Blackberry disabled server certificates query

Garber, Neal Neal.Garber at iberdrolausa.com
Fri Jan 20 12:12:49 CET 2012


> if you leave the box unchecked "disable server certificate validation"
> then the blackberry connects fine if you uncheck connection fails 
> "failed to connect". 

You wrote, "...if you leave it unchecked... (it)... connects fine if you uncheck (it the) connection fails"???

Did you mean to say "if you leave it *checked* it connects fine"? If so, checking the box is telling your Blackberry NOT to validate the RADIUS server's certificate. If you don't validate the certificate, there's a risk that you could be passing your credentials to an untrusted RADIUS server (if someone impersonates your wireless network name).

Best practice, for RADIUS, is to use a cert generated from a private CA that you control, or at least trust. In this case, you would need to configure your Blackberrys to validate that the certificate is signed by the CA you expect (which means they would need the CA's cert installed - I assume this is possible with Blackberrys, but I don't own one and I don't know how difficult it is to distribute a cert to the Blackberrys or how many you have).

You need to decide whether to accept the risk or not.
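
The chain check described in the message above, as an added example that is not part of the original post: it builds a private CA and a look-alike CA with the same name, then shows which server certificate a client pinned to the private CA accepts. All names, subjects and file paths are constructed for the demo, and it assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Constructed demo: CA names, server name and paths are made up.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# make_ca DIR FILE: create a self-signed CA (FILE.key / FILE.pem).
# Both CAs get the SAME subject name on purpose: trust must rest on
# the CA's key, not on the name printed in the certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Corp Wireless CA" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_server_cert DIR CA_FILE OUT: sign a RADIUS server cert with CA_FILE.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.org" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 30 -out "$1/$3.pem" 2>/dev/null
}

# check_server_cert CA_PEM SERVER_PEM: the decision a validating client
# makes when only CA_PEM is installed as the trusted CA.
check_server_cert() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

make_ca "$workdir" corp-ca          # the private CA you control
make_ca "$workdir" lookalike-ca     # same name, different key
issue_server_cert "$workdir" corp-ca radius
issue_server_cert "$workdir" lookalike-ca impostor

echo "real RADIUS cert vs corp CA: $(check_server_cert "$workdir/corp-ca.pem" "$workdir/radius.pem")"
echo "impostor cert vs corp CA:    $(check_server_cert "$workdir/corp-ca.pem" "$workdir/impostor.pem")"
```

With validation disabled on the client, neither check runs and both servers are treated the same.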



