Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-10 Thread Jonathan Waldrep
 This thread has been about the "CA certificate" option, which is stuck
on "Use system certificates". This is specifying which CA the server
cert should chain back to. It defaults to any system (CA/B forum)
certificate.

 You are looking at the "Online Certificate Status" option, which is
what specifies the OCSP behavior. This is for checking if the server
cert has been revoked. Good to have, but nowhere near as critical as the
first option. Also, selecting the wrong option here can prevent someone
from connecting if your RADIUS server is not doing OCSP stapling.

On 2021-02-10 10:44:45-0500, Walter Reynolds wrote:
> Here are the screenshots.
> 
> [images: software update.jpg, software.jpg, phone type.jpg, base screen.jpg, options dropdown.jpg]
> 
> -
> Walter Reynolds
> Network Architect
> Information and Technology Services
> University of Michigan
> (734) 615-9438

RE: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-10 Thread Tim Cappalli
That’s what I suspected. That is NOT for EAP server trust. It is for 
certificate status. Not the same thing.

If you look at the CA Certificate dropdown (not the Online Certificate Status 
dropdown), you should not see a Do Not Validate option.

tim

From: Walter Reynolds
Sent: Wednesday, February 10, 2021 10:45
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Here are the screenshots.







-
Walter Reynolds
Network Architect
Information and Technology Services
University of Michigan
(734) 615-9438



RE: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-10 Thread Tim Cappalli
My thoughts exactly. Sure, I’m curious about the behavior being reported, but 
it really doesn’t matter.


From: Jonathan Waldrep
Sent: Wednesday, February 10, 2021 10:36
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

 I get the impression people haven't seen this:
https://www.youtube.com/watch?v=gkPvZDcrLFk

 Note this was presented in *2012*. As Tim has said many, many times,
you really should be validating the server, even if you have the option
to not. Thus, whether or not that option is available is kinda
irrelevant.


Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-10 Thread Jonathan Waldrep
 I get the impression people haven't seen this:
https://www.youtube.com/watch?v=gkPvZDcrLFk

 Note this was presented in *2012*. As Tim has said many, many times,
you really should be validating the server, even if you have the option
to not. Thus, whether or not that option is available is kinda
irrelevant.

On 2021-02-10 11:36:36+, Mathieu Sturm wrote:
> I've ordered a Pixel 5 and will do some testing as well.
> I've been testing with a virtual android 11 on android studio. This virtual 
> android 11 also had the option to select "don't validate" option.
> 
> I will share my findings once testing has been done.

RE: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-10 Thread Mathieu Sturm
I've ordered a Pixel 5 and will do some testing as well.
I've been testing with a virtual android 11 on android studio. This virtual 
android 11 also had the option to select "don't validate" option.

I will share my findings once testing has been done.


Mathieu Sturm
Senior Staff Member, Network Management

Directorate of Finance, Infrastructure and IT
Network Management Department
Campus Schoonmeerssen - Building B, Room B0.75
Valentin Vaerwyckweg 1 - 9000 Gent
+32 9 243 35 23
www.hogent.be



From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Dom Colangelo
Sent: Tuesday, 9 February 2021 18:26
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

In my testing I found that networks saved prior to the patch retained the 
'Don't validate' option. Forgetting and re-configuring the network eliminated 
the option.


RE: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-09 Thread Dom Colangelo
In my testing I found that networks saved prior to the patch retained the 
'Don't validate' option. Forgetting and re-configuring the network eliminated 
the option.

Dom Colangelo
Systems Engineer
Omada Technologies
Cell: (617)-446-3945
dcolang...@omadatechnologies.com

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Tuesday, February 9, 2021 12:15
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Screenshot?


Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-09 Thread Tim Cappalli
Screenshot?

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Walter Reynolds
Date: Tuesday, February 9, 2021 at 12:03
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

I have a Pixel 3 that I did a factory reset on.  Next I did all the updates 
needed and it is running Android 11.  The build number is RQ1A.210205.004 which 
includes the latest security patch for the phone.

When I go to configure a WPA2 Enterprise network I still have the "Don't 
validate" option.

What am I missing here?


Walter Reynolds
Network Architect
Information and Technology Services
University of Michigan
(734) 615-9438


On Sun, Feb 7, 2021 at 3:29 AM Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
I would not expect Pixel 2 and earlier to receive this update as they are end 
of support.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Richie Penuela 
<richie.penu...@ucf.edu>
Sent: Friday, February 5, 2021 09:37
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021


Mathieu,



Currently this is affecting Google Pixel 3 and up that have installed the 
Android 11 security patch in December. We have Google Pixel 2A w/ Android 11 
but the last security patch was provided prior to the one in December and we 
are still to select “Do not validate” option. In conversation with some of our 
integrators they believe that other Android platforms will follow suit.



-Respectfully,

Sr. Wireless Engineer
UCF IT | Telecommunications
University of Central Florida
407.823.4906
richie.penu...@ucf.edu

Please note: Florida has a very broad open records law (F.S. 119). Emails may 
be subject to public disclosure





From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Mathieu Sturm 
<mathieu.st...@hogent.be>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, February 5, 2021 at 9:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



Hello all,



I’ve been testing with 2 devices (Samsung s10 upgraded to android 11 and 
Samsung s20 also upgraded to android 11).

It seems that I’m still able to select “Do not validate” on these devices.



Is this because these devices were upgraded to android 11 and that the newer 
devices which were released with android 11 don’t allow the “Do not validate”?

Or are the pixel phones the only ones?



Regards,



Mathieu



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Hurt,Trenton W.
Sent: Monday, 1 February 2021 22:47
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



FYI



I just received the following from securew2 about some additional security 
changes coming to android 11.







This action will need to take place before the upcoming Android application 
update that is planned for February 15th, 2021.



As you may already be aware, Google mandates server validation to be properly 
configured for WiFi from Android version 11. This means that any 802.1X WiFi 
configuration without the following two settings will fail to connect.



1.  Server Validation

2.  Connect to these server names



For more information about these configurations, please read below.



What is Server Validation in a Network Profile?

This configuration item is for clients to validate a RADIUS server certificate 
chain during an EAP authentication. Clients would forward its requests only 
when the received server certificate is signed by the CA that is configured on 
the SecureW2 Network Profile.  It may be required to upload only the Root CA of 
the RADIUS server certificate, however, in some cases, the full chain may need 
to be provided.



What is the Connect to these server names field?

This field is used to specify the name of your RADIUS server certificate using 
its Common Name. If there is only one RADIUS server in your setup, you can 
quickly find this name from the certificate. If there are more than one RADIUS 
servers, or if the RADIUS server Common Name has more than two subdomains, we 
advise to use a wildcard 

Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-09 Thread Walter Reynolds
I have a Pixel 3 that I did a factory reset on.  Next I did all the
updates needed and it is running Android 11.  The build number is
RQ1A.210205.004 which includes the latest security patch for the phone.

When I go to configure a WPA2 Enterprise network I still have the "Don't
validate" option.

What am I missing here?


Walter Reynolds
Network Architect
Information and Technology Services
University of Michigan
(734) 615-9438


On Sun, Feb 7, 2021 at 3:29 AM Tim Cappalli <
0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:

> I would not expect Pixel 2 and earlier to receive this update as they are
> end of support.
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Richie Penuela <
> richie.penu...@ucf.edu>
> *Sent:* Friday, February 5, 2021 09:37
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
>
> Mathieu,
>
>
>
> Currently this is affecting Google Pixel 3 and up that have installed the
> Android 11 security patch in December. We have Google Pixel 2A w/ Android
> 11 but the last security patch was provided prior to the one in December
> and we are still able to select “Do not validate” option. In conversation with
> some of our integrators they believe that other Android platforms will
> follow suit.
>
>
>
> -Respectfully,
>
>
>
> *[image: signature_2043038681]*
>
> Sr. Wireless Engineer
>
> *UCF **IT | Telecommunications*
>
> University of Central Florida
>
> 407.823.4906
>
> richie.penu...@ucf.edu
>
>
>
> *Please note:* Florida has a very broad open records law (F.S. 119).
> Emails may be subject to public disclosure
>
>
>
>
>
> *From: *The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Mathieu Sturm <
> mathieu.st...@hogent.be>
> *Reply-To: *The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Friday, February 5, 2021 at 9:32 AM
> *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
>
>
> Hello all,
>
>
>
> I’ve been testing with 2 devices (Samsung s10 upgraded to android 11 and
> Samsung s20 also upgraded to android 11).
>
> It seems that I’m still able to select “Do not validate” on these devices.
>
>
>
> Is this because these devices were upgraded to android 11 and that the
> newer devices which were released with android 11 don’t allow the “Do not
> validate”?
>
> Or are the pixel phones the only ones?
>
>
>
> Regards,
>
>
>
> Mathieu
>
>
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Hurt,Trenton W.
> *Sent:* Monday, February 1, 2021 22:47
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
>
>
> FYI
>
>
>
> I just received the following from securew2 about some additional security
> changes coming to android 11.
>
>
>
>
>
>
>
> This action will need to take place before the upcoming Android
> application update that is planned for February 15th, 2021.
>
>
>
> As you may already be aware, Google mandates server validation to be
> properly configured for WiFi from Android version 11. This means that any
> 802.1X WiFi configuration without the following two settings will fail to
> connect.
>
>
>
> 1.  Server Validation
>
> 2.  Connect to these server names
>
>
>
> For more information about these configurations, please read below.
>
>
>
> What is Server Validation in a Network Profile?
>
> This configuration item is for clients to validate a RADIUS server
> certificate chain during an EAP authentication. Clients would forward its
> requests only when the received server certificate is signed by the CA that
> is configured on the SecureW2 Network Profile.  It may be required to
> upload only the Root CA of the RADIUS server certificate, however, in some
> cases, the full chain may need to be provided.
>
>
>
> What is the Connect to these server names field?
>
> This field is used to specify the name of your RADIUS server certificate
> using its Common Name. If there is only one RADIUS server in your setup,
> you can quickly find this name from the certificate. If there are more than
> one RADIUS s

Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-05 Thread Tim Cappalli
I would not expect Pixel 2 and earlier to receive this update as they are end 
of support.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Richie Penuela 

Sent: Friday, February 5, 2021 09:37
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021


Mathieu,



Currently this is affecting Google Pixel 3 and up that have installed the 
Android 11 security patch in December. We have Google Pixel 2A w/ Android 11 
but the last security patch was provided prior to the one in December and we 
are still able to select “Do not validate” option. In conversation with some of our 
integrators they believe that other Android platforms will follow suit.



-Respectfully,



[signature_2043038681]

Sr. Wireless Engineer

UCF IT | Telecommunications

University of Central Florida

407.823.4906

richie.penu...@ucf.edu



Please note: Florida has a very broad open records law (F.S. 119). Emails may 
be subject to public disclosure





From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Mathieu Sturm 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Friday, February 5, 2021 at 9:32 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



Hello all,



I’ve been testing with 2 devices (Samsung s10 upgraded to android 11 and 
Samsung s20 also upgraded to android 11).

It seems that I’m still able to select “Do not validate” on these devices.



Is this because these devices were upgraded to android 11 and that the newer 
devices which were released with android 11 don’t allow the “Do not validate”?

Or are the pixel phones the only ones?



Regards,



Mathieu



From: The EDUCAUSE Wireless Issues Community Group Listserv
 On Behalf Of Hurt,Trenton W.
Sent: Monday, February 1, 2021 22:47
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



FYI



I just received the following from securew2 about some additional security 
changes coming to android 11.







This action will need to take place before the upcoming Android application 
update that is planned for February 15th, 2021.



As you may already be aware, Google mandates server validation to be properly 
configured for WiFi from Android version 11. This means that any 802.1X WiFi 
configuration without the following two settings will fail to connect.



1.  Server Validation

2.  Connect to these server names



For more information about these configurations, please read below.



What is Server Validation in a Network Profile?

This configuration item is for clients to validate a RADIUS server certificate 
chain during an EAP authentication. Clients would forward its requests only 
when the received server certificate is signed by the CA that is configured on 
the SecureW2 Network Profile.  It may be required to upload only the Root CA of 
the RADIUS server certificate, however, in some cases, the full chain may need 
to be provided.



What is the Connect to these server names field?

This field is used to specify the name of your RADIUS server certificate using 
its Common Name. If there is only one RADIUS server in your setup, you can 
quickly find this name from the certificate. If there are more than one RADIUS 
servers, or if the RADIUS server Common Name has more than two subdomains, we 
advise to use a wildcard name.



For example:

If the RADIUS server certificate’s Common Name = radius.domain.com Connect to 
these server names should be radius.domain.com



If the RADIUS server certificate’s Common Name = 
radius.lab.department.domain.com Connect to these server names should be 
*.department.domain.com or *.domain.com









Thanks

Trent



Trenton Hurt, CWNE #172,ACMP,ACCP,CCNP(W),CCNA(W),CCNA(V),CCNA(R/S)

Network Analyst

University of Louisville

Phone (502) 852-1513



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

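The "Server Validation" and "Connect to these server names" settings from the notice quoted in the message above, as an added example that is not part of the thread or any vendor's code. It audits a client profile (a plain dict with the hypothetical keys `ca_cert` and `server_names`) against the server certificate names, using the label-by-label suffix comparison that wpa_supplicant documents for `domain_suffix_match`; reading a leading `*.` as "this domain and everything below it" is an assumption about the notice's notation, and the "too broad" check is a heuristic added here.

```python
"""Audit an 802.1X Wi-Fi client profile for the two settings in the vendor
notice: a trust anchor (server validation) and a server-name constraint.
Profile keys and sample values are constructed for this example."""


def _labels(name):
    # Lower-case, drop one trailing dot, split into DNS labels.
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def _strip_wildcard(configured):
    # Assumption: "*.domain.com" in the notice means the suffix "domain.com".
    configured = configured.strip()
    return configured[2:] if configured.startswith("*.") else configured


def suffix_match(cert_name, configured):
    """Label-by-label suffix comparison, starting from the top-level domain.

    Comparing whole labels (not raw string endings) is what stops
    "evil-domain.com" from satisfying a constraint of "domain.com".
    """
    want, have = _labels(_strip_wildcard(configured)), _labels(cert_name)
    if "" in want or "" in have or len(want) > len(have):
        return False
    return have[-len(want):] == want


def audit_profile(profile, server_cert_names):
    """Return finding codes; an empty list means the profile pins both the
    issuing CA and the RADIUS server name."""
    findings = []
    ca = profile.get("ca_cert")  # None, "system", or a CA file name
    names = [n for n in profile.get("server_names", []) if n.strip()]

    if not ca:
        findings.append("no-server-validation")
    if not names:
        findings.append("no-server-name")
        if ca == "system":
            # Without a name, any certificate from any public CA chains.
            findings.append("any-public-ca-accepted")
        return findings

    # Heuristic added here: a single-label suffix such as "com" pins nothing.
    if any(len(_labels(_strip_wildcard(n))) < 2 for n in names):
        findings.append("server-name-too-broad")
    if not any(suffix_match(c, n) for c in server_cert_names for n in names):
        findings.append("server-name-mismatch")
    return findings


# Constructed sample data: host names come from the examples in the notice,
# the profiles and the CA file name are invented for illustration.
SERVER_CERT_NAMES = ["radius.lab.department.domain.com"]
PROFILES = {
    "do-not-validate": {"ca_cert": None, "server_names": []},
    "system-ca-only": {"ca_cert": "system", "server_names": []},
    "exact-other-host": {"ca_cert": "campus-root.pem",
                         "server_names": ["radius.domain.com"]},
    "tld-only": {"ca_cert": "campus-root.pem", "server_names": ["*.com"]},
    "pinned": {"ca_cert": "campus-root.pem",
               "server_names": ["*.department.domain.com"]},
}


def audit_all():
    return {k: audit_profile(p, SERVER_CERT_NAMES) for k, p in PROFILES.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name:18} {findings or 'ok'}")
```
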

Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-05 Thread Richie Penuela
Mathieu,

Currently this is affecting Google Pixel 3 and up that have installed the 
Android 11 security patch in December. We have Google Pixel 2A w/ Android 11 
but the last security patch was provided prior to the one in December and we 
are still able to select “Do not validate” option. In conversation with some of our 
integrators they believe that other Android platforms will follow suit.

-Respectfully,

[signature_2043038681]
Sr. Wireless Engineer
UCF IT | Telecommunications
University of Central Florida
407.823.4906
richie.penu...@ucf.edu

Please note: Florida has a very broad open records law (F.S. 119). Emails may 
be subject to public disclosure


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Mathieu Sturm 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Friday, February 5, 2021 at 9:32 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Hello all,

I’ve been testing with 2 devices (Samsung s10 upgraded to android 11 and 
Samsung s20 also upgraded to android 11).
It seems that I’m still able to select “Do not validate” on these devices.

Is this because these devices were upgraded to android 11 and that the newer 
devices which were released with android 11 don’t allow the “Do not validate”?
Or are the pixel phones the only ones?

Regards,

Mathieu

From: The EDUCAUSE Wireless Issues Community Group Listserv
 On Behalf Of Hurt,Trenton W.
Sent: Monday, February 1, 2021 22:47
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

FYI

I just received the following from securew2 about some additional security 
changes coming to android 11.




This action will need to take place before the upcoming Android application 
update that is planned for February 15th, 2021.



As you may already be aware, Google mandates server validation to be properly 
configured for WiFi from Android version 11. This means that any 802.1X WiFi 
configuration without the following two settings will fail to connect.



1.  Server Validation

2.  Connect to these server names



For more information about these configurations, please read below.



What is Server Validation in a Network Profile?

This configuration item is for clients to validate a RADIUS server certificate 
chain during an EAP authentication. Clients would forward its requests only 
when the received server certificate is signed by the CA that is configured on 
the SecureW2 Network Profile.  It may be required to upload only the Root CA of 
the RADIUS server certificate, however, in some cases, the full chain may need 
to be provided.



What is the Connect to these server names field?

This field is used to specify the name of your RADIUS server certificate using 
its Common Name. If there is only one RADIUS server in your setup, you can 
quickly find this name from the certificate. If there are more than one RADIUS 
servers, or if the RADIUS server Common Name has more than two subdomains, we 
advise to use a wildcard name.



For example:

If the RADIUS server certificate’s Common Name = radius.domain.com Connect to 
these server names should be radius.domain.com



If the RADIUS server certificate’s Common Name = 
radius.lab.department.domain.com Connect to these server names should be 
*.department.domain.com or *.domain.com









Thanks

Trent

Trenton Hurt, CWNE #172,ACMP,ACCP,CCNP(W),CCNA(W),CCNA(V),CCNA(R/S)
Network Analyst
University of Louisville
Phone (502) 852-1513



RE: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Hurt,Trenton W.
FYI

Tim you are correct in the android update in Dec are the changes and these 
additional pieces are securew2 specific.  This is what support told me

The change that was done by android in dec is that any manual connection 
attempt would not work with these config in place. Our SecureW2 application in 
playstore wasn't updated since then but now the application needs to be updated 
and when the app is updated it needs to make sure android 11 can be configured 
with the specified parameters.


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Hurt,Trenton W.
Sent: Monday, February 1, 2021 6:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

CAUTION: This email originated from outside of our organization. Do not click 
links, open attachments, or respond unless you recognize the sender's email 
address and know the contents are safe.
LOL if it's working now on those android 11 devices as is then I guess it is.  
And if it's not well then Feb 15th I guess will be fun

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
on behalf of Tim Cappalli
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Monday, February 1, 2021 6:06:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021


If the supplicant is properly configured, then yes.


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
on behalf of Hurt,Trenton W.
<trent.h...@louisville.edu>
Sent: Monday, February 1, 2021 18:03
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Tim

I know you can't comment specifically on my setup or environment but if I have 
android 11 pixel 4 and others that have the December update already and the do 
not validate is not an option for those devices but they can use our onboard 
eap tls workflow and the devices auth via that method.  Do you think that my 
setup (regardless if it's not the most secure way or whatever) will still work 
after this feb 15 date?

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
on behalf of Trenton Hurt <trenth...@gmail.com>
Sent: Monday, February 1, 2021 5:55:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021


Android 11 (pixels 4 and other google handsets) have been doing the do not 
validate since early dec and for us it meant eap peap unmanaged over the air ( 
yes I know Tim this is not secure method but just how it is or was anyway).  
Now those users don't have eap peap option and we have been moving them to our 
eap tls onboarding and this has been working for those android 11 users.  I 
just wasn't sure if these were additional security measures that I needed to 
look out for or make some changes to my onboard profile stuff to make sure 
these android 11 still work after February 15

On Mon, Feb 1, 2021 at 5:28 PM Jennifer Minella 
<j...@cadinc.com> wrote:

I may disagree with some of the other feedback here...  I think this is a big 
deal.



It sounds like Google will be enforcing proper server validation for 
802.1X-secured networks, based on what Trent sent originally. I believe Apple 
already has been enforcing this for a bit.



If my guess is correct (I'll try to find a link) then what it means is - after 
this update, you can't tell the endpoint to ignore or bypass the server 
certificate for 802.1X (any EAP method).



The impact of this is...

  *   If your organization has any endpoints that have been configured to use 
a secured network but are ignoring the server's certificate - then that will 
STOP working suddenly at the update.
  *   This setting (ignore/don't validate server cert) is not ideal but it's 
prevalent especially for things l

Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Jonathan Waldrep
 I'd be down for a QR code that onboards clients. Just put up a warning
saying, "hey, this is a camera-readable password" before clicking to
reveal it.

 I don't particularly care about a 100x zoom if my back is to a wall.
Walk in support could easily setup a kiosk that makes it a non-issue.
For walk-in support, an NFC pad would also work really well.

 Of course, this only works on devices that you can easily use the
camera or NFC on, but those also tend to be the more difficult devices
to on-board.

On 2021-02-02 18:55:59+, Tim Cappalli wrote:
> Yeah, I think you're asking for a profile-like configuration mechanism on 
> Android which is different than invocation of provisioning. I agree and hope 
> there will be some traction in this area in the future.
> 
> For the time being though, you could still have a generic QR code that takes 
> users to a landing page where you can use UA detection to invoke the correct 
> flow, be it a profile download or just instructions.
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of Hunter Fuller 
> <0211f6bc0913-dmarc-requ...@listserv.educause.edu>
> Sent: Tuesday, February 2, 2021 13:53
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: 
> [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 
> 15th 2021
> 
> That's fair, and it's why I included the bit about requiring existing 
> connectivity. I think in my mind, if there was a certificate involved, it 
> would be downloaded from the Internet once the QR code was scanned. This is 
> similar to what you can do with .mobileconfig files on iOS. You do have to 
> find a way to get the .mobileconfig file into Safari on the device, but once 
> you do that, the configuration process is quite streamlined. An Android 
> equivalent would be amazing.
> 
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
> 
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
> 
> 
> On Tue, Feb 2, 2021 at 12:48 PM Tim Cappalli 
> <0194c9ecac40-dmarc-requ...@listserv.educause.edu>
>  wrote:
> I can scan a QR code with embedded credentials over your shoulder
> 
> (I think the newest Galaxy has 100x zoom?)
> 
> 
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
>  on behalf of Hunter Fuller 
> <0211f6bc0913-dmarc-requ...@listserv.educause.edu>
> Sent: Tuesday, February 2, 2021 13:45
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: 
> [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
> 
> I don't follow how sending someone configuration via a QR code on our 
> website, would have a different trust profile from showing instructions on 
> that same website, or sending them to eduroam CAT from that website.
> 
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
> 
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
> 
> 
> On Tue, Feb 2, 2021 at 12:43 PM Tim Cappalli 
> <0194c9ecac40-dmarc-requ...@listserv.educause.edu>
>  wrote:
> While UX is great with QR codes, security and trust is challenging.
> 
> You'll start to see more QR-based provisioning with IoT as part of Wi-Fi Easy 
> Connect but those have other security layers baked on top.
> 
> 
> 
> 
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
>  on behalf of Hunter Fuller 
> <00000211f6bc0913-dmarc-requ...@listserv.educause.edu>
> Sent: Tuesday, February 2, 2021 13:41
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming 
> changes Feb 15th 2021
> 
> I wish there was a QR schema. Even if it only worked on devices with another 
> connection available (LTE, etc.) to download the config. Sigh.
> 
> The closest we have right no

Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Tim Cappalli
Yeah, I think you're asking for a profile-like configuration mechanism on 
Android which is different than invocation of provisioning. I agree and hope 
there will be some traction in this area in the future.

For the time being though, you could still have a generic QR code that takes 
users to a landing page where you can use UA detection to invoke the correct 
flow, be it a profile download or just instructions.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Hunter Fuller 
<0211f6bc0913-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 13:53
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: 
[WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 
15th 2021

That's fair, and it's why I included the bit about requiring existing 
connectivity. I think in my mind, if there was a certificate involved, it would 
be downloaded from the Internet once the QR code was scanned. This is similar 
to what you can do with .mobileconfig files on iOS. You do have to find a way 
to get the .mobileconfig file into Safari on the device, but once you do that, 
the configuration process is quite streamlined. An Android equivalent would be 
amazing.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:48 PM Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
 wrote:
I can scan a QR code with embedded credentials over your shoulder

(I think the newest Galaxy has 100x zoom?)



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
on behalf of Hunter Fuller
<0211f6bc0913-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 13:45
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: 
[WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

I don't follow how sending someone configuration via a QR code on our website, 
would have a different trust profile from showing instructions on that same 
website, or sending them to eduroam CAT from that website.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:43 PM Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
 wrote:
While UX is great with QR codes, security and trust is challenging.

You'll start to see more QR-based provisioning with IoT as part of Wi-Fi Easy 
Connect but those have other security layers baked on top.





From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
on behalf of Hunter Fuller
<0211f6bc0913-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 13:41
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming 
changes Feb 15th 2021

I wish there was a QR schema. Even if it only worked on devices with another 
connection available (LTE, etc.) to download the config. Sigh.

The closest we have right now is scanning a QR code leading to a .mobileconfig 
file on iOS.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:29 PM Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
 wrote:
Well, again, you should be properly configuring the supplicant regardless, so 
the instructions would apply to any version of Android

RE: QR, no, enterprise authentication is not supported. A supplicant 
configuration tool should always be used. The supplicant was not designed to be 
manually configured by end users (on any OS).



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
on behalf of Michael Holden
<mhol...@datanetworksolutions.com>
Sent: Tuesday, February 2, 2021 13:16
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LA

Re: [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Hunter Fuller
That's fair, and it's why I included the bit about requiring existing
connectivity. I think in my mind, if there was a certificate involved, it
would be downloaded from the Internet once the QR code was scanned. This is
similar to what you can do with .mobileconfig files on iOS. You do have to
find a way to get the .mobileconfig file into Safari on the device, but
once you do that, the configuration process is quite streamlined. An
Android equivalent would be amazing.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:48 PM Tim Cappalli <
0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:

> I can scan a QR code with embedded credentials over your shoulder
>
> (I think the newest Galaxy has 100x zoom?)
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <
> 0211f6bc0913-dmarc-requ...@listserv.educause.edu>
> *Sent:* Tuesday, February 2, 2021 13:45
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External]
> Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> I don't follow how sending someone configuration via a QR code on our
> website, would have a different trust profile from showing instructions on
> that same website, or sending them to eduroam CAT from that website.
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
>
> On Tue, Feb 2, 2021 at 12:43 PM Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> While UX is great with QR codes, security and trust is challenging.
>
> You'll start to see more QR-based provisioning with IoT as part of Wi-Fi
> Easy Connect but those have other security layers baked on top.
>
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <
> 0211f6bc0913-dmarc-requ...@listserv.educause.edu>
> *Sent:* Tuesday, February 2, 2021 13:41
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11
> upcoming changes Feb 15th 2021
>
> I wish there was a QR schema. Even if it only worked on devices with
> another connection available (LTE, etc.) to download the config. Sigh.
>
> The closest we have right now is scanning a QR code leading to a
> .mobileconfig file on iOS.
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
>
> On Tue, Feb 2, 2021 at 12:29 PM Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> Well, again, you should be properly configuring the supplicant regardless,
> so the instructions would apply to any version of Android
>
> RE: QR, no, enterprise authentication is not supported. A supplicant
> configuration tool should always be used. The supplicant was not designed
> to be manually configured by end users (on any OS).
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Holden <
> mhol...@datanetworksolutions.com>
> *Sent:* Tuesday, February 2, 2021 13:16
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> We've seen much the same.
> A Pixel 2XL and a Pixel3XL fully updated, the 2XL had the Don't Validate
> option, but the Pixel3XL did not.
>
> We added the CA cert to a subpage on the guest captive portal for ease of
> access to the Wireless device, and provided some instructions for the
> devices.
> The workflow to manually add the Wireless Trust was a bit flaky too with
> Modify Settings not really working.
>
> The instruction set that appeared to work as of the current (January 2021)
> Android software release on the Pixel 3XL not tested on Pixel 4/4a/5:
>
>
> 1. Download the CA cert from the ClearPass Guest Captive Portal Page
> 2. Go to Settings
> 3. Network & Internet
> 4. Wi-Fi
> 5. Wi-Fi preferences
> 6. Advanced
> 

Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Tim Cappalli
I can scan a QR code with embedded credentials over your shoulder

(I think the newest Galaxy has 100x zoom?)



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Hunter Fuller 
<0211f6bc0913-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 13:45
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: 
[WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

I don't follow how sending someone configuration via a QR code on our website, 
would have a different trust profile from showing instructions on that same 
website, or sending them to eduroam CAT from that website.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:43 PM Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
While UX is great with QR codes, security and trust is challenging.

You'll start to see more QR-based provisioning with IoT as part of Wi-Fi Easy 
Connect but those have other security layers baked on top.





From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller 
<0211f6bc0913-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 13:41
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming 
changes Feb 15th 2021

I wish there was a QR schema. Even if it only worked on devices with another 
connection available (LTE, etc.) to download the config. Sigh.

The closest we have right now is scanning a QR code leading to a .mobileconfig 
file on iOS.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:29 PM Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
Well, again, you should be properly configuring the supplicant regardless, so 
the instructions would apply to any version of Android

RE: QR, no, enterprise authentication is not supported. A supplicant 
configuration tool should always be used. The supplicant was not designed to be 
manually configured by end users (on any OS).



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Holden 
<mhol...@datanetworksolutions.com>
Sent: Tuesday, February 2, 2021 13:16
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

We've seen much the same.
A Pixel 2XL and a Pixel3XL fully updated, the 2XL had the Don't Validate 
option, but the Pixel3XL did not.

We added the CA cert to a subpage on the guest captive portal for ease of 
access to the Wireless device, and provided some instructions for the devices.
The workflow to manually add the Wireless Trust was a bit flaky too with Modify 
Settings not really working.

The instruction set that appeared to work as of the current (January 2021) 
Android software release on the Pixel 3XL not tested on Pixel 4/4a/5:


  1.  Download the CA cert from the ClearPass Guest Captive Portal Page
  2.  Go to Settings
  3.  Network & Internet
  4.  Wi-Fi
  5.  Wi-Fi preferences
  6.  Advanced
  7.  Install Certificate
  8.  Choose the Certificate downloaded in the first step
  9.  Name the Certificate
  10. Connect to the Secure SSID
      *   Change the Certificate from System Certs to the Certificate name 
          entered in the previous step
      *   Domain to 
      *   Identity as the username
      *   Password as the user’s password
      *   Connect
  11. Confirm Wireless is connected to the WPA2-Enterprise SSID
      *   You may have to forget and add network as the Modify Setting on the 
          SSID does not appear to work properly as of January, 2021 Android 
          Software release


There is a QR code that can be created for PSK networks, has anyone seen if 
this is possible for WPA2/3-Enterprise?



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday

Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Travis Schick
this is my favorite QR code

use it as my profile pic :)

[image: image.png]

I and our help desk love the CAT tool

On Tue, Feb 2, 2021 at 10:41 AM Hunter Fuller <
0211f6bc0913-dmarc-requ...@listserv.educause.edu> wrote:

> I wish there was a QR schema. Even if it only worked on devices with
> another connection available (LTE, etc.) to download the config. Sigh.
>
> The closest we have right now is scanning a QR code leading to a
> .mobileconfig file on iOS.
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
>
> On Tue, Feb 2, 2021 at 12:29 PM Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
>> Well, again, you should be properly configuring the supplicant
>> regardless, so the instructions would apply to any version of Android
>>
>> RE: QR, no, enterprise authentication is not supported. A supplicant
>> configuration tool should always be used. The supplicant was not designed
>> to be manually configured by end users (on any OS).
>>
>>
>> --
>> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Holden <
>> mhol...@datanetworksolutions.com>
>> *Sent:* Tuesday, February 2, 2021 13:16
>> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
>> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>>
>> We've seen much the same.
>> A Pixel 2XL and a Pixel3XL fully updated, the 2XL had the Don't Validate
>> option, but the Pixel3XL did not.
>>
>> We added the CA cert to a subpage on the guest captive portal for ease of
>> access to the Wireless device, and provided some instructions for the
>> devices.
>> The workflow to manually add the Wireless Trust was a bit flaky too with
>> Modify Settings not really working.
>>
>> The instruction set that appeared to work as of the current (January
>> 2021) Android software release on the Pixel 3XL not tested on Pixel 4/4a/5:
>>
>>
>> 1. Download the CA cert from the ClearPass Guest Captive Portal Page
>> 2. Go to Settings
>> 3. Network & Internet
>> 4. Wi-Fi
>> 5. Wi-Fi preferences
>> 6. Advanced
>> 7. Install Certificate
>> 8. Choose the Certificate downloaded in the first step
>> 9. Name the Certificate
>> 10. Connect to the Secure SSID
>>     1. Change the Certificate from System Certs to the Certificate
>>        name entered in the previous step
>>     2. Domain to 
>>     3. Identity as the username
>>     4. Password as the user’s password
>>     5. Connect
>> 11. Confirm Wireless is connected to the WPA2-Enterprise SSID
>>     1. You may have to forget and add network as the Modify Setting on
>>        the SSID does not appear to work properly as of January, 2021 Android
>>        Software release
>>
>>
>>
>> There is a QR code that can be created for PSK networks, has anyone seen
>> if this is possible for WPA2/3-Enterprise?
>>
>>
>> --
>> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <
>> 0194c9ecac40-dmarc-requ...@listserv.educause.edu>
>> *Sent:* Tuesday, February 2, 2021 12:54
>> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
>> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>>
>> Screenshot please.
>>
>>
>> --
>> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Walter Reynolds <
>> wa...@umich.edu>
>> *Sent:* Tuesday, February 2, 2021 12:46
>> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
>> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>>
>> Can someone explain something to me?
>>
>> I have a Pixel 3 that I did a factory reset on.  Next I did all the
>> updates needed and it is running Android 11.  The build number is
>> RQ1A.210205.004 which includes the latest security patch for the phone.
>>
>> When I go to configure a WPA2 Enterprise network I still have the "Don't
>> validate" option.
>>
>> What am I missing

Re: [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Hunter Fuller
I don't follow how sending someone configuration via a QR code on our
website, would have a different trust profile from showing instructions on
that same website, or sending them to eduroam CAT from that website.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:43 PM Tim Cappalli <
0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:

> While UX is great with QR codes, security and trust is challenging.
>
> You'll start to see more QR-based provisioning with IoT as part of Wi-Fi
> Easy Connect but those have other security layers baked on top.
>
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <
> 0211f6bc0913-dmarc-requ...@listserv.educause.edu>
> *Sent:* Tuesday, February 2, 2021 13:41
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11
> upcoming changes Feb 15th 2021
>
> I wish there was a QR schema. Even if it only worked on devices with
> another connection available (LTE, etc.) to download the config. Sigh.
>
> The closest we have right now is scanning a QR code leading to a
> .mobileconfig file on iOS.
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
>
> On Tue, Feb 2, 2021 at 12:29 PM Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> Well, again, you should be properly configuring the supplicant regardless,
> so the instructions would apply to any version of Android
>
> RE: QR, no, enterprise authentication is not supported. A supplicant
> configuration tool should always be used. The supplicant was not designed
> to be manually configured by end users (on any OS).
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Holden <
> mhol...@datanetworksolutions.com>
> *Sent:* Tuesday, February 2, 2021 13:16
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> We've seen much the same.
> A Pixel 2XL and a Pixel3XL fully updated, the 2XL had the Don't Validate
> option, but the Pixel3XL did not.
>
> We added the CA cert to a subpage on the guest captive portal for ease of
> access to the Wireless device, and provided some instructions for the
> devices.
> The workflow to manually add the Wireless Trust was a bit flaky too with
> Modify Settings not really working.
>
> The instruction set that appeared to work as of the current (January 2021)
> Android software release on the Pixel 3XL not tested on Pixel 4/4a/5:
>
>
> 1. Download the CA cert from the ClearPass Guest Captive Portal Page
> 2. Go to Settings
> 3. Network & Internet
> 4. Wi-Fi
> 5. Wi-Fi preferences
> 6. Advanced
> 7. Install Certificate
> 8. Choose the Certificate downloaded in the first step
> 9. Name the Certificate
> 10. Connect to the Secure SSID
>     1. Change the Certificate from System Certs to the Certificate name
>        entered in the previous step
>     2. Domain to 
>     3. Identity as the username
>     4. Password as the user’s password
>     5. Connect
> 11. Confirm Wireless is connected to the WPA2-Enterprise SSID
>     1. You may have to forget and add network as the Modify Setting on
>        the SSID does not appear to work properly as of January, 2021 Android
>        Software release
>
>
>
> There is a QR code that can be created for PSK networks, has anyone seen
> if this is possible for WPA2/3-Enterprise?
>
>
> ------
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@listserv.educause.edu>
> *Sent:* Tuesday, February 2, 2021 12:54
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> Screenshot please.
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Walter Reynolds <
>

Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Tim Cappalli
While UX is great with QR codes, security and trust is challenging.

You'll start to see more QR-based provisioning with IoT as part of Wi-Fi Easy 
Connect but those have other security layers baked on top.





From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Hunter Fuller 
<0211f6bc0913-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 13:41
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] android 11 upcoming 
changes Feb 15th 2021

I wish there was a QR schema. Even if it only worked on devices with another 
connection available (LTE, etc.) to download the config. Sigh.

The closest we have right now is scanning a QR code leading to a .mobileconfig 
file on iOS.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:29 PM Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
Well, again, you should be properly configuring the supplicant regardless, so 
the instructions would apply to any version of Android

RE: QR, no, enterprise authentication is not supported. A supplicant 
configuration tool should always be used. The supplicant was not designed to be 
manually configured by end users (on any OS).



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Holden 
<mhol...@datanetworksolutions.com>
Sent: Tuesday, February 2, 2021 13:16
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

We've seen much the same.
A Pixel 2XL and a Pixel3XL fully updated, the 2XL had the Don't Validate 
option, but the Pixel3XL did not.

We added the CA cert to a subpage on the guest captive portal for ease of 
access to the Wireless device, and provided some instructions for the devices.
The workflow to manually add the Wireless Trust was a bit flaky too with Modify 
Settings not really working.

The instruction set that appeared to work as of the current (January 2021) 
Android software release on the Pixel 3XL not tested on Pixel 4/4a/5:


  1.  Download the CA cert from the ClearPass Guest Captive Portal Page
  2.  Go to Settings
  3.  Network & Internet
  4.  Wi-Fi
  5.  Wi-Fi preferences
  6.  Advanced
  7.  Install Certificate
  8.  Choose the Certificate downloaded in the first step
  9.  Name the Certificate
  10. Connect to the Secure SSID
      *   Change the Certificate from System Certs to the Certificate name 
          entered in the previous step
      *   Domain to 
      *   Identity as the username
      *   Password as the user’s password
      *   Connect
  11. Confirm Wireless is connected to the WPA2-Enterprise SSID
      *   You may have to forget and add network as the Modify Setting on the 
          SSID does not appear to work properly as of January, 2021 Android 
          Software release


There is a QR code that can be created for PSK networks, has anyone seen if 
this is possible for WPA2/3-Enterprise?



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 12:54
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Screenshot please.




From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Walter Reynolds 
<wa...@umich.edu>
Sent: Tuesday, February 2, 2021 12:46
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Can someone explain something to me?

I have a Pixel 3 that I did a factory reset on.  Next I did all the updates 
needed and it is running Android 11.  The build number is RQ1A.210205.004 which 
includes the latest security patch for the phone.

When I go to configure a WPA2 Enterprise network I still have the "Don't 
validate" option.

What am I missing here?


Walter Reynolds
Network Architect
Information and Technology Services
University of Michigan
(734) 615-9438


On Tue, Feb 2, 2021 at 8:51 AM Hurt,Trenton W. 
ma

Re: [External] Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Hunter Fuller
I wish there was a QR schema. Even if it only worked on devices with
another connection available (LTE, etc.) to download the config. Sigh.

The closest we have right now is scanning a QR code leading to a
.mobileconfig file on iOS.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Feb 2, 2021 at 12:29 PM Tim Cappalli <
0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:

> Well, again, you should be properly configuring the supplicant regardless,
> so the instructions would apply to any version of Android
>
> RE: QR, no, enterprise authentication is not supported. A supplicant
> configuration tool should always be used. The supplicant was not designed
> to be manually configured by end users (on any OS).
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Holden <
> mhol...@datanetworksolutions.com>
> *Sent:* Tuesday, February 2, 2021 13:16
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> We've seen much the same.
> A Pixel 2XL and a Pixel3XL fully updated, the 2XL had the Don't Validate
> option, but the Pixel3XL did not.
>
> We added the CA cert to a subpage on the guest captive portal for ease of
> access to the Wireless device, and provided some instructions for the
> devices.
> The workflow to manually add the Wireless Trust was a bit flaky too with
> Modify Settings not really working.
>
> The instruction set that appeared to work as of the current (January 2021)
> Android software release on the Pixel 3XL not tested on Pixel 4/4a/5:
>
>
> 1. Download the CA cert from the ClearPass Guest Captive Portal Page
> 2. Go to Settings
> 3. Network & Internet
> 4. Wi-Fi
> 5. Wi-Fi preferences
> 6. Advanced
> 7. Install Certificate
> 8. Choose the Certificate downloaded in the first step
> 9. Name the Certificate
> 10. Connect to the Secure SSID
>     1. Change the Certificate from System Certs to the Certificate name
>        entered in the previous step
>     2. Domain to 
>     3. Identity as the username
>     4. Password as the user’s password
>     5. Connect
> 11. Confirm Wireless is connected to the WPA2-Enterprise SSID
>     1. You may have to forget and add network as the Modify Setting on
>        the SSID does not appear to work properly as of January, 2021 Android
>        Software release
>
>
>
> There is a QR code that can be created for PSK networks, has anyone seen
> if this is possible for WPA2/3-Enterprise?
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@listserv.educause.edu>
> *Sent:* Tuesday, February 2, 2021 12:54
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> Screenshot please.
>
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Walter Reynolds <
> wa...@umich.edu>
> *Sent:* Tuesday, February 2, 2021 12:46
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> Can someone explain something to me?
>
> I have a Pixel 3 that I did a factory reset on.  Next I did all the updates
> needed and it is running Android 11.  The build number is RQ1A.210205.004
> which includes the latest security patch for the phone.
>
> When I go to configure a WPA2 Enterprise network I still have the "Don't
> validate" option.
>
> What am I missing here?
>
> 
> Walter Reynolds
> Network Architect
> Information and Technology Services
> University of Michigan
> (734) 615-9438
>
>
> On Tue, Feb 2, 2021 at 8:51 AM Hurt,Trenton W. 
> wrote:
>
> LOL if it’s working now on those android 11 devices as is then I guess it
> is.  And if it’s not well then Feb 15th I guess will be fun
>
> Trent Hurt
>
> University of Louisville
>
> ----------
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@li

Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Tim Cappalli
Well, again, you should be properly configuring the supplicant regardless, so 
the instructions would apply to any version of Android

RE: QR, no, enterprise authentication is not supported. A supplicant 
configuration tool should always be used. The supplicant was not designed to be 
manually configured by end users (on any OS).



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Michael Holden 

Sent: Tuesday, February 2, 2021 13:16
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

We've seen much the same.
A Pixel 2XL and a Pixel3XL fully updated, the 2XL had the Don't Validate 
option, but the Pixel3XL did not.

We added the CA cert to a subpage on the guest captive portal for ease of 
access to the Wireless device, and provided some instructions for the devices.
The workflow to manually add the Wireless Trust was a bit flaky too with Modify 
Settings not really working.

The instruction set that appeared to work as of the current (January 2021) 
Android software release on the Pixel 3XL not tested on Pixel 4/4a/5:


  1.  Download the CA cert from the ClearPass Guest Captive Portal Page
  2.  Go to Settings
  3.  Network & Internet
  4.  Wi-Fi
  5.  Wi-Fi preferences
  6.  Advanced
  7.  Install Certificate
  8.  Choose the Certificate downloaded in the first step
  9.  Name the Certificate
  10. Connect to the Secure SSID
      *   Change the Certificate from System Certs to the Certificate name 
          entered in the previous step
      *   Domain to 
      *   Identity as the username
      *   Password as the user’s password
      *   Connect
  11. Confirm Wireless is connected to the WPA2-Enterprise SSID
      *   You may have to forget and add network as the Modify Setting on the 
          SSID does not appear to work properly as of January, 2021 Android 
          Software release


There is a QR code that can be created for PSK networks, has anyone seen if 
this is possible for WPA2/3-Enterprise?



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 12:54
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Screenshot please.




From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Walter Reynolds 

Sent: Tuesday, February 2, 2021 12:46
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Can someone explain something to me?

I have a Pixel 3 that I did a factory reset on.  Next I did all the updates 
needed and it is running Android 11.  The build number is RQ1A.210205.004 which 
includes the latest security patch for the phone.

When I go to configure a WPA2 Enterprise network I still have the "Don't 
validate" option.

What am I missing here?


Walter Reynolds
Network Architect
Information and Technology Services
University of Michigan
(734) 615-9438


On Tue, Feb 2, 2021 at 8:51 AM Hurt,Trenton W. 
<trent.h...@louisville.edu> wrote:
LOL if it’s working now on those android 11 devices as is then I guess it is.  
And if it’s not well then Feb 15th I guess will be fun

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Monday, February 1, 2021 6:06:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021


If the supplicant is properly configured, then yes.


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hurt,Trenton W. 
<trent.h...@louisville.edu>
Sent: Monday, February 1, 2021 18:03
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Tim

I know you can’t comment specifically on my setup or environment but if I have 
android 11 pixel 4 and others that have the December update already and the do 
not validate is not an option for those devices but they can use our onboard 
eap tls workflow and the devices aut
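
Added example, not part of the message above and not code from any poster or vendor: one way to check what "properly configured" means for a supplicant, namely that an 802.1X network has both a CA trust anchor and an expected server name. It assumes wpa_supplicant-style network blocks, a format the thread itself does not show; the sample config, SSIDs, identities and paths are constructed.

```python
"""Lint wpa_supplicant-style network blocks for server-certificate validation."""

# Constructed sample (SSIDs, identities and paths are made up for illustration).
SAMPLE_CONF = """
# 802.1X network with no trust anchor: the server certificate is not verified.
network={
    ssid="campus-novalidate"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="placeholder"
    phase2="auth=MSCHAPV2"
}
# Trusts a whole CA directory but never says which server name is expected.
network={
    ssid="campus-anyname"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="placeholder"
    ca_path="/etc/ssl/certs"
}
# One CA file plus an expected server-name suffix.
network={
    ssid="campus-pinned"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.edu"
    ca_cert="/etc/wifi/radius-ca.pem"
    domain_suffix_match="radius.example.edu"
}
# PSK network: no EAP server certificate is involved, so it is skipped.
network={
    ssid="guest-psk"
    key_mgmt=WPA-PSK
    psk="placeholder-passphrase"
}
"""

# wpa_supplicant options that name which CA(s) the server cert must chain to.
TRUST_ANCHOR_KEYS = ("ca_cert", "ca_path")
# Options that constrain which server name the certificate must carry.
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match")


def parse_networks(conf_text):
    """Return one dict per network={...} block, with surrounding quotes stripped."""
    networks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # split once: values may contain '='
            current[key.strip()] = value.strip().strip('"')
    return networks


def is_enterprise(net):
    """True when the block uses 802.1X/EAP rather than PSK or an open network."""
    tokens = net.get("key_mgmt", "").split()
    return "eap" in net or any("EAP" in t or t == "IEEE8021X" for t in tokens)


def lint_network(net):
    """Return finding codes for one 802.1X network block (empty list = OK)."""
    findings = []
    if not any(net.get(k) for k in TRUST_ANCHOR_KEYS):
        # Same effect as the "Don't validate" choice discussed in the thread.
        findings.append("no-trust-anchor")
    if not any(net.get(k) for k in SERVER_NAME_KEYS):
        # Any certificate chaining to a trusted CA would be accepted.
        findings.append("no-server-name")
    return findings


def audit(conf_text):
    """Map each enterprise SSID in the config to its list of findings."""
    return {
        net.get("ssid", "<unnamed>"): lint_network(net)
        for net in parse_networks(conf_text)
        if is_enterprise(net)
    }


if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(f"{ssid}: {', '.join(findings) if findings else 'ok'}")
```
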

Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Michael Holden
We've seen much the same.
A Pixel 2XL and a Pixel3XL fully updated, the 2XL had the Don't Validate 
option, but the Pixel3XL did not.

We added the CA cert to a subpage on the guest captive portal for ease of 
access to the Wireless device, and provided some instructions for the devices.
The workflow to manually add the Wireless Trust was a bit flaky too with Modify 
Settings not really working.

The instruction set that appeared to work as of the current (January 2021) 
Android software release on the Pixel 3XL not tested on Pixel 4/4a/5:


  1.  Download the CA cert from the ClearPass Guest Captive Portal Page
  2.  Go to Settings
  3.  Network & Internet
  4.  Wi-Fi
  5.  Wi-Fi preferences
  6.  Advanced
  7.  Install Certificate
  8.  Choose the Certificate downloaded in the first step
  9.  Name the Certificate
  10. Connect to the Secure SSID
      *   Change the Certificate from System Certs to the Certificate name 
          entered in the previous step
      *   Domain to 
      *   Identity as the username
      *   Password as the user’s password
      *   Connect
  11. Confirm Wireless is connected to the WPA2-Enterprise SSID
      *   You may have to forget and add network as the Modify Setting on the 
          SSID does not appear to work properly as of January, 2021 Android 
          Software release


There is a QR code that can be created for PSK networks, has anyone seen if 
this is possible for WPA2/3-Enterprise?



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 12:54
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Screenshot please.




From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Walter Reynolds 

Sent: Tuesday, February 2, 2021 12:46
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Can someone explain something to me?

I have a Pixel 3 that I did a factory reset on.  Next I did all the updates 
needed and it is running Android 11.  The build number is RQ1A.210205.004 which 
includes the latest security patch for the phone.

When I go to configure a WPA2 Enterprise network I still have the "Don't 
validate" option.

What am I missing here?


Walter Reynolds
Network Architect
Information and Technology Services
University of Michigan
(734) 615-9438


On Tue, Feb 2, 2021 at 8:51 AM Hurt,Trenton W. <trent.h...@louisville.edu> wrote:
LOL if it’s working now on those android 11 devices as is then I guess it is.  
And if it’s not well then Feb 15th I guess will be fun

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Monday, February 1, 2021 6:06:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



If the supplicant is properly configured, then yes.


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hurt,Trenton W. 
<trent.h...@louisville.edu>
Sent: Monday, February 1, 2021 18:03
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Tim

I know you can’t comment specifically on my setup or environment but if I have 
android 11 pixel 4 and others that have the December update already and the do 
not validate is not an option for those devices but they can use our onboard 
eap tls workflow and the devices auth via that method.  Do you think that my 
setup (regardless if it’s not the most secure way or whatever) will still work 
after this feb 15 date?

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Trenton Hurt 
<trenth...@gmail.com>
Sent: Monday, February 1, 2021 5:55:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android
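
The manual steps in Michael Holden's message above (install the CA certificate, select it instead of system certificates, set the Domain) amount to giving the supplicant a trust anchor and a server name to match. As an added example, not from any poster in this thread: a small Python audit that flags 802.1X profiles missing either one, using wpa_supplicant.conf syntax as a stand-in for a device profile. The sample config, SSIDs, paths and domain are constructed.

```python
"""Flag 802.1X network profiles that skip EAP server certificate validation."""

# Constructed sample in wpa_supplicant.conf syntax; SSIDs, identities, paths
# and the domain are made up for illustration.
SAMPLE_CONF = """
# 1) No CA at all: the equivalent of the removed "Don't validate" choice.
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-only"
    phase2="auth=MSCHAPV2"
}
# 2) Trusts a whole CA directory but never checks the server name.
network={
    ssid="campus-secure-syscerts"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-only"
    ca_path="/etc/ssl/certs"
}
# 3) Pinned CA plus expected server name.
network={
    ssid="campus-secure-pinned"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice"
    ca_cert="/etc/wifi/campus-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
    client_cert="/etc/wifi/alice.pem"
    private_key="/etc/wifi/alice.key"
}
# 4) Not 802.1X, so out of scope for this audit.
network={
    ssid="guest-psk"
    key_mgmt=WPA-PSK
    psk="example-only"
}
"""

EAP_KEY_MGMT = {"WPA-EAP", "IEEE8021X", "WPA-EAP-SHA256", "FT-EAP",
                "WPA-EAP-SUITE-B", "WPA-EAP-SUITE-B-192"}
TRUST_ANCHOR_KEYS = ("ca_cert", "ca_path")
NAME_MATCH_KEYS = ("domain_suffix_match", "domain_match",
                   "altsubject_match", "subject_match")


def parse_networks(text):
    """Return one dict of key/value settings per network={...} block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            # Split on the first "=" only, so phase2="auth=..." stays intact.
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return networks


def is_enterprise(net):
    """Simplification: 802.1X if an EAP method or EAP key management is set."""
    key_mgmt = set(net.get("key_mgmt", "").split())
    return "eap" in net or bool(key_mgmt & EAP_KEY_MGMT)


def audit_network(net):
    """List the server-validation gaps in one 802.1X profile."""
    findings = []
    # Without a trust anchor the server certificate is not verified at all.
    if not any(net.get(k) for k in TRUST_ANCHOR_KEYS):
        findings.append("no-trust-anchor")
    # Without a name constraint, any certificate under the anchor is accepted.
    if not any(net.get(k) for k in NAME_MATCH_KEYS):
        findings.append("no-name-match")
    return findings


def audit_config(text):
    """Map each 802.1X SSID to its findings; an empty list means both checks are set."""
    return {net.get("ssid", "<no ssid>"): audit_network(net)
            for net in parse_networks(text) if is_enterprise(net)}


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF).items():
        print(f"{ssid}: {', '.join(findings) or 'ok'}")
```
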

Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Tim Cappalli
Screenshot please.




From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Walter Reynolds 

Sent: Tuesday, February 2, 2021 12:46
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Can someone explain something to me?

I have a Pixel 3 that I did a factory reset on.  Next I did all the updates 
needed and it is running Android 11.  The build number is RQ1A.210205.004 which 
includes the latest security patch for the phone.

When I go to configure a WPA2 Enterprise network I still have the "Don't 
validate" option.

What am I missing here?


Walter Reynolds
Network Architect
Information and Technology Services
University of Michigan
(734) 615-9438


On Tue, Feb 2, 2021 at 8:51 AM Hurt,Trenton W. <trent.h...@louisville.edu> wrote:
LOL if it’s working now on those android 11 devices as is then I guess it is.  
And if it’s not well then Feb 15th I guess will be fun

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Monday, February 1, 2021 6:06:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



If the supplicant is properly configured, then yes.


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hurt,Trenton W. 
<trent.h...@louisville.edu>
Sent: Monday, February 1, 2021 18:03
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Tim

I know you can’t comment specifically on my setup or environment but if I have 
android 11 pixel 4 and others that have the December update already and the do 
not validate is not an option for those devices but they can use our onboard 
eap tls workflow and the devices auth via that method.  Do you think that my 
setup (regardless if it’s not the most secure way or whatever) will still work 
after this feb 15 date?

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Trenton Hurt 
<trenth...@gmail.com>
Sent: Monday, February 1, 2021 5:55:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



Android 11 (pixels 4 and other google handsets) have been doing the do not 
validate since early dec and for us it meant eap peap unmanaged over the air ( 
yes I know Tim this is not secure method but just how it is or was anyway).  
Now those users don’t have eap peap option and we have been moving them to our 
eap tls onboarding and this has been working for those android 11 users.  I 
just wasn’t sure if these were additional security measures that I needed to 
look out for or make some changes to my onboard profile stuff to make sure 
these android 11 still work after February 15

On Mon, Feb 1, 2021 at 5:28 PM Jennifer Minella <j...@cadinc.com> wrote:

I may disagree with some of the other feedback here…  I think this is a big 
deal.



It sounds like Google will be enforcing proper server validation for 
802.1X-secured networks, based on what Trent sent originally. I believe Apple 
already has been enforcing this for a bit.



If my guess is correct (I’ll try to find a link) then what it means is – after 
this update, you can’t tell the endpoint to ignore or bypass the server 
certificate for 802.1X (any EAP method).



The impact of this is…

  *   If your organization has any endpoints that have been configured to use 
a secured network but are ignoring the server’s certificate – then that will 
STOP working suddenly at the update.
  *   This setting (ignore/don’t validate server cert) is not ideal but it’s 
prevalent especially for things like BYOD or HED device onboarding, testing

Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Walter Reynolds
Can someone explain something to me?

I have a Pixel 3 that I did a factory reset on.  Next I did all the updates
needed and it is running Android 11.  The build number is RQ1A.210205.004
which includes the latest security patch for the phone.

When I go to configure a WPA2 Enterprise network I still have the "Don't
validate" option.

What am I missing here?


Walter Reynolds
Network Architect
Information and Technology Services
University of Michigan
(734) 615-9438


On Tue, Feb 2, 2021 at 8:51 AM Hurt,Trenton W. 
wrote:

> LOL if it’s working now on those android 11 devices as is then I guess it
> is.  And if it’s not well then Feb 15th I guess will be fun
>
> Trent Hurt
>
> University of Louisville
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <
> 0194c9ecac40-dmarc-requ...@listserv.educause.edu>
> *Sent:* Monday, February 1, 2021 6:06:41 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
>
> If the supplicant is properly configured, then yes.
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hurt,Trenton W. <
> trent.h...@louisville.edu>
> *Sent:* Monday, February 1, 2021 18:03
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
> Tim
>
> I know you can’t comment specifically on my setup or environment but if I
> have android 11 pixel 4 and others that have the December update already
> and the do not validate is not an option for those devices but they can use
> our onboard eap tls workflow and the devices auth via that method.  Do you
> think that my setup (regardless if it’s not the most secure way or
> whatever) will still work after this feb 15 date?
>
> Trent Hurt
>
> University of Louisville
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Trenton Hurt <
> trenth...@gmail.com>
> *Sent:* Monday, February 1, 2021 5:55:20 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
>
> Android 11 (pixels 4 and other google handsets) have been doing the do not
> validate since early dec and for us it meant eap peap unmanaged over the
> air ( yes I know Tim this is not secure method but just how it is or was
> anyway).  Now those users don’t have eap peap option and we have been
> moving them to our eap tls onboarding and this has been working for those
> android 11 users.  I just wasn’t sure if these were additional security
> measures that I needed to look out for or make some changes to my onboard
> profile stuff to make sure these android 11 still work after February 15
>
> On Mon, Feb 1, 2021 at 5:28 PM Jennifer Minella  wrote:
>
> I may disagree with some of the other feedback here…  I think this is a
> big deal.
>
>
>
> It sounds like Google will be enforcing proper server validation for
> 802.1X-secured networks, based on what Trent sent originally. I believe
> Apple already has been enforcing this for a bit.
>
>
>
> If my guess is correct (I’ll try to find a link) then what it means is –
> after this update, you can’t tell the endpoint to ignore or bypass the
> server certificate for 802.1X (any EAP method).
>
>
>
> The impact of this is…
>
> - If your organization has any endpoints that have been configured
>   to use a secured network but are ignoring the server’s certificate – then
>   that will STOP working suddenly at the update.
> - This setting (ignore/don’t validate server cert) is not ideal but
>   it’s prevalent especially for things like BYOD or HED device onboarding,
>   testing, etc. It should be fixed but this is one of those things that could
>   have a huge widespread impact if the endpoints/networks aren’t configured
>   properly now.
> - Typically prope

Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-01 Thread Hurt,Trenton W.
LOL if it’s working now on those android 11 devices as is then I guess it is.  
And if it’s not well then Feb 15th I guess will be fun

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Monday, February 1, 2021 6:06:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



If the supplicant is properly configured, then yes.


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Hurt,Trenton W. 

Sent: Monday, February 1, 2021 18:03
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Tim

I know you can’t comment specifically on my setup or environment but if I have 
android 11 pixel 4 and others that have the December update already and the do 
not validate is not an option for those devices but they can use our onboard 
eap tls workflow and the devices auth via that method.  Do you think that my 
setup (regardless if it’s not the most secure way or whatever) will still work 
after this feb 15 date?

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Trenton Hurt 

Sent: Monday, February 1, 2021 5:55:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



Android 11 (pixels 4 and other google handsets) have been doing the do not 
validate since early dec and for us it meant eap peap unmanaged over the air ( 
yes I know Tim this is not secure method but just how it is or was anyway).  
Now those users don’t have eap peap option and we have been moving them to our 
eap tls onboarding and this has been working for those android 11 users.  I 
just wasn’t sure if these were additional security measures that I needed to 
look out for or make some changes to my onboard profile stuff to make sure 
these android 11 still work after February 15

On Mon, Feb 1, 2021 at 5:28 PM Jennifer Minella <j...@cadinc.com> wrote:

I may disagree with some of the other feedback here…  I think this is a big 
deal.



It sounds like Google will be enforcing proper server validation for 
802.1X-secured networks, based on what Trent sent originally. I believe Apple 
already has been enforcing this for a bit.



If my guess is correct (I’ll try to find a link) then what it means is – after 
this update, you can’t tell the endpoint to ignore or bypass the server 
certificate for 802.1X (any EAP method).



The impact of this is…

  *   If your organization has any endpoints that have been configured to use 
a secured network but are ignoring the server’s certificate – then that will 
STOP working suddenly at the update.
  *   This setting (ignore/don’t validate server cert) is not ideal but it’s 
prevalent especially for things like BYOD or HED device onboarding, testing, 
etc. It should be fixed but this is one of those things that could have a huge 
widespread impact if the endpoints/networks aren’t configured properly now.
  *   Typically proper settings for secured 1X networks are pushed through GPO, 
MDM, or an onboarding process through vendor tools (can be a server-based tool 
or a client-based config assist tool). If that wasn’t done then the endpoints 
may not have the server certificate installed and trusted, and if that’s the 
case they will just cease to work after the device upgrade.



Tim it’s not referencing a wildcard cert; they’re still using the specific FQDN 
for the COMMON NAME. The article references the connect to domains as a 
different field which is not the certificate CN.. ?



Yeah, here are some links…

  *   A reddit article I hope is accurate b/c I only skimmed it

https://www.reddit.com/r/networking/comments/j7ero1/psa_android_11s_december_security_update_will/

The security patch for Android 11 (QPR1) will remove the "Do not validate" 

Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-01 Thread Tim Cappalli
If the supplicant is properly configured, then yes.


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Hurt,Trenton W. 

Sent: Monday, February 1, 2021 18:03
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Tim

I know you can’t comment specifically on my setup or environment but if I have 
android 11 pixel 4 and others that have the December update already and the do 
not validate is not an option for those devices but they can use our onboard 
eap tls workflow and the devices auth via that method.  Do you think that my 
setup (regardless if it’s not the most secure way or whatever) will still work 
after this feb 15 date?

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Trenton Hurt 

Sent: Monday, February 1, 2021 5:55:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



Android 11 (pixels 4 and other google handsets) have been doing the do not 
validate since early dec and for us it meant eap peap unmanaged over the air ( 
yes I know Tim this is not secure method but just how it is or was anyway).  
Now those users don’t have eap peap option and we have been moving them to our 
eap tls onboarding and this has been working for those android 11 users.  I 
just wasn’t sure if these were additional security measures that I needed to 
look out for or make some changes to my onboard profile stuff to make sure 
these android 11 still work after February 15

On Mon, Feb 1, 2021 at 5:28 PM Jennifer Minella <j...@cadinc.com> wrote:

I may disagree with some of the other feedback here…  I think this is a big 
deal.



It sounds like Google will be enforcing proper server validation for 
802.1X-secured networks, based on what Trent sent originally. I believe Apple 
already has been enforcing this for a bit.



If my guess is correct (I’ll try to find a link) then what it means is – after 
this update, you can’t tell the endpoint to ignore or bypass the server 
certificate for 802.1X (any EAP method).



The impact of this is…

  *   If your organization has any endpoints that have been configured to use 
a secured network but are ignoring the server’s certificate – then that will 
STOP working suddenly at the update.
  *   This setting (ignore/don’t validate server cert) is not ideal but it’s 
prevalent especially for things like BYOD or HED device onboarding, testing, 
etc. It should be fixed but this is one of those things that could have a huge 
widespread impact if the endpoints/networks aren’t configured properly now.
  *   Typically proper settings for secured 1X networks are pushed through GPO, 
MDM, or an onboarding process through vendor tools (can be a server-based tool 
or a client-based config assist tool). If that wasn’t done then the endpoints 
may not have the server certificate installed and trusted, and if that’s the 
case they will just cease to work after the device upgrade.



Tim it’s not referencing a wildcard cert; they’re still using the specific FQDN 
for the COMMON NAME. The article references the connect to domains as a 
different field which is not the certificate CN.. ?



Yeah, here are some links…

  *   A reddit article I hope is accurate b/c I only skimmed it

https://www.reddit.com/r/networking/comments/j7ero1/psa_android_11s_december_security_update_will/

The security patch for Android 11 (QPR1) will remove the "Do not validate" 
option under "CA certificate" for EAP server certificate validation to prevent 
misconfiguration resulting in credential leaks. This is very good news from a 
security standpoint!

  *   Secure W2 article with the setting in reference to WPA3 (which removes 
several less-secure options for configs)

https://www.securew2.com/blog/android-11-server-certificate-validation-error-solution/

Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-01 Thread Hurt,Trenton W.
Tim

I know you can’t comment specifically on my setup or environment but if I have 
android 11 pixel 4 and others that have the December update already and the do 
not validate is not an option for those devices but they can use our onboard 
eap tls workflow and the devices auth via that method.  Do you think that my 
setup (regardless if it’s not the most secure way or whatever) will still work 
after this feb 15 date?

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Trenton Hurt 

Sent: Monday, February 1, 2021 5:55:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



Android 11 (pixels 4 and other google handsets) have been doing the do not 
validate since early dec and for us it meant eap peap unmanaged over the air ( 
yes I know Tim this is not secure method but just how it is or was anyway).  
Now those users don’t have eap peap option and we have been moving them to our 
eap tls onboarding and this has been working for those android 11 users.  I 
just wasn’t sure if these were additional security measures that I needed to 
look out for or make some changes to my onboard profile stuff to make sure 
these android 11 still work after February 15

On Mon, Feb 1, 2021 at 5:28 PM Jennifer Minella <j...@cadinc.com> wrote:

I may disagree with some of the other feedback here…  I think this is a big 
deal.



It sounds like Google will be enforcing proper server validation for 
802.1X-secured networks, based on what Trent sent originally. I believe Apple 
already has been enforcing this for a bit.



If my guess is correct (I’ll try to find a link) then what it means is – after 
this update, you can’t tell the endpoint to ignore or bypass the server 
certificate for 802.1X (any EAP method).



The impact of this is…

  *   If your organization has any endpoints that have been configured to use 
a secured network but are ignoring the server’s certificate – then that will 
STOP working suddenly at the update.
  *   This setting (ignore/don’t validate server cert) is not ideal but it’s 
prevalent especially for things like BYOD or HED device onboarding, testing, 
etc. It should be fixed but this is one of those things that could have a huge 
widespread impact if the endpoints/networks aren’t configured properly now.
  *   Typically proper settings for secured 1X networks are pushed through GPO, 
MDM, or an onboarding process through vendor tools (can be a server-based tool 
or a client-based config assist tool). If that wasn’t done then the endpoints 
may not have the server certificate installed and trusted, and if that’s the 
case they will just cease to work after the device upgrade.



Tim it’s not referencing a wildcard cert; they’re still using the specific FQDN 
for the COMMON NAME. The article references the connect to domains as a 
different field which is not the certificate CN.. ?



Yeah, here are some links…

  *   A reddit article I hope is accurate b/c I only skimmed it

https://www.reddit.com/r/networking/comments/j7ero1/psa_android_11s_december_security_update_will/

The security patch for Android 11 (QPR1) will remove the "Do not validate" 
option under "CA certificate" for EAP server certificate validation to prevent 
misconfiguration resulting in credential leaks. This is very good news from a 
security standpoint!

  *   Secure W2 article with the setting in reference to WPA3 (which removes 
several less-secure options for configs)

https://www.securew2.com/blog/android-11-server-certificate-validation-error-solution/

  *





___

Jennifer Minella, CISSP, HP MASE

VP of Engineering & Security

Carolina Advanced Digital, Inc.

www.cadinc.com

Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-01 Thread Trenton Hurt
Android 11 (pixels 4 and other google handsets) have been doing the do not
validate since early dec and for us it meant eap peap unmanaged over the
air ( yes I know Tim this is not secure method but just how it is or was
anyway).  Now those users don’t have eap peap option and we have been
moving them to our eap tls onboarding and this has been working for those
android 11 users.  I just wasn’t sure if these were additional security
measures that I needed to look out for or make some changes to my onboard
profile stuff to make sure these android 11 still work after February 15

On Mon, Feb 1, 2021 at 5:28 PM Jennifer Minella  wrote:

> I may disagree with some of the other feedback here…  I think this is a
> big deal.
>
>
>
> It sounds like Google will be enforcing proper server validation for
> 802.1X-secured networks, based on what Trent sent originally. I believe
> Apple already has been enforcing this for a bit.
>
>
>
> If my guess is correct (I’ll try to find a link) then what it means is –
> after this update, you can’t tell the endpoint to ignore or bypass the
> server certificate for 802.1X (any EAP method).
>
>
>
> The impact of this is…
>
> - If your organization has any endpoints that have been configured
>   to use a secured network but are ignoring the server’s certificate – then
>   that will STOP working suddenly at the update.
> - This setting (ignore/don’t validate server cert) is not ideal but
>   it’s prevalent especially for things like BYOD or HED device onboarding,
>   testing, etc. It should be fixed but this is one of those things that could
>   have a huge widespread impact if the endpoints/networks aren’t configured
>   properly now.
> - Typically proper settings for secured 1X networks are pushed through
>   GPO, MDM, or an onboarding process through vendor tools (can be a
>   server-based tool or a client-based config assist tool). If that wasn’t
>   done then the endpoints may not have the server certificate installed and
>   trusted, and if that’s the case they will just cease to work after the
>   device upgrade.
>
>
>
> Tim it’s not referencing a wildcard cert; they’re still using the specific
> FQDN for the COMMON NAME. The article references the connect to domains as
> a different field which is not the certificate CN.. ?
>
>
>
> Yeah, here are some links…
>
> - *A reddit article I hope is accurate b/c I only skimmed it*
>
>
> https://www.reddit.com/r/networking/comments/j7ero1/psa_android_11s_december_security_update_will/
>
> The security patch for Android 11 (QPR1) will remove the "Do not validate"
> option under "CA certificate" for EAP server certificate validation to
> prevent misconfiguration resulting in credential leaks. This is very good
> news from a security standpoint!
>
> - *Secure W2 article with the setting in reference to WPA3 (which
>   removes several less-secure options for configs)*
>
>
> https://www.securew2.com/blog/android-11-server-certificate-validation-error-solution/
>
>-
>
>
>
>
>
> ___
>
> *Jennifer Minella*, CISSP, HP MASE
>
> VP of Engineering & Security
>
> Carolina Advanced Digital, Inc.
>
> www.cadinc.com
>
> j...@cadinc.com
>
> 919.460.1313 Main Office
>
> 919.539.2726 Mobile/text
>
> [image: CAD LOGO EMAIL SIG]
>
>
>
> *From:* Hurt,Trenton W. 
> *Sent:* Monday, February 1, 2021 4:54 PM
> *Subject:* Re: android 11 upcoming changes Feb 15th 2021
>
>
>
> Ok thanks as always for clarification as I’ve been seeing android 11 on
> campus and they work with our current eap tls onboard workflow.  I wasn’t
> sure if something else was coming on feb 15th that would cause some issue
> with this setup
>
>
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Tim Cappalli
> *Sent:* Monday, February 1, 2021 4:51 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021
>
>
>
>
> This is a bit misleading IMO. There are no further changes in Android 11
> after the December update.
>
>
>
> Seems like this is specific to Secure W2's product.
>
>
>
> As a general best practice, you should be using a single EAP server
> certificate, signed using a PKI in your control, across all your
> RADIUS servers.
>
>
>
> It is very poor practice to use a wildcard for EAP subject name matching.
&