That’s the problem with non-TLS EAP methods.  You cannot guarantee anyone will 
use the process.  It is a huge security issue as far as I am concerned.  

Ryan Turner
Senior Manager of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

> On Aug 8, 2018, at 9:39 AM, Norman Elton <normel...@gmail.com> wrote:
> 
> Thanks all. If you're doing PEAP / MSCHAPv2, are you expecting some
> users to stumble through the process? Or do you somehow encourage all
> users to use the onboarding tool? Obviously the tool would be required
> if you're going down the EAP-TLS path.
> 
> Norman
> On Wed, Aug 8, 2018 at 7:35 AM Osborne, Bruce W (Network Operations)
> <bosbo...@liberty.edu> wrote:
>> 
>> We changed onboarding tools for non-AD devices to SecureW2 last September 
>> and have been more than happy with their service & support.
>> 
>> They tend to officially support OS versions before official release, which 
>> can be useful in a Higher-Ed environment.
>> 
>> Bruce Osborne
>> Liberty University
>> 
>> -----Original Message-----
>> From: Norman Elton [mailto:normel...@gmail.com]
>> Sent: Tuesday, August 7, 2018 3:25 PM
>> Subject: Onboarding Android devices
>> 
>> We've got an encrypted network with the classic PEAP + MSCHAPv2 combo, 
>> allowing users to connect with their domain credentials. We've shied away 
>> from onboarding tools like SecureW2, especially for student devices, as they 
>> seem more cumbersome than just having the user configure the connection 
>> properly the first time.
>> 
>> Preparing for the fall, we've noticed that recent versions of Android make 
>> the process a little more cumbersome. It appears that 8.1 & 9.0 allow the 
>> user to validate the certificate by domain, which is great.
>> Although the steps to get this set up are far from intuitive.
>> 
>> 8.0 doesn't give that option, instead displaying a scary warning, "This 
>> connection will not be secure". The user is forced to go ahead with "do not 
>> validate certificate", leaving them open to leak their credentials to a 
>> rogue AP. Far from ideal.
>> 
>> Theoretically, we could ask the user to trust the CA certificate in advance, 
>> and (hopefully) the warning message would go away. But I haven't gotten this 
>> to work.
>> 
>> Is there a general consensus that these devices are better served with an 
>> onboarding tool that can accommodate the various flavors of Android? Or is 
>> there a recipe for a user to set up 802.1x securely (with some sort of 
>> certificate validation) on Android devices pre-8.1?
>> 
>> Thanks,
>> 
>> Norman Elton
>> 
>> **********
>> Participation and subscription information for this EDUCAUSE Constituent 
>> Group discussion list can be found at http://www.educause.edu/discuss.
>> 
> 
