[Camarones]

My office WLAN is set up as follows:

Cisco AP-1200 b/g
802.1x via PEAP, WPA TKIP, MS-CHAPv2.
I do not require client certificates, and windows clients do not require a server certificate.

I set up my 8320 as follows:

Security Type: PEAP
username: I tried username, and domain\username
password: my password
CA Certificate: None Selected (also tried selecting a random one)
Inner Link Security: EAP-MSCHAP-V2
Token: None Selected
Server subject: I have no idea what this is
Server SAN: I have no idea what this is...

It doesn't work. All my other clients are configured similarly but the BB won't connect and it claims "incorrect credentials". The AP's log merely states invalid authentication. There is no entry in the IAS server, because this seems to be hanging up at the authentication between the client and AP radios, not actual USER authentication. It seems like I need to be able to specify WPA-TKIP in addition to PEAP, but I don't seem to be able to do so....

Any hints?

[iamstuffed]

You probably need to use the Certificate Sync to transfer the appropriate .cer certificate file to your Blackberry. I had to do the same thing to get mine to login correctly with the work wireless.

[GT5L]

Quote:

Originally Posted by iamstuffed

You probably need to use the Certificate Sync to transfer the appropriate .cer certificate file to your Blackberry. I had to do the same thing to get mine to login correctly with the work wireless.

and how does one find the certificate for their router to install on the BB?

[Camarones]

What I meant to communicate in my first post is that my 802.1x implementation does not require a server or client certificate. It works fine with windows clients, you just don't configure that portion of the wireless settings. Apparently the Blackberry requires it??

[GT5L]

Wirelessly posted (BlackBerry8320/4.2.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/100)

Oh I understood you and I have the same exact problem I was wondering if the second poster could elaborate some more he seem to have it working

[GT5L]

have you resolved this problem?

[GT5L]

I figured out a solution, I set up the BB to connect using LEAP instead of PEAP and it works just fine. I am shocked and happy at the same time.

[extremeboozer]

You are the man!

[Camarones]

Quote:

Originally Posted by GT5L

I figured out a solution, I set up the BB to connect using LEAP instead of PEAP and it works just fine. I am shocked and happy at the same time.

Does your AP have multiple SSID's set up? For example one SSID for PEAP and another for LEAP? AFAIK LEAP is proprietary to Cisco AP's (which I don't really care about since I have a Cisco AP1200 in the office).

[Jon H]

I'm having the exact same issue as the topic starter:

Device: BlackBerry 8820
Network:
WPA Enterprise
802.1x through PEAP, using EAP-MS-CHAP v2 with password based authentication
However, no certificate is required.

It seems like the blackberry is attempting to authenticate the certificate anyway... which I'm not quite sure what to do about because there's no "do not verify certificate" like there is in Windows/Linux (wpasupplication)

Our AP is not broadcasting another/same SSID with LEAP -- so the above suggested isn't working for me.


I think these topics are related:
PEAP using the same with a certificate has issues:
http://www.blackberryforums.com/wifi...p-support.html

Possibly the same issue on the ATT forums:
Re: Wi fi conncetion problem with 8820 - RIM BlackBerry - Wireless Forums from AT&T



Any further ideas?

[rivviepop]

Quote:

Originally Posted by Jon H

Any further ideas?

I thought of one -- have you (y'all) tried going to Options -> Security -> TLS, and changing it from 'Proxy' to 'Handheld' ? I forget exactly why I have to do that on mine (I just remember I do ) but it solves some connection issue. It might not apply in any way here, but it can't hurt to mess with it...

[Jon H]

Quote:

Originally Posted by rivviepop

I thought of one -- have you (y'all) tried going to Options -> Security -> TLS, and changing it from 'Proxy' to 'Handheld' ? I forget exactly why I have to do that on mine (I just remember I do ) but it solves some connection issue. It might not apply in any way here, but it can't hurt to mess with it...

Good thought -- but not working here. I think it just might be an issue with the supplicant that needs a developer fix. =(

[ixtab]

I have exactly the same problem (with similar configuration), it is a client of mine so I can't really bother their IT with setup/test request/questions

The LEAP workaround is not working for me either.

Did anyone get their IT to contact RIMM for suggestions? Obviously the carrier won't care much but a BES admin with WiFi users might get better treatment directly from RIMM.

Thanks!
Ix.

[Camarones]

Still no resolution for me. I even went so far as to add my domain controller's certificate via the certificate sync plugin for BBDM but even with a valid trusted server certificate installed on the BB, I still cannot get this to work.

The LEAP workaround did not work for me.

The problem appears to be at the association level, not authentication.

[iamstuffed]

When I connected to the wireless network at work, I needed to add the certificate to my Blackberry. What certificate? Whatever certificate was sent when I connected using my Apple MacBook Pro laptop.

I'm not sure if it's the same with yours, but when I connected using my laptop, it asked to verify the certificate, and saved it in my keychain. Maybe with Windows and Linux, it saves it automatically and uses it, even if you do nothing to accept it.

Before transferring the certificate manually, it kept failing and I thought my account was disabled.

Are you absolutely sure no certificate is transferred?

[RyanR]

I'm having the same problem. My company uses WPA with TKIP. They do require a certificate. I've got the certificate in my phone. I've talked to the IT guy for how to set it up. I've entered the proper user name, password and the certificate they gave me. I get is W010: Wifi Association Failed.

Any ideas? Is there a way to get more error information from the phone?

[Camarones]

Quote:

Originally Posted by RyanR

I'm having the same problem. My company uses WPA with TKIP. They do require a certificate. I've got the certificate in my phone. I've talked to the IT guy for how to set it up. I've entered the proper user name, password and the certificate they gave me. I get is W010: Wifi Association Failed.

Any ideas? Is there a way to get more error information from the phone?

I don't know how to get more info than you see on the diagnostic page, but you can ask your IT person to examine the RADIUS server logs for any more hints. In my case RADIUS authentication is failing even though I'm using the same configuration/credentials as used on my laptop.

[stawBerry]

Quote:

Originally Posted by RyanR

I'm having the same problem. My company uses WPA with TKIP. They do require a certificate. I've got the certificate in my phone. I've talked to the IT guy for how to set it up. I've entered the proper user name, password and the certificate they gave me. I get is W010: Wifi Association Failed.

I have the same problem Has anyone gotten this to work?

[ashleyneiltaylor]

Correct me if I'm wrong, but PEAP uses Server side public key certificates in its authentication process because it sets up an SSL tunnel during the authenticaion process. So if you are using PEAP, you must have a certificate on there

When syncronising certificates, you have to manually tick the certificates you want to sync because by default they are switched off.

Perhaps your certificates were pushed by group policy.

You need the trusted root and intermediate certificates.

[Camarones]

Quote:

Originally Posted by ashleyneiltaylor

Correct me if I'm wrong, but PEAP uses Server side public key certificates in its authentication process because it sets up an SSL tunnel during the authenticaion process. So if you are using PEAP, you must have a certificate on there

When syncronising certificates, you have to manually tick the certificates you want to sync because by default they are switched off.

Perhaps your certificates were pushed by group policy.

You need the trusted root and intermediate certificates.

Even if a certificate is required (notice that on windows clients you can disable certificate checking?) I already have the server's root certificate installed and trusted on the BB. There is only one authentication server/certification authority/domain controller in my domain/office, and that is it. Would there even be any intermeditate certificates?