Specifications
Data flow: Authenticating a device with a work Wi-Fi network using the IEEE 802.1X standard
If you configured a wireless access point to use the IEEE 802.1X standard, the access point permits communication using
EAP authentication only. This data flow assumes that you configured a device to use an EAP authentication method to
communicate with the access point.
1. The device associates itself with the access point that you configured to use the IEEE 802.1X standard. The device
sends its credentials (typically a username and password) to the access point.
2. The access point sends the credentials to the authentication server.
3. The authentication server performs the following actions:
   a. Authenticates the device on behalf of the access point
   b. Instructs the access point to permit access to the work Wi-Fi network
   c. Sends Wi-Fi credentials to the device to permit it to authenticate with the access point
4. The access point and device use EAPoL-Key messages to generate encryption keys (for example, WEP, TKIP, or
AES-CCMP, depending on the EAP authentication method that the device uses).
When the device sends EAPoL messages, the device uses the encryption and integrity requirements that the EAP
authentication method specifies. When the device sends EAPoL-Key messages, the device uses the ARC4 algorithm or
AES algorithm to provide integrity and encryption.
After the access point and device generate the encryption key, the device can access the work Wi-Fi network.
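The frames in this data flow can be told apart from their headers. The following is an added example, not part of the original guide or of any BlackBerry software: a small decoder that labels each EAPoL frame with its EAP method or, for EAPoL-Key frames, with the integrity and encryption algorithms indicated by the Key Descriptor Version. The function name and sample frames are constructed for illustration; the numeric codes are the standard EAPoL, EAP, and IEEE 802.11 key descriptor values.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 6: "EAP-GTC", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MS-CHAPv2"}
# Key Descriptor Version (low 3 bits of Key Information) -> integrity / encryption
KEY_VERSIONS = {1: "HMAC-MD5 MIC, ARC4 key-data encryption",
                2: "HMAC-SHA1-128 MIC, AES key wrap",
                3: "AES-128-CMAC MIC, AES key wrap"}

def parse_eapol(frame: bytes) -> dict:
    """Decode one EAPoL frame body (the bytes after EtherType 0x888E)."""
    if len(frame) < 4:
        raise ValueError("truncated EAPoL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPoL length field exceeds captured bytes")
    info = {"version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0:  # EAP-Packet: code, identifier, length, then the method type
        if length < 4:
            raise ValueError("truncated EAP header")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        info.update(code=EAP_CODES.get(code, f"unknown({code})"), id=ident)
        if code in (1, 2) and 5 <= eap_len <= length:  # only Request/Response carry a type
            info["method"] = EAP_METHODS.get(body[4], f"type {body[4]}")
    elif ptype == 3:  # EAPOL-Key: descriptor type, then 16-bit Key Information
        if length < 3:
            raise ValueError("truncated EAPOL-Key descriptor")
        desc_type, key_info = struct.unpack("!BH", body[:3])
        if desc_type in (2, 254):  # RSN and WPA descriptors
            ver = key_info & 0x0007
            info["key_protection"] = KEY_VERSIONS.get(ver, f"version {ver}")
            info["mic_present"] = bool(key_info & 0x0100)
        else:  # descriptor type 1: legacy RC4 (dynamic WEP) key descriptor
            info["key_protection"] = "legacy RC4 key descriptor"
    return info

# Constructed sample frames (not captured traffic).
SAMPLES = {
    "peap_start": bytes.fromhex("01000006" "010100061920"),
    "identity": bytes.fromhex("01000009" "0200000901") + b"user",
    "success": bytes.fromhex("01000004" "03020004"),
    "rsn_key": bytes.fromhex("0203005f" "02" "008a" "0010") + bytes(90),
    "wpa_key": bytes.fromhex("0103005f" "fe" "0089" "0020") + bytes(90),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, parse_eapol(frame))
```

Run over a capture of the association, the `key_protection` field shows whether a given access point is still negotiating the ARC4-based descriptor rather than the AES one.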
EAP authentication methods that devices support
PEAP authentication
PEAP authentication permits devices to authenticate with an authentication server and access a work Wi-Fi network. PEAP
authentication uses TLS to create an encrypted tunnel between a device and the authentication server. It uses the TLS
tunnel to send the authentication credentials of the device to the authentication server.
Devices support PEAPv0 and PEAPv1 for PEAP authentication. Devices also support EAP-MS-CHAPv2 and EAP-GTC as
second-phase protocols during PEAP authentication so that devices can exchange credentials with the work Wi-Fi network.
To configure PEAP authentication, you must install a root certificate on the device that corresponds to the authentication
server certificate and install client certificates, if required. You can send root certificates to every device and you can use
SCEP to enroll client certificates on devices.
For more information, see the BlackBerry Device Service Advanced Administration Guide.
EAP-TLS authentication
EAP-TLS authentication uses a PKI to permit a device to authenticate with an authentication server and access a work
Wi-Fi network. EAP-TLS authentication uses TLS to create an encrypted tunnel between the device and the authentication
Security Technical Overview How devices connect to the BlackBerry Device Service