RIM devices won't connect to WPA2-Enterprise network

  • 1.  RIM devices won't connect to WPA2-Enterprise network

    Posted Mar 08, 2012 10:51 AM

    This is driving me nuts.. I have a ticket open with RIM but they're taking forever. I was hoping someone here might be in the same boat:

     

    I seem to have extreme amounts of difficulty getting blackberries and playbooks connected to my WPA2-Enterprise PEAP/MSCHAPv2 network. 

     

    - Other clients work fine: OS X, Windows All, iPhone, iPad, iPod etc

    - Some (read: few) blackberries work

    - all 9790 blackberries I've tried do not work

    - Multiple playbooks do not work

     

    Anyone experience something similar?

    Dave



  • 2.  RE: RIM devices won't connect to WPA2-Enterprise network

    Posted Mar 08, 2012 11:18 AM

    Can you do show auth-tracebuf <mac of bberry client> while you are attempting to connect one and post the results back here?

     

     



  • 3.  RE: RIM devices won't connect to WPA2-Enterprise network

    Posted Mar 08, 2012 12:11 PM

    Sure. I'll have one in my possession this afternoon and will update.

     

    Dave



  • 4.  RE: RIM devices won't connect to WPA2-Enterprise network

    Posted Mar 08, 2012 02:51 PM

    Here is a log with a few attempts.

     

     

    This is what radius says:

     

    Thu Mar 8 13:39:01 2012 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [user1] (from client wn-wc-phy-211-a port 0 cli 806007212713)
    Thu Mar 8 13:41:39 2012 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [user1] (from client wn-wc-phy-211-a port 0 cli 806007212713)
    Thu Mar 8 13:44:26 2012 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [user1] (from client wn-wc-phy-211-a port 0 cli 806007212713)
    Thu Mar 8 13:47:47 2012 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [user1] (from client wn-wc-phy-211-a port 0 cli 806007212713)
    Thu Mar 8 13:49:05 2012 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [user1] (from client wn-wc-phy-211-a port 0 cli 806007212713)
    Thu Mar 8 13:59:43 2012 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [user1] (from client wn-wc-phy-211-a port 0 cli 806007212713)
    Thu Mar 8 14:09:17 2012 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [user1] (from client wn-wc-phy-211-a port 0 cli 806007212713)

     

     

     

    ps. .txt really should be a valid attachment extension.

     

    Dave

    Attachment(s)

    zip
    auth buffer.txt.zip   1 KB 1 version


  • 5.  RE: RIM devices won't connect to WPA2-Enterprise network

    EMPLOYEE
    Posted Mar 08, 2012 03:12 PM

    Each RIM device comes with a client manager where you have to load the CA certificate of the WLAN in order for it to connect.  It doesn't seem to just skip or accept any CA server unless you upload it to the device.  Maybe they have evolved recently.

     



  • 6.  RE: RIM devices won't connect to WPA2-Enterprise network

    Posted Mar 08, 2012 03:26 PM

    Hi Colin,

     

    I will try to do that and report back. It seems that only newer blackberries are problematic, which is strange. 

     

    Anyways, I will let you know how it goes.

     

    Thanks,

    Dave



  • 7.  RE: RIM devices won't connect to WPA2-Enterprise network

    EMPLOYEE
    Posted Mar 08, 2012 03:29 PM

    @daveald wrote:

    Hi Colin,

     

    I will try to do that and report back. It seems that only newer blackberries are problematic, which is strange. 

     

    Anyways, I will let you know how it goes.

     

    Thanks,

    Dave


    Wow.  That does not make sense.  What is the "show auth-tracebuf mac <mac address of blackberry>" output?



  • 8.  RE: RIM devices won't connect to WPA2-Enterprise network

    Posted Mar 08, 2012 03:37 PM

    Hi Colin, 

     

    There is a zip file up a few posts with a longer and properly spaced log. Here is an excerpt. This just repeats, and radius logs what I mentioned earlier...

     

    Mar 8 14:11:14 eap-id-req <- 80:60:07:21:27:13 d8:c7:c8:17:09:2a 6 5
    Mar 8 14:11:22 station-up * 80:60:07:21:27:13 d8:c7:c8:17:09:2a - - wpa2 aes
    Mar 8 14:11:22 eap-id-req <- 80:60:07:21:27:13 d8:c7:c8:17:09:2a 6 5
    Mar 8 14:11:22 eap-id-resp -> 80:60:07:21:27:13 d8:c7:c8:17:09:2a 6 26 user1
    Mar 8 14:11:22 rad-req -> 80:60:07:21:27:13 d8:c7:c8:17:09:2a 65532 210
    Mar 8 14:11:22 rad-resp <- 80:60:07:21:27:13 d8:c7:c8:17:09:2a/cn-aaa-mc 65532 64
    Mar 8 14:11:22 eap-req <- 80:60:07:21:27:13 d8:c7:c8:17:09:2a 7 6
    Mar 8 14:11:22 eap-resp -> 80:60:07:21:27:13 d8:c7:c8:17:09:2a 7 74
    Mar 8 14:11:22 rad-req -> 80:60:07:21:27:13 d8:c7:c8:17:09:2a/cn-aaa-mc 65521 276
    Mar 8 14:11:22 rad-resp <- 80:60:07:21:27:13 d8:c7:c8:17:09:2a/cn-aaa-mc 65521 1090
    Mar 8 14:11:22 eap-req <- 80:60:07:21:27:13 d8:c7:c8:17:09:2a 8 1024
    Mar 8 14:11:22 eap-resp -> 80:60:07:21:27:13 d8:c7:c8:17:09:2a 8 6
    Mar 8 14:11:22 rad-req -> 80:60:07:21:27:13 d8:c7:c8:17:09:2a/cn-aaa-mc 113 208
    Mar 8 14:11:22 rad-resp <- 80:60:07:21:27:13 d8:c7:c8:17:09:2a/cn-aaa-mc 113 1086
    Mar 8 14:11:22 eap-req <- 80:60:07:21:27:13 d8:c7:c8:17:09:2a 9 1020
    Mar 8 14:11:22 eap-resp -> 80:60:07:21:27:13 d8:c7:c8:17:09:2a 9 6
    Mar 8 14:11:22 rad-req -> 80:60:07:21:27:13 d8:c7:c8:17:09:2a/cn-aaa-mc 5 208
    Mar 8 14:11:22 rad-resp <- 80:60:07:21:27:13 d8:c7:c8:17:09:2a/cn-aaa-mc 5 646
    Mar 8 14:11:22 eap-req <- 80:60:07:21:27:13 d8:c7:c8:17:09:2a 10 584
    Mar 8 14:11:22 eap-resp -> 80:60:07:21:27:13 d8:c7:c8:17:09:2a 10 13
    Mar 8 14:11:22 rad-req -> 80:60:07:21:27:13 d8:c7:c8:17:09:2a/cn-aaa-mc 108 215
    Mar 8 14:11:22 rad-reject <- 80:60:07:21:27:13 d8:c7:c8:17:09:2a/cn-aaa-mc 108 44
    Mar 8 14:11:22 eap-failure <- 80:60:07:21:27:13 d8:c7:c8:17:09:2a 10 4 server rejected
    Mar 8 14:11:31 station-down * 80:60:07:21:27:13 d8:c7:c8:17:09:2a - -
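
Added example, not part of any post in this thread: a short Python script that joins the RADIUS log from post 4 with the auth-tracebuf excerpt from post 8 by client MAC, so each controller-side rad-reject is paired with the TLS alert the RADIUS server logged for that client. The function names are illustrative and the sample lines are copied from the two excerpts above; "TLS Alert read" in the RADIUS log means the server received the alert from the client.

```python
import re
from collections import Counter
# Sample input: lines copied from the RADIUS log and auth-tracebuf excerpts in this thread.
RADIUS_LOG = """\
Thu Mar 8 13:59:43 2012 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [user1] (from client wn-wc-phy-211-a port 0 cli 806007212713)
Thu Mar 8 14:09:17 2012 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [user1] (from client wn-wc-phy-211-a port 0 cli 806007212713)
"""
TRACEBUF = """\
Mar 8 14:11:22 station-up * 80:60:07:21:27:13 d8:c7:c8:17:09:2a - - wpa2 aes
Mar 8 14:11:22 eap-id-resp -> 80:60:07:21:27:13 d8:c7:c8:17:09:2a 6 26 user1
Mar 8 14:11:22 eap-req <- 80:60:07:21:27:13 d8:c7:c8:17:09:2a 10 584
Mar 8 14:11:22 eap-resp -> 80:60:07:21:27:13 d8:c7:c8:17:09:2a 10 13
Mar 8 14:11:22 rad-reject <- 80:60:07:21:27:13 d8:c7:c8:17:09:2a/cn-aaa-mc 108 44
Mar 8 14:11:22 eap-failure <- 80:60:07:21:27:13 d8:c7:c8:17:09:2a 10 4 server rejected
"""

ALERT = re.compile(r"\(TLS Alert (read|write):(\w+):([^)]+)\).*\bcli ([0-9A-Fa-f]{12})\)")
EVENT = re.compile(r"^\w+ +\d+ [\d:]+ (\S+) +(?:<-|->|\*) +([0-9a-f:]{17}) ")

def norm(mac):
    """Reduce either MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def tls_alerts(radius_log):
    """Count TLS alerts per (client MAC, direction, level, description)."""
    out = Counter()
    for m in ALERT.finditer(radius_log):
        out[(norm(m.group(4)), m.group(1), m.group(2), m.group(3))] += 1
    return out

def rejected_stations(tracebuf):
    """Map each MAC that received a rad-reject to its last EAP response type."""
    last, rejected = {}, {}
    for line in tracebuf.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue
        ev, mac = m.group(1), norm(m.group(2))
        if ev == "rad-reject":
            rejected[mac] = last.get(mac)
        elif ev.startswith("eap-") and ev.endswith("resp"):
            last[mac] = ev
    return rejected

def correlate(radius_log, tracebuf):
    """Attach the RADIUS-side TLS alerts to each station the controller saw rejected."""
    alerts = tls_alerts(radius_log)
    return {mac: [(k[1:], n) for k, n in alerts.items() if k[0] == mac]
            for mac in rejected_stations(tracebuf)}
```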



  • 9.  RE: RIM devices won't connect to WPA2-Enterprise network

    EMPLOYEE
    Posted Mar 08, 2012 03:57 PM

    It certainly is responding to the Radius Server's rejection...



  • 10.  RE: RIM devices won't connect to WPA2-Enterprise network

    EMPLOYEE
    Posted Mar 10, 2012 11:37 AM

    I use both a BlackBerry 9900 and a PlayBook w/ v2.0 to connect to the Aruba corporate WPA2-Ent WLAN without any issues; as I recall, it worked when I had it set up on a lab SSID as well.



  • 11.  RE: RIM devices won't connect to WPA2-Enterprise network

    Posted Mar 11, 2012 03:03 AM

    Also make sure that you have the server public key loaded into the BlackBerry.  I seem to recall that BB auth will fail if the server cert is not available.

     

     -michael



  • 12.  RE: RIM devices won't connect to WPA2-Enterprise network

    Posted Mar 20, 2012 03:40 PM

    Hello,

     

    I thought I should give an update on this. RIM is escalating my case to their development team. There is no official word that it is a problem with their device, but at this point I can't really see any other possibility.

     

    I'll let you know what I find out from them.

     

    Dave



  • 13.  RE: RIM devices won't connect to WPA2-Enterprise network

    Posted Mar 23, 2012 08:27 AM

    Hello Everyone,

     

    RIM got back to me and linked this KB article: 

    www.blackberry.com/btsc/kb29914

     

    Summary:

     

    Receiving error "Failed to connect to the network" when attempting to connect BlackBerry smartphone to wi-fi network

     

    This issue is encountered when secure renegotiation is enabled on the RADIUS server.  The cause of the issue is due to the version of OpenSSL present on the affected BlackBerry smartphones.  The models of BlackBerry smartphone affected by this issue are the 9360, 9380 and 9790 models.

     

    Resolution: This is a previously reported issue that is being investigated by our development team. No resolution time frame is currently available.

     

    Workaround: Turn off secure renegotiation on the RADIUS server.

     

    --------------------

     

    Like I expected, it looks like Aruba is off the hook! 

     

    Dave