Configuring EAP-TLS authentication

If your organization implements EAP-TLS authentication, Wi-Fi enabled BlackBerry devices must authenticate to an authentication server so that they can connect to the enterprise Wi-Fi network.

EAP-TLS authentication requires that BlackBerry devices trust the authentication server certificate and use a client-side certificate as the supplicant credentials. To trust the authentication server certificate, BlackBerry devices must trust the certificate authority that issued the certificate. A certificate authority that the BlackBerry devices and the authentication server trust mutually must generate the certificate for the authentication server and the certificate for each BlackBerry device.

BlackBerry devices that use EAP-TLS authentication require a client certificate and the root certificate for the certificate authority server that created the certificate for the authentication server. You can obtain and install both certificates using the same distribution method.

To distribute the certificates to BlackBerry devices, you can use the certificate synchronization tool in the BlackBerry Desktop Manager, or you can enroll the certificate over the wireless network. You must configure a Wi-Fi profile to provide the user name and password for authentication.

For more information about how the BlackBerry Enterprise Solution supports EAP-TLS authentication, see the BlackBerry Enterprise Server Security Technical Overview.