Blackberry disabled server certificates query
Hi We are testing various deivces with our new eduroam wirelss and so far so good. However, an issue cropped up with blackberrys where during the setup, if you leave the box unchecked "disable server certificate validation" then the blackberry connects fine if you uncheck connection fails "failed to connect". I have checked other institutions and they have conflicting guides some say leave it checked others say uncheck. Can anyone advise the status - to check or uncheck? Thanks -- View this message in context: http://freeradius.1045715.n5.nabble.com/Blackberry-disabled-server-certifica... Sent from the FreeRadius - User mailing list archive at Nabble.com.
if you leave the box unchecked "disable server certificate validation" then the blackberry connects fine if you uncheck connection fails "failed to connect".
You wrote, "...if you leave it unchecked... (it)... connects fine if you uncheck (it the) connection fails"??? Did you mean to say "if you leave it *checked* it connects fine"?? If so, checking the box is telling your Blackberry NOT to validate the RADIUS server's certificate. If you don't validate the certificate, there's a risk that you could be passing your credentials to an untrusted RADIUS server (if someone impersonates your wireless network name). Best practice, for RADIUS, is to use a cert generated from a private CA that you control, or at least trust. In this case, you would need to configure your Blackberry's to validate that the certificate is signed by the CA you expect (which means they would need the CA's cert installed - I assume this is possible with Blackberry's, but I don't own one and I don't know how difficult it is to distribute a cert to the Blackberry's or how many you have). You need to decide whether to accept the risk or not.
We have endless amounts of trouble connecting Blackberrys, they are hateful things. Some devices will use the certificate, some won't connect unless cert validation is disabled. Some don't have the option to disable cert checking, and some won't connect at all. For a essentially single vendor device they have the most varied and random configuration idiosyncrasies between devices, even of the same model. Due to this variance we no longer try to offer online support for them, users are asked to bring them in to be looked at (and hacked at) to connect them. But yes, if possible you want to be enforcing cert validation, but in practice it's not always possible.
-----Original Message----- From: freeradius-users- bounces+j.d.f.palmer=swansea.ac.uk@lists.freeradius.org [mailto:freeradius-users- bounces+j.d.f.palmer=swansea.ac.uk@lists.freeradius.org] On Behalf Of Garber, Neal Sent: 20 January 2012 11:13 To: 'FreeRadius users mailing list' Subject: RE: Blackberry disabled server certificates query
if you leave the box unchecked "disable server certificate validation" then the blackberry connects fine if you uncheck connection fails "failed to connect".
You wrote, "...if you leave it unchecked... (it)... connects fine if you uncheck (it the) connection fails"???
Did you mean to say "if you leave it *checked* it connects fine"?? If so, checking the box is telling your Blackberry NOT to validate the RADIUS server's certificate. If you don't validate the certificate, there's a risk that you could be passing your credentials to an untrusted RADIUS server (if someone impersonates your wireless network name).
Best practice, for RADIUS, is to use a cert generated from a private CA that you control, or at least trust. In this case, you would need to configure your Blackberry's to validate that the certificate is signed by the CA you expect (which means they would need the CA's cert installed - I assume this is possible with Blackberry's, but I don't own one and I don't know how difficult it is to distribute a cert to the Blackberry's or how many you have).
You need to decide whether to accept the risk or not.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
lmgo5991 wrote:
We are testing various deivces with our new eduroam wirelss and so far so good. However, an issue cropped up with blackberrys where during the setup, if you leave the box unchecked "disable server certificate validation" then the blackberry connects fine if you uncheck connection fails "failed to connect". I have checked other institutions and they have conflicting guides some say leave it checked others say uncheck.
Can anyone advise the status - to check or uncheck?
It should always validate the server certificate. The reason it's failing is probably because you didn't put the correct certificate on the blackberry. You need to do that. See my EAP guide: http://deployingradius.com Alan DeKok.
Hi,
The reason it's failing is probably because you didn't put the correct certificate on the blackberry. You need to do that. See my EAP guide:
like others we have mixes results with blackberrys - not sure if its related to particular handsets on the same carrier - i dont get that close to the 1st level support when they're looking at them.....but we do seem to have more cases recently with the latest blackberry curve. nasty devices. i might get hold of one to see if i can squeeze it until it screams and tells me whats wrong ;-) alan
hi, just to revisit this recent thread. Was at a site who were implementing 802.1X authentication and they noted the Blackberry issue - some devices okay, others not... the FreeRADIUS server was configured to have the WHOLE CA chain of certs (root, intermediate,server signer and server cert) in the certificate_file entry in eap.conf and all of the blackberries tested (os4 and os5 etc) then worked with 'check certificate' enabled. the devices had the root CA on them but if the other certs werent delivered from the server then the devices didnt want to authenticate - likely to be how the chain is handled by the device - especially as they were very fussy about what was in the CA store. alan
Apologies for reviving an old thread, but we have a response from RIM regarding this issue. The problem is with the version of OpenSSL on phone models 9360, 9380, and 9790. For full details, see: http://blackberry.com/btsc/kb29914 The "workaround" reads "Turn off secure renegotiation on the RADIUS server" Regards, Dave -- View this message in context: http://freeradius.1045715.n5.nabble.com/Blackberry-disabled-server-certifica... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (6)
-
Alan Buxey -
Alan DeKok -
DaveA -
Garber, Neal -
lmgo5991 -
Palmer J.D.F.