At the time of publication, this documentation supplements the documentation for the following releases:
• BlackBerry Enterprise Server Version 4.1 SP3 or later
• BlackBerry Professional Software Version 4.1 SP4 or later
©2008 Research In Motion Limited. All rights reserved. BlackBerry®, RIM®, Research In Motion®, SureType® and related trademarks, names,
and logos are the property of Research In Motion Limited and are registered and/or used as trademarks in the U.S., Canada, and countries
around the world.
Bluetooth is a trademark of Bluetooth SIG. GSM is a trademark of the GSM MOU Association. IBM, DB2, DB2 Universal Database, Domino, and
Lotus are trademarks of International Business Machines Corporation. IEEE, 802.1X, 802.11, 802.11a, 802.11b, 802.11g, and 802.11i are trademarks
of the Institute of Electrical and Electronics Engineers, Inc. Microsoft, Active Directory, and SQL Server are trademarks of Microsoft
Corporation. Novell and GroupWise are trademarks of Novell, Inc. RSA and RSA SecurID are trademarks of RSA Security. Wi-Fi, Wi-Fi Protected
Access, WPA, and WPA2 are trademarks of the Wi-Fi Alliance. All other trademarks are the properties of their respective owners.
The BlackBerry smartphone and other devices and/or associated software are protected by copyright, international treaties, and various
patents, including one or more of the following U.S. patents: 6,278,442; 6,271,605; 6,219,694; 6,075,470; 6,073,318; D445,428; D433,460;
D416,256. Other patents are registered or pending in the U.S. and in various countries around the world. Visit www.rim.com/patents for a list of
RIM (as hereinafter defined) patents.
This documentation including all documentation incorporated by reference herein such as documentation provided or made available at
www.blackberry.com/go/docs is provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee,
representation, or warranty of any kind by Research In Motion Limited and its affiliated companies ("RIM") and RIM assumes no responsibility
for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect RIM proprietary and
confidential information and/or trade secrets, this documentation may describe some aspects of RIM technology in generalized terms. RIM
reserves the right to periodically change information that is contained in this documentation; however, RIM makes no commitment to provide
any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all.
This documentation might contain references to third-party sources of information, hardware or software, products or services including
components and content such as content protected by copyright and/or third-party web sites (collectively the "Third Party Products and
Services"). RIM does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content,
accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products
and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by RIM of
the Third Party Products and Services or the third party in any way.
EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS,
GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY
CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR
PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING
FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE,
OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND
SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE.
SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT
PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT
BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST
ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL RIM BE LIABLE FOR ANY TYPE
OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE,
HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY
OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED
DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION,
LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR
RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH RIM PRODUCTS OR SERVICES,
DOWNTIME COSTS, LOSS OF THE USE OF RIM PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES,
COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES,
WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF RIM HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, RIM SHALL HAVE NO OTHER OBLIGATION, DUTY,
OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT
LIABILITY.
THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF
ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY
OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL
PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO RIM AND ITS AFFILIATED COMPANIES, THEIR
SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED RIM DISTRIBUTORS (ALSO
INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS.
IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT,
DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF RIM OR ANY AFFILIATES OF RIM HAVE ANY LIABILITY ARISING FROM OR
RELATED TO THE DOCUMENTATION.
Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service
provider has agreed to support all of their features. Installation or use of Third Party Products and Services with RIM's products and services
may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are
solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If
required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses
have been acquired. Any Third Party Products and Services that are provided with RIM's products and services are provided as a convenience to
you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by
RIM and RIM assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and
subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent
expressly covered by a license or other agreement with RIM.
The terms of use of any RIM product or service are set out in a separate license or other agreement with RIM applicable thereto. NOTHING IN
THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY RIM FOR
PORTIONS OF ANY RIM PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION.
Certain features outlined in this documentation require a minimum version of BlackBerry Enterprise Server Software, BlackBerry Desktop
Software, and/or BlackBerry Device Software and may require additional development or Third Party Products and Services for access to
corporate applications.
This product includes software developed by the Apache Software Foundation (http://www.apache.org/) and/or licensed pursuant to Apache
License, Version 2.0 (http://www.apache.org/licenses/). For more information, see the NOTICE.txt file included with the software. Unless
required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and
limitations under the License.
Research In Motion Limited
295 Phillip Street
Waterloo, ON N2L 3W8
Canada

Research In Motion UK Limited
200 Bath Road
Slough, Berkshire SL1 3XE
United Kingdom

Published in Canada
Contents
1 Using the Wi-Fi Implementation Supplement 9
  Supported environments 9
  Required BlackBerry Enterprise Server documentation 9
  BlackBerry Enterprise Server administrative roles 10
12 Troubleshooting 63
  Push settings to the BlackBerry device 63
  Troubleshooting connection and configuration issues on a Wi-Fi enabled BlackBerry device 63
  Troubleshooting connection issues on a Wi-Fi enabled BlackBerry device 64
    Verify that the Wi-Fi connection is turned on 64
    View basic diagnostic information on a Wi-Fi enabled BlackBerry device 64
    View detailed diagnostic information on a Wi-Fi enabled BlackBerry device 64
  Wi-Fi Diagnostics status indicators 64
    Status indicator groups 64
    Status indicator states 65
    Wi-Fi connection status indicators 65
    VPN connection status indicators 68
    UMA/GAN connection status indicators 70
    BlackBerry Infrastructure connection status indicators 71
    Enterprise connection status indicators 72
  Verify whether the BlackBerry device can reach an IP address 72
  Resolve a host name to an IP address 73
Glossary 95
1 Using the Wi-Fi Implementation Supplement
Required BlackBerry Enterprise Server documentation
BlackBerry Enterprise Server administrative roles
Supported environments
You can use this guide to supplement an installation of either the BlackBerry® Enterprise Server or the
BlackBerry® Professional Software. In this guide, consider BlackBerry® Enterprise Server to mean BlackBerry
Professional Software in the relevant reference information or in the tasks that the BlackBerry Professional
Software supports.
2 Technical overview
BlackBerry Enterprise Server architecture overview
Wi-Fi environment overview
Architecture: Options for Mobile and Wi-Fi connections
Architecture components
BlackBerry Enterprise Server process flows
Hotspots
Hotspots offered by an ISP, a mobile network provider, or a property owner can provide a Wi-Fi® connection in
public and semipublic areas. The network is typically an open network without link layer encryption, with a captive
portal for authentication. The captive portal performs the following functions:
• blocks all network traffic except traffic that uses HTTP
• redirects HTTP requests to a login page
After a hotspot user successfully logs in, the captive portal grants the user access to wireless network services.
Hotspots usually have a firewall in place, and they usually allow VPN connections.
Wi-Fi Implementation Supplement
[Figure: Mobile network and Wi-Fi connections. Components shown: mobile network provider, UNC/GANC, BlackBerry Infrastructure, BlackBerry Internet Service, Internet, personal or hotspot wireless access point, enterprise firewall, enterprise Wi-Fi network with enterprise wireless access points, and BlackBerry Enterprise Server.]
Architecture components
BlackBerry Enterprise Server components
For information about the BlackBerry® Enterprise Server components, see the BlackBerry Enterprise Server
Feature and Technical Overview for your messaging environment. No additional BlackBerry Enterprise Server
components are required for Wi-Fi® enabled BlackBerry devices.
3 Installation and configuration overview
Quick reference
Quick reference
Task: Set up your enterprise Wi-Fi® network.
  • Verify that your wireless access points comply with the IEEE® 802.11a™, IEEE® 802.11b™, or IEEE® 802.11g™ standard, that they allow NAT traversal if you use NAT in your organization, and that you have addressed the recommendations in your access point documentation to provide sufficient coverage for the number of Wi-Fi connections in your environment.
  • If necessary, set up the DHCP server.
  • If necessary, set up NAT.
Document: Documentation for your enterprise Wi-Fi network components

Task: Configure security.
Documents:
  • Documentation for your security hardware and software
  • BlackBerry Enterprise Solution Security Technical Overview

Task: Configure the firewall settings.
  • Open the required ports, as described in Placing the BlackBerry Enterprise Solution in a segmented network.
  • If you use a proxying firewall, configure the proxy so that it is transparent to users.
  • Verify that the BlackBerry® network IP addresses that are relevant to your environment are permitted addresses.
Document: Security documentation

Task: Configure the ports required for network traffic associated with a Wi-Fi network.
Document: BlackBerry Enterprise Server Wi-Fi Implementation Supplement

Task: Address hardware, software, operating system, messaging, networking, and database requirements for the BlackBerry Enterprise Server environment.
Documents:
  • BlackBerry Enterprise Server Capacity Calculator
  • BlackBerry Enterprise Server Performance Benchmarking
  • BlackBerry Enterprise Server Installation Guide

Task: Install the BlackBerry® Enterprise Server.
Document: BlackBerry Enterprise Server Installation Guide

Task: Verify that the BlackBerry Enterprise Server can connect to the BlackBerry® Infrastructure.
Document: BlackBerry Enterprise Server Installation Guide

Task: Verify that the enterprise Wi-Fi network can connect to the BlackBerry Router and that the BlackBerry Router is in the DNS server.
Document: BlackBerry Enterprise Server Installation Guide

Task: Add administrators to roles.
Document: BlackBerry Enterprise Server System Administration Guide

Task: Add users to the BlackBerry Enterprise Server.
Document: BlackBerry Enterprise Server System Administration Guide

Task: Configure the WLAN settings and the IT policy settings for Wi-Fi connections.
Document: BlackBerry Enterprise Server Wi-Fi Implementation Supplement

Task: Manually create a Wi-Fi profile on the BlackBerry device to verify connectivity to the enterprise Wi-Fi network.
Document: BlackBerry Enterprise Server Wi-Fi Implementation Supplement

Task: Implement BlackBerry devices.
Document: BlackBerry Enterprise Server Wi-Fi Implementation Supplement
4 Configuring security in your environment
Security for Wi-Fi enabled BlackBerry devices
Prerequisites: Configuring layer 2 access security
Prerequisites: Configuring layer 3 VPN access security
Configuring software tokens
Configuring MAC access control lists
Configuring a captive portal
Prerequisites: Configuring layer 2 access security

Component: BlackBerry® Enterprise Server Version 4.0 or later
Requirements:
• See the BlackBerry Enterprise Server Installation Guide for network operating system requirements.
• Verify that a local or remote BlackBerry Router is installed.
• Verify that you have configured the required WLAN and VPN settings.

Component: wireless access points
Requirement: Verify that all access points comply with the IEEE® 802.11a™, IEEE® 802.11b™, or IEEE® 802.11g™ standard.

Component: access security using the layer 2 method
Requirement: Verify that you are using one of the supported layer 2 security methods.

Component: BlackBerry device
Requirement: Using the DNS lookup tool on the BlackBerry device, verify that the BlackBerry device has access to the DHCP server and the DNS server.

Prerequisites: Configuring layer 3 VPN access security

Component: BlackBerry® Enterprise Server Version 4.0 or later
Requirements:
• See the BlackBerry Enterprise Server Installation Guide for network operating system requirements.
• Verify that you have configured the recommended WLAN and VPN settings.

Component: wireless access points
Requirement: Verify that all access points comply with the IEEE® 802.11a™, IEEE® 802.11b™, or IEEE® 802.11g™ standard.

Component: VPN access security using IPSec VPN
Requirement: Verify that a supported VPN concentrator is installed.

Component: BlackBerry device
Requirement: Using the DNS lookup tool on the BlackBerry device, verify that the BlackBerry device has access to the DHCP server and the DNS server.
Related topic
VPN IT policy group
You can configure multiple software tokens for a BlackBerry device user. For example, you can configure one
software token for use with Wi-Fi® authentication and a second software token for use with VPN authentication.
When the BlackBerry device user tries to establish a WLAN or VPN connection that requires two-factor
authentication on the BlackBerry device, the BlackBerry device prompts the BlackBerry device user to type the
software token PIN and submit the current tokencode for that connection type to create the passcode for two-
factor authentication.
Configuring a captive portal

Component: BlackBerry® Enterprise Server Version 4.0 or later
Requirements:
• See the BlackBerry Enterprise Server Installation Guide for network operating system requirements.
• Verify that you have applied the required WLAN and VPN settings.

Component: wireless access points
Requirement: Verify that all access points comply with the IEEE® 802.11a™, IEEE® 802.11b™, or IEEE® 802.11g™ standard.

Component: BlackBerry device
Requirement: Verify that the BlackBerry device has access to the DHCP server, if you are not using static IP addresses, and to the DNS server.

Component: captive portal login
Requirements:
• Verify that a captive portal for your organization is configured.
• Verify that the WLAN Enable Authentication Page option is set to True to allow users to access the captive portal using the WLAN Login browser on the BlackBerry device.
5 Installing and configuring the BlackBerry Enterprise Server
Configuring the BlackBerry Enterprise Server environment
Preparing to support Wi-Fi enabled BlackBerry devices
Installing the BlackBerry Enterprise Server
Adding administrators to roles
BlackBerry® Enterprise Server Version 4.0.x (Microsoft® Exchange, IBM® Lotus® Domino®, Novell® GroupWise®): see the BlackBerry Enterprise Server Installation Guide, "Configure required permissions" and "Configure required network protocols".
BlackBerry Enterprise Server Version 4.1.x (Microsoft Exchange, IBM Lotus Domino, Novell GroupWise): see the BlackBerry Enterprise Server Installation Guide, "Configuring your environment".
6 Setting up user accounts on the BlackBerry Enterprise Server
Setting up user accounts
Adding user accounts
Adding user groups
Customizing organizer data synchronization
7 Configuring WLAN and VPN settings
WLAN and VPN profiles
Configuring WLAN and VPN profiles
Assigning profiles
Managing profiles
Managing WLAN and VPN settings using IT policies
Configuring and assigning IT policies
Configure a Wi-Fi profile manually on the BlackBerry device
Related topic
Using WLAN IT policy rules with a WLAN configuration set
Related topic
VPN IT policy group
Assigning profiles
Assign a WLAN profile to a user account
You can assign more than one WLAN or VPN profile to a user account.
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the All Users tab, double-click the user account to which you want to assign the profile.
3. In the Properties for the user account, click WLAN Configuration.
4. In the WLAN Configuration Administration section, double-click WLAN Configuration Sets.
5. Click New.
6. In the Select WLAN Base Configuration dialog box, click the WLAN profile that you want to assign.
7. Click OK.
8. Click OK.
9. In the WLAN Configuration Administration section, verify that the correct profile is assigned.
Managing profiles
Change a setting in a WLAN profile
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click WLAN Configuration.
4. In the WLAN Configuration Administration section, double-click WLAN Configuration Sets.
6. Click Remove.
7. Click Apply.
Import the IT policy rules in an environment that uses an IBM DB2 Universal Database
1. At the command prompt, type
db2cmd
where <path> is the location of the downloaded IT policy template file, and <ITPolicyTemplateFile.sql> is the
name of the downloaded IT policy template file.
5. At the command prompt, type
db2 disconnect all
5. Click New.
6. Double-click IT Policy Name.
7. Type a name for the new IT policy.
8. From the Policy rule list, add IT policy rules to the IT policy:
• In the left pane, click an IT policy group.
• In the right pane, double-click the IT policy rule to assign a value or to choose between True or False.
9. Click OK.
Configure an IT policy
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.
5. Click New.
6. Double-click IT Policy Name.
7. Type a name for the new IT policy.
8. To configure the IT policy rules, perform the following actions:
• In the left pane, click a policy group.
• In the right pane, double-click an IT policy rule.
• Set a value for the IT policy rule.
9. Click OK.
6. In the right pane, select the IT policy that you want to assign.
7. Click OK.
8 Configuring encryption and authentication methods on the BlackBerry device
Configure WEP encryption
Configure PSK encryption
Using the IEEE 802.1X and EAP authentication framework
Configure LEAP authentication
Configuring PEAP, EAP-TLS, or EAP-TTLS certificate-based authentication
Configure PEAP authentication
Configure EAP-TLS authentication
Configure EAP-TTLS authentication
Configure EAP-FAST authentication
For more information about security features, see the BlackBerry Enterprise Solution Security Technical Overview.
Configure WEP encryption

Requirement: Obtain the WEP keys for the wireless access point.
Notes: For more information, see the documentation for your access points.

Requirement: Distribute the WEP keys to the Wi-Fi® enabled BlackBerry® device.
Notes: You can configure the WEP keys either in the default IT policy rules or in the WLAN configuration settings for the user. The BlackBerry® Enterprise Server sends the WEP key information during the initial configuration and activation of a new Wi-Fi enabled BlackBerry device.
The WEP keys on the BlackBerry device must match the WEP keys on the wireless access point.
You can configure four WEP keys and a default key ID. The WEP key numbering on the BlackBerry device does not match the WEP key numbering in the IT policy for the enterprise Wi-Fi network. For example, WEP key 1 on the BlackBerry device is WEP key 0 in the IT policy; WEP key 2 on the BlackBerry device is WEP key 1 in the IT policy. You type or copy the WEP keys of your access point as a string of hexadecimal digits.
A WEP passphrase is not supported.
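The off-by-one key numbering and the hexadecimal-only rule above are easy to get wrong when keys are copied from an access point into an IT policy. The following Python check is an added example, not RIM code and not a BlackBerry Enterprise Server interface: it validates each key, maps IT policy index 0-3 to device key 1-4, rejects passphrases, and compares the policy against the access point's keys. The sample dictionaries, the assumption that the access point numbers its keys 1-4 like the device, and the assumption that the default key ID uses the IT policy numbering are constructed for the example.

```python
import re

HEX_DIGITS = re.compile(r"[0-9A-Fa-f]+")
# WEP-40 ("64-bit") keys are 10 hex digits; WEP-104 ("128-bit") keys are 26.
KEY_BITS_BY_HEX_LENGTH = {10: 40, 26: 104}


def device_key_number(policy_index):
    """IT policy WEP key 0..3 is shown as WEP key 1..4 on the BlackBerry device."""
    if policy_index not in range(4):
        raise ValueError("IT policy WEP key index must be 0-3, got %r" % (policy_index,))
    return policy_index + 1


def policy_key_index(device_number):
    """Inverse mapping: WEP key 1..4 on the device is WEP key 0..3 in the IT policy."""
    if device_number not in range(1, 5):
        raise ValueError("device WEP key number must be 1-4, got %r" % (device_number,))
    return device_number - 1


def validate_wep_key(key):
    """Return the key size in bits for a hex WEP key, or raise ValueError. Anything that
    is not 10 or 26 hex digits is rejected: the device does not accept WEP passphrases,
    and a passphrase typed here would never match the key on the access point."""
    if not HEX_DIGITS.fullmatch(key):
        raise ValueError("WEP key %r is not a string of hexadecimal digits" % (key,))
    if len(key) not in KEY_BITS_BY_HEX_LENGTH:
        raise ValueError("WEP key %r has %d hex digits; expected 10 or 26" % (key, len(key)))
    return KEY_BITS_BY_HEX_LENGTH[len(key)]


def check_wep_settings(policy_keys, default_key_id, ap_keys):
    """Compare the IT policy keys (policy index 0-3 -> hex key) with the keys on the
    access point (numbered 1-4 like the device; an assumption of this example, as is
    default_key_id using the policy numbering) and return a list of findings. An empty
    list means the two sides agree. WEP itself gives no meaningful confidentiality
    today, so this checks configuration consistency only."""
    findings = []
    for idx, key in policy_keys.items():
        try:
            dev_no = device_key_number(idx)
            validate_wep_key(key)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        ap_key = ap_keys.get(dev_no)
        if ap_key is None:
            findings.append("device WEP key %d (policy key %d) is not set on the access point" % (dev_no, idx))
        elif ap_key.lower() != key.lower():
            findings.append("device WEP key %d (policy key %d) differs from the access point" % (dev_no, idx))
    if default_key_id not in policy_keys:
        findings.append("default key ID %r does not refer to a configured policy key" % (default_key_id,))
    return findings


# Constructed sample: an access point with two WEP-104 keys in slots 1 and 2.
SAMPLE_AP_KEYS = {1: "0123456789abcdef0123456789", 2: "fedcba9876543210fedcba9876"}
# IT policy that mirrors it: policy key 0 -> device key 1, policy key 1 -> device key 2.
SAMPLE_POLICY_OK = {0: "0123456789ABCDEF0123456789", 1: "fedcba9876543210fedcba9876"}
# Common mistake: the keys entered under the device numbering (1 and 2), which shifts
# every key up one slot, plus a passphrase where a hex key is expected.
SAMPLE_POLICY_BAD = {1: "0123456789abcdef0123456789", 2: "fedcba9876543210fedcba9876",
                     3: "my-office-wep"}
```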
Configure PSK encryption

Requirement: Obtain the passphrase for the wireless access point.
Notes: For more information, see the documentation for your access point.

Requirement: Distribute the passphrase for user authentication to the Wi-Fi enabled BlackBerry device.
Notes: You can set the passphrase and distribute it to the BlackBerry device using the WLAN Preshared Key IT policy rule. The passphrase on the BlackBerry device must match the key or passphrase on the wireless access point.
An IEEE 802.1X framework uses EAP methods to provide authentication. PEAP, EAP-TLS, EAP-TTLS, and EAP-FAST
authentication methods are designed to provide mutual authentication between the BlackBerry device and the
enterprise Wi-Fi network, if required by your organization’s security policy. If you are using PEAP, EAP-TLS, or EAP-
TTLS methods, you require a certificate authority to generate the certificates that each BlackBerry device and the
RADIUS server stores.
When a wireless client first associates itself with an access point that is enabled for IEEE 802.1X security, the only
communication that the access point permits is IEEE 802.1X authentication. Using a negotiated EAP method, the
supplicant on the Wi-Fi enabled BlackBerry device sends its credentials (typically, a BlackBerry device user name
and password) to the access point, which forwards the information to the authentication server. The
authentication server authenticates the BlackBerry device on behalf of the access point and instructs the access
point to permit or prevent access to the enterprise Wi-Fi network.
After an authentication server permits the BlackBerry device to access the enterprise Wi-Fi network, the access
point and the BlackBerry device use IEEE 802.1X EAPOL-key messages to establish the WEP, TKIP, or AES-CCMP
encryption keys, depending on the encryption method that you have configured on your enterprise Wi-Fi network.
After the access point and the BlackBerry device exchange encryption keys, the BlackBerry device has an
encrypted connection to the access point.
When using EAP-TLS, PEAP, or EAP-FAST, the Wi-Fi enabled BlackBerry device and the access point can cache a
PMK, which is derived from the keying material that the EAP exchange generates. PMK caching reuses this previously
established keying material so that the BlackBerry device can skip IEEE 802.1X authentication when it reconnects to
an access point with which it already shares a cached PMK. This feature helps to reduce the roaming latency between
access points in an enterprise Wi-Fi network environment for the Wi-Fi enabled BlackBerry device.
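The port gating, key establishment and PMK caching described above, as an added Python model that is not RIM code. The PRF, PTK and PMKID constructions are the IEEE 802.11i formulas; the access point, station and authentication server (a constructed credential table standing in for RADIUS, with the EAP method itself not modelled) are simplified for illustration.

```python
import hashlib
import hmac
import os

EAPOL_ETHERTYPE = 0x888E  # the only EtherType the AP forwards before authorization


def prf(key, label, data, nbits):
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce, nbits=384):
    """PTK = PRF-X(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(ANonce,
    SNonce)||Max(ANonce,SNonce)); 384 bits for AES-CCMP, 512 for TKIP. KCK|KEK|TK layout."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbits)


def pmkid(pmk, aa, spa):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), offered to reuse a cached PMK."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def eapol_key_mic(kck, body):
    """EAPOL-Key MIC for CCMP (AKM 2): HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


class AccessPoint:
    """Authenticator: gates the controlled port, caches PMKs, runs its half of the handshake."""

    def __init__(self, bssid, authentication_server):
        self.bssid = bssid
        self.authentication_server = authentication_server  # stand-in for RADIUS
        self.authorized = {}  # station MAC -> PMK while its controlled port is open
        self.pmk_cache = {}   # PMKID -> (station MAC, PMK)

    def accepts_frame(self, sta, ethertype):
        """Until the station is authorized, only 802.1X (EAPOL) frames pass."""
        return sta in self.authorized or ethertype == EAPOL_ETHERTYPE

    def eap_authenticate(self, sta, identity, credential):
        """Relay the EAP exchange; an Access-Accept opens the port and caches the PMK."""
        pmk = self.authentication_server(identity, credential)
        if pmk is None:
            return False  # Access-Reject: the port stays closed
        self.authorized[sta] = pmk
        self.pmk_cache[pmkid(pmk, self.bssid, sta)] = (sta, pmk)
        return True

    def reassociate_with_pmkid(self, sta, offered):
        """PMK caching: a PMKID this AP issued to this station reopens the port without EAP."""
        cached = self.pmk_cache.get(offered)
        if cached is None or cached[0] != sta:
            return False
        self.authorized[sta] = cached[1]
        return True

    def handshake_message2(self, sta, anonce, snonce, body, mic):
        """Verify the station's message-2 MIC (proof it holds the same PMK); return TK or None."""
        ptk = derive_ptk(self.authorized[sta], self.bssid, sta, anonce, snonce)
        if not hmac.compare_digest(eapol_key_mic(ptk[:16], body), mic):
            return None
        return ptk[32:48]


def station_message2(pmk, spa, aa, anonce, body):
    """Supplicant side of message 2: choose SNonce, derive the PTK, MIC the body."""
    snonce = os.urandom(32)
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    return snonce, eapol_key_mic(ptk[:16], body), ptk[32:48]


def demo():
    """One station: first association, EAP, key establishment, return with a cached PMK."""
    # Constructed table; a real RADIUS server returns the EAP method's MSK (PMK = first 256 bits).
    accounts = {("alice", "correct horse"): hashlib.sha256(b"constructed MSK").digest()}
    ap = AccessPoint(bytes.fromhex("0200000000aa"), lambda i, c: accounts.get((i, c)))
    sta, pmk = bytes.fromhex("0200000000bb"), accounts[("alice", "correct horse")]
    body = b"constructed EAPOL-Key message 2 body"
    obs = {}
    obs["ip_blocked_before_auth"] = not ap.accepts_frame(sta, 0x0800)
    obs["eapol_allowed_before_auth"] = ap.accepts_frame(sta, EAPOL_ETHERTYPE)
    obs["bad_credential_rejected"] = not ap.eap_authenticate(sta, "alice", "wrong")
    obs["eap_accepted"] = ap.eap_authenticate(sta, "alice", "correct horse")
    anonce = os.urandom(32)  # EAPOL-Key message 1 carries the AP's ANonce
    snonce, mic, sta_tk = station_message2(pmk, sta, ap.bssid, anonce, body)
    obs["tk_agreed"] = ap.handshake_message2(sta, anonce, snonce, body, mic) == sta_tk
    obs["ip_forwarded_after_auth"] = ap.accepts_frame(sta, 0x0800)
    ap.authorized.pop(sta)  # disassociation closes the port but keeps the PMK cache
    obs["blocked_after_disassociate"] = not ap.accepts_frame(sta, 0x0800)
    obs["cached_pmk_skips_eap"] = ap.reassociate_with_pmkid(sta, pmkid(pmk, ap.bssid, sta))
    obs["forged_mic_rejected"] = ap.handshake_message2(sta, anonce, snonce, body, bytes(16)) is None
    return obs
```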
The BlackBerry device supports the EAP methods LEAP, PEAP, EAP-TLS, EAP-TTLS, and EAP-FAST. If BlackBerry
device users share a single set of EAP credentials, you can set an IT policy to send those credentials to each
BlackBerry device automatically. Because EAP credentials are often unique to each BlackBerry device user, you
can use a per-user IT policy rule or WLAN configuration settings for a specific user to set an EAP method.
Configure LEAP authentication

Requirement: On the wireless access point, configure the LEAP settings to accept SSID association requests from users with the credentials that you specify, or identify the authentication server used to authenticate user credentials.
Notes: For more information, see the documentation for your access points.

Requirement: Set the user name and password for LEAP authentication.
Notes: The user must type the correct credentials for authentication and receive the session-based WEP key.
Configure PEAP authentication

Requirement: If security settings are not configured by IT policy, instruct your users to configure the security settings in the Wi-Fi® profile on the BlackBerry device.
Notes: Instruct your users to complete the following tasks:
1. On the BlackBerry device, in the device options, click Wi-Fi Connections.
2. Click the Wi-Fi profile that you want to configure.
3. Click Edit.
4. Set the Security Type field to PEAP.
5. Type your User name and User password for the messaging server.
6. In the CA certificate list, click the certificate for the authentication server.
7. Select the Inner link security type.
8. In the Token list, select the token type, if applicable. If you use EAP-MS-CHAPv2, you require only a user name and password and cannot choose a token.
9. Specify the Server subject or Server SAN, or both, if applicable.
   The Server subject and Server SAN fields provide additional identification information from the server certificate (the server name and identifier, or alternative name, in the form of a URL, such as server1.domain.com or server1.domain.net). If you leave these fields blank, the BlackBerry device skips them during server authentication.
10. If you use dynamic IP addressing, verify that Automatically obtain IP address and DNS is selected.
11. Verify that Allow inter-access point handover is selected.
12. Select the Prompt before connection check box, if applicable. If you do not select the check box, the BlackBerry device automatically connects to an available wireless access point.
13. Select the Notify on authentication failure check box, if applicable.
14. Choose your VPN profile, if applicable.
Requirement: If security settings are not configured by IT policy, instruct your users to configure the security settings in the Wi-Fi® profile on the BlackBerry device.
Notes: Instruct your users to complete the following tasks:
1. On the BlackBerry device, in the device options, click Wi-Fi Connections.
2. Click the Wi-Fi profile that you want to configure.
3. Click Edit.
4. If a warning about a VPN profile appears, click OK. EAP-TLS does not require a VPN profile.
5. Set the Security Type field to EAP-TLS.
6. Type your User name for the messaging server.
7. In the CA certificate list, click the certificate for the authentication server.
8. In the Client certificate list, click the user certificate.
9. Specify the Server subject or Server SAN, or both, if applicable.
The Server subject and Server SAN fields provide additional identification information from the server certificate (the server name and identifier, or alternative name, in the form of a URL, such as server1.domain.com or server1.domain.net). If you leave these fields blank, the BlackBerry device skips them during server authentication.
10. If you use dynamic IP addressing, verify that Automatically obtain IP address and DNS is selected.
11. Verify that Allow inter-access point handover is selected.
12. Select the Prompt before connection check box, if applicable. If you do not select the check box, the BlackBerry device automatically connects to an available wireless access point.
13. Select the Notify on authentication failure check box, if applicable.
Requirement: If security settings are not configured by IT policy, instruct your users to configure the security settings in the Wi-Fi® profile on the BlackBerry device.
Notes: Instruct your users to complete the following tasks:
1. On the BlackBerry device, in the device options, click Wi-Fi Connections.
2. Click the Wi-Fi profile that you want to configure.
3. Click Edit.
4. Set the Security Type field to EAP-TTLS.
5. Type your User name and User password for the messaging server.
6. In the CA certificate list, click the certificate for the authentication server.
7. The Inner link security type is EAP-MS-CHAPv2.
8. Specify the Server subject or Server SAN, or both, if applicable.
The Server subject and Server SAN fields provide additional identification information from the server certificate (the server name and identifier, or alternative name, in the form of a URL, such as server1.domain.com or server1.domain.net). If you leave these fields blank, the BlackBerry device skips them during server authentication.
9. If you use dynamic IP addressing, verify that Automatically obtain IP address and DNS is selected.
10. Verify that Allow inter-access point handover is selected.
11. Select the Prompt before connection check box, if applicable. If you do not select the check box, the BlackBerry device automatically connects to an available wireless access point.
12. Select the Notify on authentication failure check box, if applicable.
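The Server subject and Server SAN checks that appear in the PEAP, EAP-TLS and EAP-TTLS procedures above decide whether a server certificate that already chains to the selected CA certificate also names the expected authentication server, and a blank field is skipped. The Python below is an added illustration of that decision and is not BlackBerry code; the `ServerCert` type, the function names and the sample certificate values are constructed for the example, and it assumes that when both fields are set, both must match.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ServerCert:
    """Identity fields already extracted from a CA-validated server certificate
    (constructed stand-in for the example; not a BlackBerry type)."""
    subject_cn: str                                # subject common name
    sans: List[str] = field(default_factory=list)  # subjectAltName DNS entries


def _host_matches(expected: str, actual: str) -> bool:
    # DNS names compare case-insensitively; a trailing dot is insignificant.
    return expected.strip().rstrip(".").lower() == actual.strip().rstrip(".").lower()


def check_server_identity(cert: ServerCert, server_subject: str = "",
                          server_san: str = "") -> Tuple[bool, List[str]]:
    """Mirror the documented behaviour: a blank field is skipped, so with both
    fields blank any certificate issued by the trusted CA is accepted.
    Returns (accepted, warnings). Assumption: if both fields are set, both must match."""
    warnings: List[str] = []
    if not server_subject and not server_san:
        warnings.append("server identity not pinned: any certificate from the "
                        "trusted CA is accepted; set Server subject or Server SAN")
        return True, warnings
    if server_subject and not _host_matches(server_subject, cert.subject_cn):
        return False, [f"subject mismatch: expected {server_subject!r}, "
                       f"certificate presents {cert.subject_cn!r}"]
    if server_san and not any(_host_matches(server_san, s) for s in cert.sans):
        return False, [f"SAN mismatch: {server_san!r} not among {cert.sans}"]
    return True, warnings


# Constructed sample certificates; host names follow the procedure text.
EXPECTED = ServerCert("server1.domain.com", ["server1.domain.com", "server1.domain.net"])
# A different host holding a certificate from the same trusted CA.
OTHER_SERVER = ServerCert("guest-portal.domain.com", ["guest-portal.domain.com"])


def demo() -> dict:
    """The three cases worth comparing: pinned and matching, pinned and rejected,
    and the unpinned (both fields blank) configuration that accepts OTHER_SERVER."""
    return {
        "pinned_match": check_server_identity(EXPECTED, "server1.domain.com", "server1.domain.net"),
        "pinned_reject": check_server_identity(OTHER_SERVER, "server1.domain.com"),
        "unpinned": check_server_identity(OTHER_SERVER),
    }


if __name__ == "__main__":
    for name, (accepted, notes) in demo().items():
        print(f"{name}: accepted={accepted} {notes}")
```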
Requirement: Use automatic PAC provisioning over a safe network connection to distribute the PAC file to the wireless client.
Notes: For more information about the automatic provisioning process, see the documentation for your authentication server.
Requirement: Configure each wireless access point to connect to the access control server and a DHCP server. Verify that the DHCP server can provide the following information to the wireless client:
• IP address or network
• default gateway
• DNS server IP address
Notes: For more information, see the documentation for your access points.
Requirement: Configure the access control server.
Notes: For more information, see the documentation for your access control server.
Requirement: Instruct your users to configure the security settings in the Wi-Fi® profile on the BlackBerry® device.
Notes: Instruct your users to complete the following tasks:
1. On the BlackBerry device, in the device options, click Wi-Fi Connections.
2. Click the Wi-Fi profile that you want to configure.
3. Click Edit.
4. Set the Security Type field to EAP-FAST.
5. Type your User name and User password for the messaging server.
6. In the Inner link security list, click the security type.
7. In the Token list, select the token type, if applicable.
8. If you use dynamic IP addressing, verify that Automatically obtain IP address and DNS is selected.
9. Select the Prompt before connection check box, if applicable. If you do not select the check box, the BlackBerry device automatically connects to an available wireless access point.
10. Select the Notify on authentication failure check box, if applicable.
9: Configuring software tokens
Using software tokens on the BlackBerry device
Preparing the RSA Authentication Manager for software token use
Synchronize the date and time on the BlackBerry device with the RSA Authentication Manager computer
Set the default WLAN connection parameters for the BlackBerry Domain
Set the default VPN connection parameters for the BlackBerry Domain
Set the user’s profile for software token use
Import the token seed file into the RSA Authentication Manager Database
The software token stores the token’s UID, which is also called a seed. You receive the software token seed files in
.sdtid format, packaged separately, when you receive the RSA® Authentication Manager installation package.
When you install the RSA Authentication Manager, you create an empty RSA Authentication Manager Database.
Import the seed file for each software token into this database. You can import either single or multiple seed files.
10: Implementing BlackBerry devices
Minimum software requirements
Implementing BlackBerry devices
BlackBerry® Enterprise Server Version 4.0.x
• Microsoft® Exchange: BlackBerry Enterprise Server Administration Guide: Add a user from the address book; Managing user properties and statistics; Define PIM application synchronization settings; Setting the default IT policy; Protect a handheld remotely
• IBM® Lotus® Domino®, Novell® GroupWise®: BlackBerry Enterprise Server Administration Guide: Add a user from a local or foreign domain; Managing message redirection; Managing PIM synchronization; Setting the default IT policy; Protect a handheld remotely
• Microsoft Exchange, IBM Lotus Domino, Novell GroupWise: BlackBerry Enterprise Server Handheld Management Guide: Deploying handhelds; Managing PIM synchronization; Setting the default IT policy; Protect a handheld remotely
BlackBerry Enterprise Server Version 4.1.x
• Microsoft Exchange, IBM Lotus Domino, Novell GroupWise: BlackBerry Enterprise Server System Administration Guide: Implementing BlackBerry devices
11: Activating BlackBerry devices over the enterprise Wi-Fi network
Using the BlackBerry Router for BlackBerry device activations over the enterprise Wi-Fi network
Setting up the environment for BlackBerry device activations over the enterprise Wi-Fi network
Preparing to install a BlackBerry Router for BlackBerry device activations over the enterprise Wi-Fi network
Confirm the installation credentials
Configuring a BlackBerry Router for BlackBerry device activations over the enterprise Wi-Fi network
Prerequisites: Activating BlackBerry devices over the enterprise Wi-Fi network
Create and send activation information
Reactivate an existing BlackBerry device
Confirm that the activation is successful
In BlackBerry® Enterprise Server Version 4.1 SP3 and later, users can activate Wi-Fi® enabled BlackBerry devices
over the enterprise Wi-Fi network in environments where the following situations occur:
• BlackBerry devices can connect to the enterprise Wi-Fi network but cannot connect to the mobile network.
• Users do not have the BlackBerry® Desktop Manager installed on their computers.
• Administrators must deploy and activate a large number of BlackBerry devices.
9. Click Next.
10. Complete the remaining instructions on the screen.
12: Troubleshooting
Push settings to the BlackBerry device
Troubleshooting connection and configuration issues on a Wi-Fi enabled BlackBerry device
Troubleshooting connection issues on a Wi-Fi enabled BlackBerry device
Wi-Fi Diagnostics status indicators
Verify whether the BlackBerry device can reach an IP address
Resolve a host name to an IP address
Ping Type: The options are as follows:
• IP or Name
• Self
• WLAN Gateway
• VPN Concentrator
• UNC (mobile network provider)
• BBR (BlackBerry Router)
Ping to: In this field, you specify the IP address to ping.
Number of Pings: In this field, you specify the number of times to ping an IP address.

Device IP: This field indicates the IP address of the BlackBerry device.
Last Time Used: This field indicates the last time an IP address was pinged.
Results: This field indicates what happened when the last IP address was pinged.

Primary DNS: This field indicates the IP address of the primary computer that is used to resolve host names.
Secondary DNS: This field indicates the IP address of an optional computer used between networks.
Last Time Used: This field indicates the last time that the host was looked up.
Results: This field indicates the result of the last lookup, and lists each IP address to which the last lookup resolved.
13: IT policy rules and configuration settings
Using WLAN IT policy rules with a WLAN configuration set
WLAN IT policy group
WLAN configuration settings
VPN IT policy group
VPN configuration settings
Rule: Enable VPN
Description: Specify whether the VPN client on the BlackBerry® device is turned on.
Default value: False (VPN client on BlackBerry device is turned off)
BlackBerry Device Software: 4.2.0
BlackBerry Enterprise Server software: 4.1.2 (obsolete in 4.1.3)
Notes: If you turn off the VPN client on the BlackBerry device, the BlackBerry device might not be able to use a WLAN that requires VPN access, or it might require the use of an alternative form of access control. Set this rule to True if the BlackBerry device requires the use of a VPN server to access a WLAN.
Glossary
3GPP
Third Generation Partnership Project
802.11a
IEEE® 802.11a™ is a standard for a wireless network that operates at 5 GHz, with transmission speeds of up to 54 Mbps.
802.11b
IEEE® 802.11b™ is a standard for a wireless network that operates at 2.4 GHz, with transmission speeds of up to 11 Mbps.
802.11g
IEEE® 802.11g™ is a standard for a wireless network that operates at 2.4 GHz, with transmission speeds of up to 54 Mbps.
802.11i
IEEE® 802.11i™ is a standard that adds Quality of Service features and multimedia support to the IEEE® 802.11a™, IEEE® 802.11b™, and IEEE® 802.11g™ standards.
ACL
An access control list (ACL) specifies the permissions for users or groups associated with an object, such as a service, file, or folder. An ACL is sometimes referred to as a whitelist.
AES
Advanced Encryption Standard
AES-CCMP
AES-Counter Mode CBC-MAC Protocol
ARFCN
absolute radio frequency channel number
CBC
cipher block chaining
DES
Data Encryption Standard (DES)
DHCP
Dynamic Host Configuration Protocol
DMZ
The demilitarized zone (DMZ) is a neutral subnetwork between the organization’s trusted LAN and the untrusted external mobile network and public Internet.
DNS
Domain Name System
EAP
Extensible Authentication Protocol
EAP-FAST
Extensible Authentication Protocol Flexible Authentication via Secure Tunneling
EAP-GTC
Extensible Authentication Protocol Generic Token Card
EAP-TLS
Extensible Authentication Protocol Transport Layer Security
EAP-TTLS
Extensible Authentication Protocol Tunneled Transport Layer Security
FQDN
fully qualified domain name
GAN
Generic Access Network
GANC
GAN controller
GSM
Global System for Mobile communications
handover
A handover refers to moving from a mobile network to a Wi-Fi® network, or from a Wi-Fi network to a mobile network, while messages are transferring to or from a BlackBerry® device.
HTTP
The Hypertext Transfer Protocol
IPsec
IP Security
ISP
Internet service provider
LAN
local area network
LEAP
Lightweight Extensible Authentication Protocol
MAC
message authentication code
MCC
mobile country code
MD5
Message-Digest Algorithm, version 5
MNC
mobile network code
MS-CHAP
Microsoft Challenge Handshake Authentication Protocol
MX record
mail exchange record
NAT
network address translation
PAC
Protected Access Credential
PEAP
Protected Extensible Authentication Protocol
PFS
Perfect Forward Secrecy
PIN
personal identification number
PKI
Public Key Infrastructure
PMK
pairwise master key
PSK
preshared key
RADIUS
Remote Authentication Dial In User Service
RFC
Request for Comments
RXLEV
Received Signal Level
SEGW
mobile network provider’s security gateway
SAN
server alternative name
SRP
Server Routing Protocol
SSID
The service set identifier (SSID) is the name of a Wi-Fi® network.
SSL
Secure Sockets Layer
TKIP
Temporal Key Integrity Protocol
TLS
Transport Layer Security
TTLS
Tunneled Transport Layer Security
UID
unique identifier
UMA
Unlicensed Mobile Access
UNC
UMA controller
VPN
virtual private network
WEP
Wired Equivalent Privacy
WLAN
wireless local area network
WPA
Wi-Fi Protected Access™
©2008 Research In Motion Limited
Published in Canada.