Having users get the certificate installed is to me more of a hassle than running the onboarding tool. It also helps with some of the less common devices. While those are fewer and farther apart it does save a little time. ------------------------ Walter Reynolds Network Architect Information and Technology Services University of Michigan (734) 615-9438
On Tue, Aug 7, 2018 at 3:38 PM Norman Elton <normel...@gmail.com> wrote: > We've got an encrypted network with the classic PEAP + MSCHAPv2 combo, > allowing users to connect with their domain credentials. We've shied > away from onboarding tools like SecureW2, especially for student > devices, as they seem more cumbersome than just having the user > configure the connection properly the first time. > > Preparing for the fall, we've noticed that recent versions of Android > make the process a little more cumbersome. It appears that 8.1 & 9.0 > allow the user to validate the certificate by domain, which is great. > Although the steps to get this setup are far from intuitive. > > 8.0 doesn't give that option, instead displaying a scary warning, > "This connection will not be secure". The user is forced to go ahead > with "do not validate certificate", leaving them open to leak their > credentials to a rogue AP. Far from ideal. > > Theoretically, we could ask the user to trust the CA certificate in > advance, and (hopefully) the warning message would go away. But I > haven't gotten this to work. > > Is there a general consensus that these devices are better served with > an onboarding tool that can accommodate the various flavors of > Android? Or is there a recipe for a user to setup 802.1x securely > (with some sort of certificate validation) on Android devices pre-8.1? > > Thanks, > > Norman Elton > > ********** > Participation and subscription information for this EDUCAUSE Constituent > Group discussion list can be found at http://www.educause.edu/discuss. > ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
