User guide

Wi-Fi network or Wi-Fi hotspot. After the BlackBerry device connects to the enterprise Wi-Fi network or Wi-Fi hotspot, the
user can browse to an HTML login page for a web site that permits the enterprise Wi-Fi network or Wi-Fi hotspot to
authenticate with the BlackBerry device before the BlackBerry device can access the web site.
If your organization uses a captive portal, you can permit a user to access the captive portal using the WLAN Login browser
on the BlackBerry device. The user must authenticate with the WLAN Login browser using the login information that you
provide.
When the BlackBerry device authenticates with the captive portal, the user can use the BlackBerry Browser on the
BlackBerry device to access other web sites and data services that are available on the enterprise Wi-Fi network or Wi-Fi
hotspot.

Protecting a connection between a Wi-Fi enabled device and an enterprise Wi-Fi network using RSA SecurID

You can use software tokens to provide layer 2 authentication or layer 3 authentication on a Wi-Fi enabled BlackBerry
device. When you configure a software token for a user, the device is designed to use the passcode to authenticate the user
to the Wi-Fi network using PEAP authentication, EAP-GTC authentication, EAP-FAST authentication, EAP-TTLS
authentication, or a VPN.
The RSA SecurID Library on the device permits the device to periodically generate token codes for a software token. The
device imports a seed, which consists of random data, and uses the seed to initialize the software token algorithm. The
software token algorithm generates token codes on the device.
An RSA administrator can use RSA Authentication Manager 6.1 or later to configure an optional password to encrypt the
seed. The RSA SecurID Library on the device can decrypt the seed using the optional password. The RSA SecurID Library
uses code signing to help prevent third-party applications from changing or reading the information that the
RSA SecurID Library stores on the device.
When the user opens a Wi-Fi connection or VPN connection that requires two-factor authentication on the device, the
device prompts the user to type the software token PIN. The RSA SecurID Library adds the software token PIN to the
beginning of the current token code to create a passcode that the device uses in the two-factor authentication process.
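
The passcode flow described above, as an added example that is not part of the original guide and is not RSA or BlackBerry code. The RSA software token algorithm is not described on this page, so RFC 6238 TOTP stands in for it; the 30-second interval, 8-digit code length, seed, PIN and function names are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumed interval; the guide only says "periodically"
DIGITS = 8         # assumed token code length


def token_code(seed: bytes, now: int) -> str:
    """Stand-in token code: RFC 6238 TOTP with HMAC-SHA-1, not the RSA algorithm."""
    counter = struct.pack(">Q", now // STEP_SECONDS)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def make_passcode(pin: str, seed: bytes, now: int) -> str:
    """Device side: the PIN is added to the beginning of the current token code."""
    return pin + token_code(seed, now)


def verify_passcode(passcode: str, pin: str, seed: bytes, now: int,
                    drift_steps: int = 1) -> bool:
    """Server side: split the passcode, then check both factors.

    Accepts codes from +/- drift_steps intervals to tolerate clock drift.
    Comparisons use hmac.compare_digest so timing does not reveal how many
    leading characters matched.
    """
    if len(passcode) != len(pin) + DIGITS:
        return False
    given_pin, given_code = passcode[:-DIGITS], passcode[-DIGITS:]
    pin_ok = hmac.compare_digest(given_pin.encode(), pin.encode())
    code_ok = False
    for step in range(-drift_steps, drift_steps + 1):
        t = now + step * STEP_SECONDS
        if t < 0:
            continue
        expected = token_code(seed, t)
        code_ok |= hmac.compare_digest(given_code.encode(), expected.encode())
    return pin_ok and code_ok


if __name__ == "__main__":
    seed = b"12345678901234567890"  # constructed seed (RFC 6238 test key)
    pin = "4821"                    # constructed PIN
    passcode = make_passcode(pin, seed, now=59)
    print(passcode, verify_passcode(passcode, pin, seed, now=59))
```

A passcode is accepted only when both the PIN and a token code from the current or an adjacent interval match, so a captured passcode stops working once its interval falls outside the drift window.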
BlackBerry transport layer encryption is designed to protect the seed when the BlackBerry Enterprise Server sends it over
the transport layer. The device uses Research In Motion proprietary protocols that are designed to be highly secure to
perform all communication necessary to retrieve the seed on behalf of the RSA SecurID Library.
Security Technical Overview Wi-Fi enabled devices