Re: [WIRELESS-LAN] Onboarding Android devices

Tue, 07 Aug 2018 16:59:42 -0700 

PEAP is not standardized and was not designed to be used outside a Windows 
AD-joined, GPO controlled environment. 

I'm hoping Google's changes (very welcome IMO) and continued restrictions on 
Apple platforms will steer people away from legacy, deprecated protocols/EAP 
methods.

tim


On 8/7/18, 3:25 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Norman Elton" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
normel...@gmail.com> wrote:

    We've got an encrypted network with the classic PEAP + MSCHAPv2 combo,
    allowing users to connect with their domain credentials. We've shied
    away from onboarding tools like SecureW2, especially for student
    devices, as they seem more cumbersome than just having the user
    configure the connection properly the first time.
    
    Preparing for the fall, we've noticed that recent versions of Android
    make the process a little more cumbersome. It appears that 8.1 & 9.0
    allow the user to validate the certificate by domain, which is great.
    Although the steps to get this setup are far from intuitive.
    
    8.0 doesn't give that option, instead displaying a scary warning,
    "This connection will not be secure". The user is forced to go ahead
    with "do not validate certificate", leaving them open to leak their
    credentials to a rogue AP. Far from ideal.
    
    Theoretically, we could ask the user to trust the CA certificate in
    advance, and (hopefully) the warning message would go away. But I
    haven't gotten this to work.
    
    Is there a general consensus that these devices are better served with
    an onboarding tool that can accommodate the various flavors of
    Android? Or is there a recipe for a user to setup 802.1x securely
    (with some sort of certificate validation) on Android devices pre-8.1?
    
    Thanks,
    
    Norman Elton
    
    **********
    Participation and subscription information for this EDUCAUSE Constituent 
Group discussion list can be found at http://www.educause.edu/discuss.
    


**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

Reply via email to