RE: Blackberry disabled server certificates query
One of the annoying features of Blackberry devices is that the descriptions of the same CA certificate varies from device to device. Some devices, like my Storm2, seem to validate the CA even when that checkbox is selected. Since there are lots of CAs installed on Blackberry phones, setting up EAP can take a while as you go through the several certs which match your CA. "Palmer J.D.F." <J.D.F.Palmer@swansea.ac.uk> wrote:
We have endless amounts of trouble connecting Blackberrys, they are hateful things. Some devices will use the certificate, some won't connect unless cert validation is disabled. Some don't have the option to disable cert checking, and some won't connect at all. For a essentially single vendor device they have the most varied and random configuration idiosyncrasies between devices, even of the same model. Due to this variance we no longer try to offer online support for them, users are asked to bring them in to be looked at (and hacked at) to connect them.
But yes, if possible you want to be enforcing cert validation, but in practice it's not always possible.
-----Original Message----- From: freeradius-users- bounces+j.d.f.palmer=swansea.ac.uk@lists.freeradius.org [mailto:freeradius-users- bounces+j.d.f.palmer=swansea.ac.uk@lists.freeradius.org] On Behalf Of Garber, Neal Sent: 20 January 2012 11:13 To: 'FreeRadius users mailing list' Subject: RE: Blackberry disabled server certificates query
if you leave the box unchecked "disable server certificate validation" then the blackberry connects fine if you uncheck connection fails "failed to connect".
You wrote, "...if you leave it unchecked... (it)... connects fine if you uncheck (it the) connection fails"???
Did you mean to say "if you leave it *checked* it connects fine"?? If so, checking the box is telling your Blackberry NOT to validate the RADIUS server's certificate. If you don't validate the certificate, there's a risk that you could be passing your credentials to an untrusted RADIUS server (if someone impersonates your wireless network name).
Best practice, for RADIUS, is to use a cert generated from a private CA that you control, or at least trust. In this case, you would need to configure your Blackberry's to validate that the certificate is signed by the CA you expect (which means they would need the CA's cert installed - I assume this is possible with Blackberry's, but I don't own one and I don't know how difficult it is to distribute a cert to the Blackberry's or how many you have).
You need to decide whether to accept the risk or not.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (1)
-
Bruce Nunn