Installation guide
BlackBerry Enterprise Solution
After an authentication server permits the supported Wi-Fi enabled BlackBerry device to access the enterprise
Wi-Fi network, the access point and the BlackBerry device use IEEE 802.1x EAPoL-Key messages to establish the
WEP, TKIP, or AES-CCMP encryption keys, depending on the EAP method that is set on the BlackBerry device.
After the access point and the supported Wi-Fi enabled BlackBerry device establish encryption keys, the
BlackBerry device has encrypted access to the enterprise Wi-Fi network.
If your enterprise Wi-Fi solution uses one of the supported EAP authentication methods, all of which are
designed to provide mutual authentication between supported Wi-Fi enabled BlackBerry devices and the
enterprise Wi-Fi network, the BlackBerry Enterprise Server administrator can grant and revoke access to the
enterprise Wi-Fi network for supported Wi-Fi enabled BlackBerry devices by updating only the central
authentication server. The system administrator does not need to update the configuration of each access point.
Administering enterprise Wi-Fi network solution security using IT policy rules
With the BlackBerry Enterprise Solution, the BlackBerry Enterprise Server administrator can monitor and control
all BlackBerry devices from the BlackBerry Manager using wireless IT commands and IT policy rules. The
enterprise Wi-Fi network solution includes specific IT policy rules for the security of the enterprise Wi-Fi network
solution. The BlackBerry Enterprise Server administrator can turn Wi-Fi access on and off on supported Wi-Fi
enabled BlackBerry devices on BlackBerry Enterprise Server Version 4.1 SP3 or later, and manage WLAN and VPN
settings for individual user accounts on BlackBerry Enterprise Server Version 4.1 SP2 or later.
For more information about using VPN and WLAN IT policy rules and setting configuration profiles to configure
your enterprise Wi-Fi network solution to support Wi-Fi enabled BlackBerry devices, see the BlackBerry
Enterprise Server Wi-Fi Implementation Supplement.
Requiring protected connections to enterprise Wi-Fi networks
Using WEP encryption to protect connections to enterprise Wi-Fi networks
WEP, the oldest, most prevalent form of enterprise Wi-Fi network encryption available, was originally designed to
bring the same level of security to an enterprise Wi-Fi network as is available on a traditional wired LAN. WEP
uses a matching encryption key at both the access point and the wireless client to secure wireless
communication. This key can be 40 bits (for 64-bit WEP) or 104 bits (for 128-bit WEP) in length.
To use WEP, the BlackBerry Enterprise Server administrator must distribute WEP keys to the supported Wi-Fi
enabled devices on your enterprise Wi-Fi network. In the BlackBerry Manager, the BlackBerry Enterprise Server
administrator can define WEP keys for each supported Wi-Fi enabled device using IT policy rules set in an IT
policy. The BlackBerry Enterprise Server sends that IT policy to the supported Wi-Fi enabled device when the
BlackBerry Enterprise Server activates and registers the device, and again whenever the BlackBerry
Enterprise Server administrator updates the IT policy thereafter.
By current industry standards, WEP is not a cryptographically strong security solution. Identified WEP
weaknesses include the following scenarios:
• an attacker could capture transmissions over the wireless network and might thereby be able to deduce
WEP keys in very little time
• an attacker might be able to use an undetected man-in-the-middle attack to alter WEP-encrypted packets
Organizations that use WEP as their preliminary security method to moderately limit access to their enterprise
Wi-Fi network, and that are concerned about security, might also use a VPN, which provides data confidentiality
by authenticating and encrypting access to their core enterprise network.
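The key lengths and the second weakness listed above can be seen in a small model of WEP encapsulation: the RC4 seed is a 24-bit IV followed by the 40-bit or 104-bit key, and the integrity value is an unkeyed CRC-32 encrypted with the same keystream. This Python sketch is an added example and is not taken from the BlackBerry documentation; the key, IV and payload are constructed, and the key-ID byte of a real frame is omitted.

```python
import zlib

def rc4(seed: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given seed."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, no key involved."""
    return zlib.crc32(data).to_bytes(4, "little")

def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    if len(key) not in (5, 13) or len(iv) != 3:
        raise ValueError("WEP uses a 3-byte IV and a 5- or 13-byte key")
    body = data + icv(data)
    return iv + xor(body, rc4(iv + key, len(body)))   # seed = IV || key

def wep_decrypt(key: bytes, frame: bytes):
    """Return (payload, icv_ok) the way a receiver would evaluate the frame."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    return plain[:-4], plain[-4:] == icv(plain[:-4])

def alter_keeping_icv_valid(frame: bytes, delta: bytes) -> bytes:
    """Apply delta to the payload with no knowledge of the key.
    CRC-32 is affine: crc(a ^ d) = crc(a) ^ crc(d) ^ crc(zeros)."""
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return frame[:3] + xor(frame[3:], delta + icv_delta)

KEY = bytes.fromhex("0102030405")   # constructed 40-bit key ("64-bit WEP")
IV = bytes.fromhex("a1b2c3")        # constructed 24-bit IV
frame = wep_encrypt(KEY, IV, b"amount=0100")
delta = xor(b"amount=0100", b"amount=9100")
print(wep_decrypt(KEY, alter_keeping_icv_valid(frame, delta)))
```

The receiver accepts the altered payload because nothing in the ICV depends on a secret; the keyed message integrity codes in TKIP and AES-CCMP exist to close this gap.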
Using IEEE 802.11i to protect connections to enterprise Wi-Fi networks
IEEE 802.11i defines an enhanced security protocol to protect Wi-Fi networks. It uses the IEEE 802.1x standard
for authentication and key management. The IEEE 802.1x standard defines a generic authentication framework
that enterprise Wi-Fi network client devices and wired or wireless networks can use to authenticate with each
other to permit or prevent the enterprise Wi-Fi network client devices from accessing the network. IEEE 802.11i
specifies two Wi-Fi network access control methods: one based on PSKs and one based on IEEE 802.1x, which
uses EAP protocols for authentication.
www.blackberry.com