Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Jonathan Waldrep
 I'd be down for a QR code that onboards clients. Just put up a warning
saying, "hey, this is a camera-readable password" before clicking to
reveal it.

 I don't particularly care about a 100x zoom if my back is to a wall.
Walk-in support could easily set up a kiosk that makes it a non-issue.
For walk-in support, an NFC pad would also work really well.

 Of course, this only works on devices that you can easily use the
camera or NFC on, but those also tend to be the more difficult devices
to on-board.

On 2021-02-02 18:55:59+, Tim Cappalli wrote:
> Yeah, I think you're asking for a profile-like configuration mechanism on 
> Android which is different than invocation of provisioning. I agree and hope 
> there will be some traction in this area in the future.
> 
> For the time being though, you could still have a generic QR code that takes 
> users to a landing page where you can use UA detection to invoke the correct 
> flow, be it a profile download or just instructions.
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of Hunter Fuller 
> <0211f6bc0913-dmarc-requ...@listserv.educause.edu>
> Sent: Tuesday, February 2, 2021 13:53
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: 
> [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 
> 15th 2021
> 
> That's fair, and it's why I included the bit about requiring existing 
> connectivity. I think in my mind, if there was a certificate involved, it 
> would be downloaded from the Internet once the QR code was scanned. This is 
> similar to what you can do with .mobileconfig files on iOS. You do have to 
> find a way to get the .mobileconfig file into Safari on the device, but once 
> you do that, the configuration process is quite streamlined. An Android 
> equivalent would be amazing.
> 
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
> 
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
> 
> 
> On Tue, Feb 2, 2021 at 12:48 PM Tim Cappalli 
> <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
> I can scan a QR code with embedded credentials over your shoulder
> 
> (I think the newest Galaxy has 100x zoom?)
> 
> 
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller 
> <0211f6bc0913-dmarc-requ...@listserv.educause.edu>
> Sent: Tuesday, February 2, 2021 13:45
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: 
> [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
> 
> I don't follow how sending someone configuration via a QR code on our 
> website, would have a different trust profile from showing instructions on 
> that same website, or sending them to eduroam CAT from that website.
> 
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
> 
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
> 
> 
> On Tue, Feb 2, 2021 at 12:43 PM Tim Cappalli 
> <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
> While UX is great with QR codes, security and trust is challenging.
> 
> You'll start to see more QR-based provisioning with IoT as part of Wi-Fi Easy 
> Connect but those have other security layers baked on top.
> 
> 
> 
> 
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller 
> <0211f6bc0913-dmarc-requ...@listserv.educause.edu>
> Sent: Tuesday, February 2, 2021 13:41
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming 
> changes Feb 15th 2021
> 
> I wish there was a QR schema. Even if it only worked on devices with another 
> connection available (LTE, etc.) to download the config. Sigh.
> 
> The closest we have right no

Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Tim Cappalli
Yeah, I think you're asking for a profile-like configuration mechanism on 
Android which is different than invocation of provisioning. I agree and hope 
there will be some traction in this area in the future.

For the time being though, you could still have a generic QR code that takes 
users to a landing page where you can use UA detection to invoke the correct 
flow, be it a profile download or just instructions.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Hunter Fuller 
<0211f6bc0913-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 13:53
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: 
[WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 
15th 2021

That's fair, and it's why I included the bit about requiring existing 
connectivity. I think in my mind, if there was a certificate involved, it would 
be downloaded from the Internet once the QR code was scanned. This is similar 
to what you can do with .mobileconfig files on iOS. You do have to find a way 
to get the .mobileconfig file into Safari on the device, but once you do that, 
the configuration process is quite streamlined. An Android equivalent would be 
amazing.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:48 PM Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
I can scan a QR code with embedded credentials over your shoulder

(I think the newest Galaxy has 100x zoom?)



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller 
<0211f6bc0913-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 13:45
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: 
[WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

I don't follow how sending someone configuration via a QR code on our website, 
would have a different trust profile from showing instructions on that same 
website, or sending them to eduroam CAT from that website.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:43 PM Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
While UX is great with QR codes, security and trust is challenging.

You'll start to see more QR-based provisioning with IoT as part of Wi-Fi Easy 
Connect but those have other security layers baked on top.





From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller 
<0211f6bc0913-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 13:41
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming 
changes Feb 15th 2021

I wish there was a QR schema. Even if it only worked on devices with another 
connection available (LTE, etc.) to download the config. Sigh.

The closest we have right now is scanning a QR code leading to a .mobileconfig 
file on iOS.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:29 PM Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
Well, again, you should be properly configuring the supplicant regardless, so 
the instructions would apply to any version of Android

RE: QR, no, enterprise authentication is not supported. A supplicant 
configuration tool should always be used. The supplicant was not designed to be 
manually configured by end users (on any OS).



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Holden 
<mhol...@datanetworksolutions.com>
Sent: Tuesday, February 2, 2021 13:16
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LA
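
The landing-page approach described in the message above (a generic QR code that leads to a page using UA detection to pick a profile download or instructions), sketched as an added example that is not part of the thread. The host `wifi.example.edu`, the paths and all function names are hypothetical; the point is that the QR payload carries only a generic HTTPS URL, so nothing read over a shoulder is a credential.

```javascript
// Added example; routes and names are assumptions, not from the thread.
const FLOWS = {
  ios:     { kind: "profile",      path: "/onboard/wifi.mobileconfig" },
  macos:   { kind: "profile",      path: "/onboard/wifi.mobileconfig" },
  android: { kind: "instructions", path: "/onboard/android" },
  other:   { kind: "instructions", path: "/onboard/manual" },
};

// Classify a User-Agent header. The UA is a client-supplied hint, so it only
// selects which page to show; it must never gate access to anything secret.
function detectPlatform(ua) {
  const s = String(ua || "");
  if (/Android/i.test(s)) return "android";        // Android UAs also say "Safari"
  if (/iPhone|iPad|iPod/i.test(s)) return "ios";
  // iPadOS in desktop mode reports "Macintosh"; both accept .mobileconfig.
  if (/Macintosh/i.test(s)) return "macos";
  return "other";
}

// Pick the onboarding flow for a request's User-Agent.
function chooseFlow(ua) {
  return FLOWS[detectPlatform(ua)];
}

// Validate the URL that will be encoded into the printed QR code: HTTPS only,
// and no userinfo, query string or fragment that could carry per-user data.
function qrPayload(landingUrl) {
  const u = new URL(landingUrl);
  if (u.protocol !== "https:") throw new Error("landing page must be HTTPS");
  if (u.username || u.password) throw new Error("no credentials in the URL");
  if (u.search || u.hash) throw new Error("no per-user data in the QR payload");
  return u.href;
}

// Constructed sample User-Agent strings.
const SAMPLE_ANDROID = "Mozilla/5.0 (Linux; Android 11; Pixel 3 XL) " +
  "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.93 Mobile Safari/537.36";
const SAMPLE_IPHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) " +
  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1";

console.log(qrPayload("https://wifi.example.edu/onboard"),
            chooseFlow(SAMPLE_ANDROID), chooseFlow(SAMPLE_IPHONE));
```
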

Re: [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Hunter Fuller
That's fair, and it's why I included the bit about requiring existing
connectivity. I think in my mind, if there was a certificate involved, it
would be downloaded from the Internet once the QR code was scanned. This is
similar to what you can do with .mobileconfig files on iOS. You do have to
find a way to get the .mobileconfig file into Safari on the device, but
once you do that, the configuration process is quite streamlined. An
Android equivalent would be amazing.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:48 PM Tim Cappalli <
0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:

> I can scan a QR code with embedded credentials over your shoulder
>
> (I think the newest Galaxy has 100x zoom?)
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <
> 0211f6bc0913-dmarc-requ...@listserv.educause.edu>
> *Sent:* Tuesday, February 2, 2021 13:45
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External]
> Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> I don't follow how sending someone configuration via a QR code on our
> website, would have a different trust profile from showing instructions on
> that same website, or sending them to eduroam CAT from that website.
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
>
> On Tue, Feb 2, 2021 at 12:43 PM Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> While UX is great with QR codes, security and trust is challenging.
>
> You'll start to see more QR-based provisioning with IoT as part of Wi-Fi
> Easy Connect but those have other security layers baked on top.
>
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <
> 0211f6bc0913-dmarc-requ...@listserv.educause.edu>
> *Sent:* Tuesday, February 2, 2021 13:41
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11
> upcoming changes Feb 15th 2021
>
> I wish there was a QR schema. Even if it only worked on devices with
> another connection available (LTE, etc.) to download the config. Sigh.
>
> The closest we have right now is scanning a QR code leading to a
> .mobileconfig file on iOS.
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
>
> On Tue, Feb 2, 2021 at 12:29 PM Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> Well, again, you should be properly configuring the supplicant regardless,
> so the instructions would apply to any version of Android
>
> RE: QR, no, enterprise authentication is not supported. A supplicant
> configuration tool should always be used. The supplicant was not designed
> to be manually configured by end users (on any OS).
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Holden <
> mhol...@datanetworksolutions.com>
> *Sent:* Tuesday, February 2, 2021 13:16
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> We've seen much the same.
> A Pixel 2XL and a Pixel 3XL fully updated, the 2XL had the Don't Validate
> option, but the Pixel 3XL did not.
>
> We added the CA cert to a subpage on the guest captive portal for ease of
> access to the Wireless device, and provided some instructions for the
> devices.
> The workflow to manually add the Wireless Trust was a bit flaky too with
> Modify Settings not really working.
>
> The instruction set that appeared to work as of the current (January 2021)
> Android software release on the Pixel 3XL not tested on Pixel 4/4a/5:
>
>
> 1. Download the CA cert from the ClearPass Guest Captive Portal Page
> 2. Go to Settings
> 3. Network & Internet
> 4. Wi-Fi
> 5. Wi-Fi preferences
> 6. Advanced
> 7. Install Certificate
> 8. Choose the Certificate downloaded in the first step
> 9. Name the Certificate
> 10. Connect to the Secure SSID
>     1. Change the Certificate from System Certs to the Certificate name
>        entered in the previous step
>     2. Domain to 
>     3. Identity as the username
>     4. Password as the user’s password
>     5. Connect
> 11. Confirm