Installation guide
BlackBerry Enterprise Solution 52
the authentication server certificate. For the supported Wi-Fi enabled BlackBerry devices to trust the
authentication server certificates, the following conditions must exist:
• a certificate authority server that the supported Wi-Fi enabled BlackBerry devices and the authentication
server mutually trust must generate the certificate for the authentication server and the certificate for each
supported Wi-Fi enabled BlackBerry device
• the root certificate(s) in the certificate chain to which the certificate of the authentication server belongs
must exist on supported Wi-Fi enabled BlackBerry devices that use PEAP, EAP-TLS, or EAP-TTLS
Each BlackBerry device stores a list of explicitly trusted root certificates that certificate authorities have issued.
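The check that the conditions above exist to make possible is the one a PEAP, EAP-TLS or EAP-TTLS supplicant must run on the authentication server certificate before it sends any credential into the TLS tunnel: the certificate must chain to a root in the device's explicit trust list, be valid, be a TLS server certificate, and name the authentication server the device expects. The following is an added example and not BlackBerry code; it uses the Python `cryptography` package, and the CA names, the host name `radius.example.com` and the evil-twin scenario are constructed for the demonstration.

```python
# Added example, not BlackBerry code: the trust check an EAP supplicant must
# apply to the authentication server certificate. All names are constructed.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _make_cert(subject_cn, key, issuer_cert=None, issuer_key=None, is_ca=False):
    """Issue a certificate; with no issuer it is self-signed (a root CA)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if not is_ca:
        # An EAP authentication server presents a TLS *server* certificate.
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    return builder.sign(issuer_key if issuer_key is not None else key, hashes.SHA256())


def _validity(cert):
    """Validity bounds as naive UTC, across cryptography versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:
        return cert.not_valid_before, cert.not_valid_after
    return nb.replace(tzinfo=None), cert.not_valid_after_utc.replace(tzinfo=None)


def server_cert_is_trusted(server_cert, trusted_roots, expected_cn):
    """True only if server_cert is within its validity period, names the expected
    authentication server, is a TLS server certificate and carries a signature
    that verifies under a root in the device's explicit trust list. On any
    failure the supplicant must abort before sending credentials: the peer may
    be a rogue access point."""
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    not_before, not_after = _validity(server_cert)
    if not (not_before <= now <= not_after):
        return False
    cn = server_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if not cn or cn[0].value != expected_cn:
        return False
    try:
        eku = server_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    if ExtendedKeyUsageOID.SERVER_AUTH not in eku:
        return False
    for root in trusted_roots:
        if server_cert.issuer != root.subject:
            continue
        try:
            # Issuer name matching is not trust: the root's key must verify the signature.
            root.public_key().verify(
                server_cert.signature,
                server_cert.tbs_certificate_bytes,
                padding.PKCS1v15(),
                server_cert.signature_hash_algorithm,
            )
            return True
        except InvalidSignature:
            continue
    return False


# Constructed scenario: the enterprise CA issues the RADIUS server certificate;
# a rogue CA with the *same name* issues a look-alike for an evil-twin access point.
ENTERPRISE_ROOT_KEY = _new_key()
ENTERPRISE_ROOT = _make_cert("Example Corp Root CA", ENTERPRISE_ROOT_KEY, is_ca=True)
RADIUS_CERT = _make_cert("radius.example.com", _new_key(), ENTERPRISE_ROOT, ENTERPRISE_ROOT_KEY)

ROGUE_ROOT_KEY = _new_key()
ROGUE_ROOT = _make_cert("Example Corp Root CA", ROGUE_ROOT_KEY, is_ca=True)
EVIL_TWIN_CERT = _make_cert("radius.example.com", _new_key(), ROGUE_ROOT, ROGUE_ROOT_KEY)

if __name__ == "__main__":
    print("genuine server:", server_cert_is_trusted(RADIUS_CERT, [ENTERPRISE_ROOT], "radius.example.com"))
    print("evil twin:     ", server_cert_is_trusted(EVIL_TWIN_CERT, [ENTERPRISE_ROOT], "radius.example.com"))
```

The rogue root carries the same subject name as the enterprise root, so an issuer-name comparison alone would pass; only the signature check against the root actually installed on the device rejects it. The same applies in reverse: if a rogue root ever lands in the device's trust list, the evil twin is accepted, which is why the list of explicitly trusted root certificates on each device must be managed as carefully as the CA itself.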
Caching connection information when using IEEE 802.1X authentication
When using IEEE 802.11i with IEEE 802.1X authentication, the supported Wi-Fi enabled BlackBerry device and the
access point can cache a PMK, which is derived from the keying material that the EAP exchange generates. With
PMK caching, a BlackBerry device that reconnects to an access point holding a cached PMK for it skips the IEEE
802.1X authentication and derives fresh session keys directly from the cached PMK. Use this feature to reduce
the roaming latency between access points in an enterprise Wi-Fi network environment for the supported Wi-Fi
enabled BlackBerry device. A cached PMK is bound to the access point that established it, so roaming to an
access point that holds no PMK for the device still requires a full IEEE 802.1X authentication.
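How the two sides find a cached PMK again on reassociation is not spelled out above, so the following added example (not BlackBerry code) walks through it. The PMKID formula is the one IEEE 802.11i defines, HMAC-SHA1-128 over "PMK Name", the access point address and the station address; the PMK, MAC addresses, lifetime and timestamps are constructed, and the 4-way handshake that follows a cache hit is only named, not implemented.

```python
# Added example, not BlackBerry code: PMK caching on the access point side and
# the PMKID a station offers on reassociation. Values below are constructed.
import hashlib
import hmac


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) per IEEE 802.11i.
    The name is bound to one access point (AA) and one station (SPA)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


class PmkCache:
    """Per-access-point PMK cache; the station keeps a mirror keyed by AP address."""

    def __init__(self, ap_mac: bytes, lifetime_s: int = 8 * 3600):
        self.ap_mac = ap_mac
        self.lifetime_s = lifetime_s
        self._entries = {}  # pmkid -> (sta_mac, pmk, expires_at)

    def store(self, sta_mac: bytes, pmk: bytes, now: float) -> bytes:
        """Called after a successful EAP exchange; returns the PMKID."""
        pid = pmkid(pmk, self.ap_mac, sta_mac)
        self._entries[pid] = (sta_mac, pmk, now + self.lifetime_s)
        return pid

    def lookup(self, sta_mac: bytes, offered: list, now: float):
        """Match the PMKID list from the station's (re)association request.
        Returns the PMK on a hit, or None when full 802.1X must run."""
        for pid in offered:
            entry = self._entries.get(pid)
            if entry is None:
                continue
            cached_sta, pmk, expires_at = entry
            if now >= expires_at:
                del self._entries[pid]  # stale keying material is never reused
                continue
            if cached_sta == sta_mac:
                return pmk
        return None


def reassociate(ap: PmkCache, sta_mac: bytes, sta_cache: dict, now: float) -> str:
    """Station side: offer every PMKID it holds for this AP; report the outcome."""
    offered = [pmkid(pmk, ap.ap_mac, sta_mac) for pmk in sta_cache.get(ap.ap_mac, [])]
    return "4-way handshake" if ap.lookup(sta_mac, offered, now) else "full EAP"


# Constructed values for the walk-through.
STA = bytes.fromhex("001122334455")
AP1 = bytes.fromhex("0a0b0c0d0e01")
AP2 = bytes.fromhex("0a0b0c0d0e02")
PMK = hashlib.sha256(b"constructed MSK from the EAP exchange").digest()  # 32 bytes


def walk_through() -> dict:
    ap1, ap2 = PmkCache(AP1), PmkCache(AP2)
    t0 = 1_000.0
    ap1.store(STA, PMK, t0)         # first association: EAP ran against AP1
    sta_cache = {AP1: [PMK]}        # the station remembers the PMK for AP1 only
    return {
        "back_to_ap1": reassociate(ap1, STA, sta_cache, t0 + 60),
        "roam_to_ap2": reassociate(ap2, STA, sta_cache, t0 + 60),
        "ap1_after_expiry": reassociate(ap1, STA, sta_cache, t0 + 9 * 3600),
    }


if __name__ == "__main__":
    for step, outcome in walk_through().items():
        print(f"{step:17s} -> {outcome}")
```

Two points the walk-through makes explicit: the PMKID changes with the access point address, so a PMK cached at one access point is useless at another, and an expired entry is dropped rather than reused, which bounds how long a compromised PMK can keep skipping authentication.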
Using VPNs to protect connections to enterprise Wi-Fi networks
Your organization might use VPNs, including IPSec VPNs, to provide remote BlackBerry device users with secure
access to an enterprise network. A VPN provides a strongly encrypted tunnel between the client device and the
core enterprise network. A VPN differs from the other supported enterprise Wi-Fi network security methods in
that the access point is not involved in data encryption.
An enterprise Wi-Fi VPN solution consists of the following components:
• a VPN client on the supported Wi-Fi enabled BlackBerry device which the BlackBerry device uses to gain
access to the network
• a VPN concentrator, which is located on the edge of your organization’s enterprise network and acts as the
gateway to that network
When your organization uses a VPN to protect access to the enterprise Wi-Fi network, the enterprise Wi-Fi
network configuration still uses a Wi-Fi authentication or encryption method to control who can associate with
the enterprise Wi-Fi network itself, and uses the VPN to provide the actual secure access to the enterprise
network. In this scenario, the enterprise Wi-Fi network is treated as an untrusted network: the VPN concentrator
is the only enterprise device reachable from it, and all traffic into the enterprise network passes through the
VPN tunnel.
The VPN client on a supported Wi-Fi enabled BlackBerry device is designed to
• authenticate itself to the VPN concentrator using strong cryptography
• create an encrypted tunnel between the supported Wi-Fi enabled BlackBerry device and the VPN
concentrator through which the supported Wi-Fi enabled BlackBerry device and the enterprise network route all
communication between them
Using enterprise captive portals to protect connections to enterprise Wi-Fi networks or Wi-Fi hotspots
A captive portal is a web-based authentication mechanism that permits access to an enterprise Wi-Fi network or
Wi-Fi hotspot. After a supported Wi-Fi enabled BlackBerry device associates with the network, it is placed in an
IP-filtered segment of the enterprise Wi-Fi network or hotspot that restricts it to the portal until it
authenticates. When the user sends a browser request for a website from the BlackBerry device, the network
redirects the request to an HTML login page, which allows the enterprise Wi-Fi network or hotspot to authenticate
the user before permitting the BlackBerry device access to the website and the rest of the network.
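The gateway logic behind that flow, as an added example that is not BlackBerry code: unauthenticated clients may reach only the portal host, their first browser request is redirected to the login page, and a successful login authorizes the client's IP address for a bounded session. The portal host name `wlan-login.example.com`, the user table, the password hashing and the session lifetime are constructed for the demonstration.

```python
# Added example, not BlackBerry code: the IP-filter and login decisions of a
# captive-portal gateway. Host names, users and lifetimes are constructed.
import hashlib
import hmac
from urllib.parse import quote

LOGIN_HOST = "wlan-login.example.com"  # assumed portal host


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CaptivePortalGateway:
    def __init__(self, users: dict, session_ttl_s: int = 3600):
        self._users = users        # username -> (salt, pbkdf2 hash)
        self._ttl = session_ttl_s
        self._authorized = {}      # client IP -> session expiry

    def filter_request(self, client_ip, method, host, path, now):
        """IP-filter decision for one HTTP request from the walled segment."""
        if host == LOGIN_HOST:
            return ("allow", None)                  # the portal itself is always reachable
        if self._authorized.get(client_ip, 0.0) > now:
            return ("allow", None)                  # authenticated session still valid
        if method == "GET":
            original = quote(f"http://{host}{path}", safe="")
            return ("redirect", f"https://{LOGIN_HOST}/login?url={original}")
        return ("drop", None)                       # nothing else leaves the segment

    def login(self, client_ip, username, password, now) -> bool:
        rec = self._users.get(username)
        if rec is None:
            _hash_password(password, b"\0" * 16)    # same cost for unknown users
            return False
        salt, expected = rec
        if not hmac.compare_digest(_hash_password(password, salt), expected):
            return False
        self._authorized[client_ip] = now + self._ttl   # authorization is bound to the IP
        return True

    def logout(self, client_ip):
        self._authorized.pop(client_ip, None)


# Constructed user table.
_SALT = bytes(range(16))
USERS = {"alice": (_SALT, _hash_password("correct horse battery", _SALT))}


def walk_through() -> dict:
    gw = CaptivePortalGateway(USERS, session_ttl_s=600)
    ip, t0 = "10.20.30.40", 5_000.0
    return {
        "before_login": gw.filter_request(ip, "GET", "www.example.org", "/news", t0),
        "portal_reachable": gw.filter_request(ip, "GET", LOGIN_HOST, "/login", t0),
        "post_before_login": gw.filter_request(ip, "POST", "www.example.org", "/api", t0),
        "bad_password": gw.login(ip, "alice", "wrong", t0),
        "login": gw.login(ip, "alice", "correct horse battery", t0),
        "after_login": gw.filter_request(ip, "GET", "www.example.org", "/news", t0 + 1),
        "after_expiry": gw.filter_request(ip, "GET", "www.example.org", "/news", t0 + 601),
    }


if __name__ == "__main__":
    for step, outcome in walk_through().items():
        print(f"{step:18s} -> {outcome}")
```

Two caveats follow directly from the code. Authorization is keyed on the client's IP address, not on per-session keying material as with IEEE 802.1X, so it is only as strong as the network's control over who can use that address, and the login page must validate the `url` parameter before redirecting back to it or it becomes an open redirect. A captive portal also encrypts nothing on the air link, which is why, on a hotspot, the VPN described in the previous section still carries the enterprise traffic.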
If your organization has an enterprise captive portal, the BlackBerry Enterprise Server administrator can permit
users to access the captive portal using the WLAN Login application on the BlackBerry device. BlackBerry device
www.blackberry.com