Configuring EAP-FAST authentication
EAP-FAST is an authentication method that was developed by Cisco® Systems. Similar to PEAP authentication, EAP-FAST authentication encrypts EAP transactions within a TLS tunnel. Although PEAP uses a server-side digital certificate to configure the TLS tunnel, EAP-FAST uses a .pac file.
The .pac file that the BlackBerry® devices and the authentication server share contains secret keys that are unique to the BlackBerry devices. The EAP-FAST master key on the authentication server generates the .pac file. EAP-FAST uses the .pac file to open the TLS tunnel and authenticates the user credentials through the TLS tunnel.
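The relationship between the server master key, the per-device PAC, and the TLS tunnel keys can be sketched as follows. This is an added example, not code from the BlackBerry or Cisco documentation: the T-PRF and its label follow RFC 4851, while the function names, the PAC-Opaque layout, and the keyed derivation of the PAC-Key are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

LABEL = b"PAC to master secret label hash"  # label from RFC 4851, section 5.1


def t_prf(key, label, seed, out_len):
    """T-PRF of RFC 4851 section 5.5: HMAC-SHA1 blocks chained until out_len bytes."""
    s = label + b"\x00" + seed
    length = struct.pack("!H", out_len)
    out, block, counter = b"", b"", 1
    while len(out) < out_len:
        block = hmac.new(key, block + s + length + bytes([counter]), hashlib.sha1).digest()
        out += block
        counter += 1
    return out[:out_len]


def pac_key_for(master_key, pac_opaque):
    # ASSUMPTION: keyed derivation standing in for the vendor-specific
    # encryption that real servers use to carry the PAC-Key in PAC-Opaque.
    return hmac.new(master_key, b"pac-key" + pac_opaque, hashlib.sha256).digest()


def issue_pac(master_key, device_id):
    """Server side: build the per-device PAC from the server master key."""
    pac_opaque = device_id + b"|" + os.urandom(16)  # sent in the clear by the client
    return {"pac_key": pac_key_for(master_key, pac_opaque),  # stays secret on the device
            "pac_opaque": pac_opaque}


def client_master_secret(pac, server_random, client_random):
    """Device side: key the TLS tunnel from the PAC-Key, no certificate involved."""
    return t_prf(pac["pac_key"], LABEL, server_random + client_random, 48)


def server_master_secret(master_key, pac_opaque, server_random, client_random):
    """Server side: recover the PAC-Key from PAC-Opaque, then derive the same secret."""
    key = pac_key_for(master_key, pac_opaque)
    return t_prf(key, LABEL, server_random + client_random, 48)


if __name__ == "__main__":
    master = os.urandom(32)                  # constructed server master key
    pac = issue_pac(master, b"device-01")    # constructed device identifier
    sr, cr = os.urandom(32), os.urandom(32)  # TLS hello randoms
    ok = hmac.compare_digest(client_master_secret(pac, sr, cr),
                             server_master_secret(master, pac["pac_opaque"], sr, cr))
    print("tunnel keys match:", ok)
```

Because the tunnel keys depend only on the PAC-Key and the two hello randoms, the .pac file has to be protected in provisioning and storage in the same way as any other long-term shared secret.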
Configure EAP-FAST authentication
- Using automatic PAC provisioning, distribute the .pac file to the wireless client over a network connection that is designed to be secure.
- Configure each wireless access point to connect to the access control server and a DHCP server.
- Verify that the DHCP server can provide the following information to the wireless client:
  - IP address or network
  - default gateway
  - IP address of the DNS server
- Configure the access control server.
After you finish:
- For information about the automatic provisioning process, see the documentation for your organization’s authentication server.
- For information about configuring wireless access points, see the documentation for the access points.
- For information about configuring the access control server, see the documentation for the access control server.
Send EAP-FAST authentication data to a BlackBerry device using a Wi-Fi profile
If BlackBerry® users in your organization's environment use BlackBerry® 7270 smartphones, you must configure user names and passwords using IT policy rules instead of configuration settings.
After you finish:
- For more information about configuration settings, see the BlackBerry Enterprise Server Policy Reference Guide.
- Resend the IT policy that you assign to the user accounts to BlackBerry devices.
- Distribute the certificates.
Configure EAP-FAST configuration settings in the Wi-Fi profile on BlackBerry devices
If you do not configure the EAP-FAST configuration settings using the BlackBerry® Administration Service, instruct users to configure the settings in the Wi-Fi® profile on the Wi-Fi enabled BlackBerry device.
- On the BlackBerry device, in the device options, click Wi-Fi Connections.
- Click the Wi-Fi profile that you want to change.
- Click Edit.
- In the Security Type list, select EAP-FAST.
- Type the user name and password for the messaging server.
- In the Inner link security list, click the security type.
- If necessary, in the Token list, select the token type.
- If your organization uses dynamic IP addresses, verify that the Automatically obtain IP address and DNS option is selected.
- If necessary, select the Prompt before connection check box. If you do not select the check box, the BlackBerry device connects to an available wireless access point automatically.
- If necessary, select the Notify on authentication failure check box.