BlackBerry Forums Support Community
              

Closed Thread
Old 01-28-2008, 11:12 PM   #1
madhatter2
New Member
 
Join Date: Jan 2008
Model: 8320
PIN: N/A
Carrier: T-Mobile
Posts: 3
*WPA2-Enterprise* Too much for my BB 8320? T-Mobile agent says yes!

My school has a network with the following requirements a device has to satisfy:

• Security Type: WPA-Enterprise
• Encryption Type: TKIP
• Authentication Method: PEAP
o EAP-MSCHAPv2

Sadly, I have no clue what this all is about. However, trying to connect with my BB, other than my username and password, the BB asks me for a:

-CA certificate
-Inner link security (this should be EAP-MSCHAPv2)
-Token
-Server Subject
-Server SAN

Since I only know my username and password, I have failed to connect. Somehow, my gut feeling is that all this should be pretty standard, I can't imagine my school has some extraordinary encryption skills, I don't work for NASA after all.

However, a T-Mobile agent just told me on the phone that "BB 8320 doesn't support connectivity with WPA-Enterprise networks, but only for small home networks" Is this true?

I really don't know what to do at this point. I did a search and saw another thread with a similar problem, but being a total newbie I can't figure out what is the right thing to do. Unfortunately, people in my school's IT dept are clueless too, hidden behind the claim that they don't provide individual support for all handheld devices...

Any help, please?
Offline  
Old 01-28-2008, 11:50 PM   #2
John Clark
BBF Moderator
 
Join Date: Jun 2005
Model: Z30
OS: 10.2.1.x
PIN: s & needles
Carrier: AT&T
Posts: 34,720

For that type of security there is usually a certificate on your computer that you need to sync via Desktop Manager. When you install Desktop Manager you will need to install it with Certificate Sync support and you'll need to know which certificate on your computer is the one from your school's network.

Once sync'd then you can choose that certificate when setting up the wifi network. On my work network I leave token, server subject and server SAN blank.
Offline  
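
As an added illustration (not part of any post in this thread), this is how the settings named in post #1 map onto a wpa_supplicant network block, with a profile that leaves server validation unset next to one that pins the CA and server name. The SSID, identity, password, CA path and server name are constructed placeholders; wpa_supplicant is used only because its option names are explicit, and the BlackBerry field each option corresponds to is given in the comments.

```conf
# Constructed example: all values are placeholders, not taken from the thread.
# Network requirements from post #1: WPA-Enterprise, TKIP, PEAP + EAP-MSCHAPv2.

# Profile A: CA certificate, server subject and server SAN all left unset.
# The client performs no check on the authentication server's certificate,
# so the MSCHAPv2 exchange goes to whichever server answers for this SSID.
network={
    ssid="ExampleSchool"
    key_mgmt=WPA-EAP
    proto=WPA
    pairwise=TKIP
    eap=PEAP
    # BlackBerry field "Inner link security"
    phase2="auth=MSCHAPV2"
    identity="student01"
    password="REPLACE_ME"
    priority=0
}

# Profile B: same network, server certificate validated before the
# inner MSCHAPv2 exchange starts.
network={
    ssid="ExampleSchool"
    key_mgmt=WPA-EAP
    proto=WPA
    pairwise=TKIP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="student01"
    password="REPLACE_ME"
    # BlackBerry field "CA certificate": the CA that signed the RADIUS
    # server's certificate (placeholder path).
    ca_cert="/etc/ssl/certs/example-school-ca.pem"
    # BlackBerry field "Server Subject": substring the certificate's
    # subject DN must contain.
    subject_match="CN=radius.example.edu"
    # BlackBerry field "Server SAN": subjectAltName entry that must be present.
    altsubject_match="DNS:radius.example.edu"
    priority=10
}
```

The "Token" field from post #1 has no counterpart in this sketch. Only the IT department can supply the real CA certificate and server name for Profile B.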
Old 01-29-2008, 12:13 AM   #3
madhatter2
New Member
 
Join Date: Jan 2008
Model: 8320
PIN: N/A
Carrier: T-Mobile
Posts: 3

Thanks John! Problem is that I have more basic issues, being a Macintosh user. I can't even get to install the "BlackBerry user tools" on my Mac desktop...


PS So, is what the T-Mobile agent told me incorrect?? If yes, how can they give out such information to people?

Last edited by madhatter2; 01-29-2008 at 12:14 AM..
Offline  
Old 01-29-2008, 01:17 AM   #4
John Clark
BBF Moderator
 
Join Date: Jun 2005
Model: Z30
OS: 10.2.1.x
PIN: s & needles
Carrier: AT&T
Posts: 34,720

I don't know if PocketMac (sync software for Mac) will sync certificates. I don't think it will. The 8320 does support WPA for enterprise networks. I use the same method at my work that you are trying to use, and it works fine for me.
Offline  
Old 01-29-2008, 10:11 AM   #5
squeakr
Knows Where the Search Button Is
 
Join Date: Jun 2007
Model: 8320
PIN: N/A
Carrier: AT&T & T-Mobile
Posts: 26

My school has the same sort of set up. Try manually configuring the network on your BB by going into wifi setup and selecting manual configure network. Then input the ssid and then select either LEAP or PEAP as the security level in the drop down box. Then continue onto the next screens and input your user id and password and try the connection. I have the same sort of cryptic setup at my school and went through this with the IT guys and they told me to use either PEAP or LEAP. They tried first with PEAP and it didn't work, but then retried with LEAP and it went through and connected quickly. The IT guys hadn't had many requests like this before (so yours might not be too helpful, but I know one of the guys who had done it and he helped me). Just try what I have suggested and see if it works, it did for me and required no certificate loading through a PC, this enabled the certificate to be grabbed OTA as I specifically asked if I should get a certificate and download through the computer to the BB to which he stated the BB had the appropriate credentials to be able to grab the certificate OTA and the computer load wouldn't be necessary (we use the same sort of secondary tunneling at my school as well).

Hope this works for you as it has taken me a few months to find the answers and it finally worked for me. Good luck.

Last edited by squeakr; 01-29-2008 at 03:48 PM..
Offline  
Old 01-29-2008, 10:22 AM   #6
John Clark
BBF Moderator
 
Join Date: Jun 2005
Model: Z30
OS: 10.2.1.x
PIN: s & needles
Carrier: AT&T
Posts: 34,720

If a certificate is not required from your PC then the above should work for you. Good advice from squeakr!
Offline  
Old 01-29-2008, 05:10 PM   #7
madhatter2
New Member
 
Join Date: Jan 2008
Model: 8320
PIN: N/A
Carrier: T-Mobile
Posts: 3

Quote:
Originally Posted by squeakr View Post
My school has the same sort of set up. Try manually configuring the network on your BB by going into wifi setup and selecting manual configure network. Then input the ssid and then select either LEAP or PEAP as the security level in the drop down box. Then continue onto the next screens and input your user id and password and try the connection. I have the same sort of cryptic setup at my school and went through this with the IT guys and they told me to use either PEAP or LEAP. They tried first with PEAP and it didn't work, but then retried with LEAP and it went through and connected quickly. The IT guys hadn't had many requests like this before (so yours might not be too helpful, but I know one of the guys who had done it and he helped me). Just try what I have suggested and see if it works, it did for me and required no certificate loading through a PC, this enabled the certificate to be grabbed OTA as I specifically asked if I should get a certificate and download through the computer to the BB to which he stated the BB had the appropriate credentials to be able to grab the certificate OTA and the computer load wouldn't be necessary (we use the same sort of secondary tunneling at my school as well).

Hope this works for you as it has taken me a few months to find the answers and it finally worked for me. Good luck.

Thanks squeakr, I appreciate. Unfortunately, it didn't work for me. Neither with LEAP nor with PEAP.

The IT guys at my school claim that if in the dropdown list (PEAP, LEAP,...) there was an option like "No authentication" I should go for that and could bypass the certificate issue. His argument was that they don't require any kind of certificate when a Win XP PC is about to connect to their network (they drop the certificate requirement). Please, don't quote me on that, I have heard many crazy things during those last days, so with my little knowledge I can't understand how one can have a WPA-Enterprise network and at the same time drop certificates...
Offline  
Old 01-30-2008, 08:54 PM   #8
squeakr
Knows Where the Search Button Is
 
Join Date: Jun 2007
Model: 8320
PIN: N/A
Carrier: AT&T & T-Mobile
Posts: 26

I was playing with setups today trying to crack the work account and once an account already exists (meaning anything set up on the device and saved, not necessarily the correct account and settings, as long as you have a correct user name, password, and valid SSID for the access point that you are trying to connect to) you can go back into wifi options, highlight the network, hit the menu key and select the edit option to edit the choices. I selected the PEAP option and then it went to another screen and it gave me the option to select the "no option" for the certificate for both the primary (as well as an automatic option which you could try) and secondary token and that I believe is what your IT guy was talking about. I believe what he was saying is that on some networks the computer initially connects without security and then once the user is verified as a valid user, it issues the secondary token and grabs this as the certification that your network uses to gain authorization (this allows them to have both an open public option) and a secure access point using the same access point by just changing your access option. I know that is the basic way that my school system is setup for authorization. Sorry I couldn't be of that much help but this may be an option to try and pursue. Once again, good luck.
Offline  
Old 02-01-2008, 08:40 AM   #9
ashleyneiltaylor
Thumbs Must Hurt
 
Join Date: May 2005
Location: London UK
Model: 9900
OS: 7.1.0.213
Carrier: Vodafone
Posts: 164

If it doesn't use a certificate it is LEAP. If it is PEAP, it will require a certificate.
Offline  
Old 02-02-2008, 03:42 PM   #10
Wiggz
New Member
 
Join Date: Jan 2008
Model: 8820
PIN: N/A
Carrier: Orange
Posts: 3

Hi Guys

I have an 8820 and have the same setup within my organisation. We use Active Directory to issue Certificates (both workstation, and user). These certificates authenticate with a RADIUS server. I've only recently gotten involved in this level of network, so I'm a bit shaky on it.

I've tried PEAP, but as I only have the User certificate (as my BB cannot request a workstation certificate) it isn't working. I get a PEAP connection error (something like, PEAP is not a supported protocol on this network), which I believe is actually just shrouding the fact that I don't have a workstation authentication.

Anyone got any ideas what I can do about this?

Thanks
Offline  
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.