-Type: PEAP
EAP-Type: EAP-MSCHAP v2
Server Certificate: CA Signed certificate from VeriSign Class 3 Secure Server CA

We had to load the VeriSign Class 3 Secure Server CA certificate on the BB devices (8320 & 8820), but we have a valid certificate chain and have confirmed the certificates by their serial numbers.

BlackBerry Wi-Fi Device setup:
Security Type: PEAP
Username: <username>
Password: <password>
CA Certificate: VeriSign Class 3 Secure Server CA
Inner link security: EAP-MS-CHAP v2
Server Subject: wifisecurity.example.com
Server SAN: <blank>

Both the 8820 from AT&T and the 8320 from T-Mobile are failing. We are seeing some interesting stuff on the wireless sniffer, but was interested if anyone else has gotten PEAP to work successfully on these devices.

[ixtab]

Wesly, in my case there is no server certificate (none is required by Windows when I connect via my notebook), it seems that the BB does not allow this scenario (PEAP without a certificate) :(

[pilotmike]

We did try blanking the server subject out and we also tried to load the server cert in addition to the intermediate CA cert on the BB, but with no luck.

Still nothing back from the RIM escalation team, but hope to hear something tomorrow...

[pilotmike]

Quote:

Originally Posted by ixtab

Wesly, in my case there is no server certificate (none is required by Windows when I connect via my notebook), it seems that the BB does not allow this scenario (PEAP without a certificate) :(

I was my understanding that PEAP without a certificate was LEAP? Am I wrong about that?

In our environment PEAP uses a server certificate for the password encryption (SSL/TLS) between client and RAIDUS server.

Wi-Fi security is so much "fun"...

[stawBerry]

Im also having problems with this. First of all how do i even get the certification on to the blackberry.
hopefully this gets solved

thanks for your effort

[snapp]

Quote:

Originally Posted by stawBerry

Im also having problems with this. First of all how do i even get the certification on to the blackberry.
hopefully this gets solved

thanks for your effort

I got my 8820 working today. I had to install the certificate on the BB. Once it was there, PEAP worked like a charm.
1. Install desktop manager
2. Make sure you install certificate sync
3. launch BBDM
4. Launch cert sync
5. Choose what cert you need
6. sync them.
7. run through WI-FI setup again and you should be connected!!

[stawBerry]

Thank you i had not installed the cert syn. Now i am just getting w010 failures

[pilotmike]

Sorry for not keeping this thread current but not much progress over the past month. Our case with RIM has been sent on to the senior developers now who are working with some WLAN specific developers. I suspect we have bug in the BB OS because if this were a simple misconfiguration issue we'd not have this case to this level at RIM.

I'll keep everyone posted.

[BlackRabbit]

Hi,

just to let you konw you are not alone with this issue

I am in the same configuration : Cisco - LWAP - IAS Radius - AD
WPA2 - EAP-TLS - PEAP - MS Chap v2
My certificate is a Thawte SGC CA
After uploaded it on my terminal, got the same logs on my radius :
EAP-Type = <undetermined>
Reason-Code = 23
Reason = Unexpected error. Possible error in server or client configuration.

Wait news from RIM...

[ashleyneiltaylor]

I had a problem setting up my 8120 today.

We are using PEAP and found that you do indeed require the Intermediate Certificate on your Blackberry and it is this certificate you select for CA Certificate in the options.

Selecting the CARoot certificate did not work.

[BlackRabbit]

Quote:

Originally Posted by ashleyneiltaylor

We are using PEAP and found that you do indeed require the Intermediate Certificate on your Blackberry and it is this certificate you select for CA Certificate in the options.
Selecting the CARoot certificate did not work.

We used the intermediate certificate too, but it doesn't help.

Oh, we use 8820 4.2.2.124 (2.4.0.58)

[ashleyneiltaylor]

We are using Nortel Access Points with IAS. Without the correct certificate, it wouldn't even associate with an AP and you didn't get any logs on the IAS.

Because we don't broadcast our SSID, I have configured it the WLAN configuration on the BES.

Config is as follows

WLAN Link Security EAP-PEAP
WLAN SSID ****WLANNet
WLAN User Name bbwlanuser@*****
WLAN User Password ********
WLAN DHCP Configuration True
WLAN Inner Authentication Mode EAP-MSCHAPV2

The * is to blank at corporate names. All we then had to do was sync the certificates (Intermediate and Root because we use our own Certificate Authority)

Then set the profile to use the intermediate and that's all. If this doesn't work for you, I'd check the APs and Radius settings.

[pilotmike]

We got an update from BlackBerry support on this issue this morning. Their senior development team discovered that the issue is with the signature algorithm that is used on the VeriSign root certificate.

The VeriSign root certificate (VeriSign Class 3 Public Primary CA – in our environment) uses MD2 with RSA encryption for the signature algorithm and MD2 is not supported in any BlackBerry OS at this time.

I think it would be safe to say that if any CA in your cert chain uses md2RSA as a signature algorithm, your authentication would be broken in the BlackBerry OS. (See attachment for sample certificate screenshot)

RIM has logged "bug" in their development tracking system, but so far has not committed a specific BB OS version for the fix.

We'll keep on top of this and keep you all posted.

[Mikef1]

Quote:

Originally Posted by pilotmike

The VeriSign root certificate (VeriSign Class 3 Public Primary CA – in our environment) uses MD2 with RSA encryption for the signature algorithm and MD2 is not supported in any BlackBerry OS at this time.

I think it would be safe to say that if any CA in your cert chain uses md2RSA as a signature algorithm, your authentication would be broken in the BlackBerry OS.

That explains my issue.
Keep us updated!


thanks
Mike

[BlackRabbit]

thanks, same configuration here. Our Thawte certificate is trusted by the same Verisign C3 md2RSA cert...

[Mikef1]

Any word on a resolution to this?


Mike