I have upgraded to Android 11, removed all user certificates and onboarded with Aruba QuickConnect. I am able to connect, but can verify that the setting is now 'Do Not Validate' for server certificate.

I downloaded and installed the certificate with the long instructions below. I was able to change to 'Use System Certificates' and update the domain. This is far from ideal in my opinion.

-----Original Message-----
From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Higgins, Benjamin J
Sent: Friday, September 11, 2020 8:19 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] Article: Android 11 tightens restrictions on CA certificates

Can confirm that this "feature" has prevented SecureW2 from onboarding Android 11 devices to our network. While the app appears to *deliver* the certificates - they are in the drop down when you edit the WiFi Profile - if you attempt to connect to the network it sits and spins. If you edit the profile again, you will find that the SecureW2 delivered certificate is no longer in the drop down list. Only "Use system certificates" or "Do not validate" is there...

-----Original Message-----
From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jonathan Waldrep
Sent: Friday, September 11, 2020 8:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [EXT] Re: [WIRELESS-LAN] Article: Android 11 tightens restrictions on CA certificates

On 2020-09-10 22:19:21, Johnson, Christopher wrote:
> This popped up in my news feed, that's going to affect the user experience
> even more for onboarding apps for those with private CAs I'd imagine.
>
> https://httptoolkit.tech/blog/android-11-trust-ca-certificates
>
> "In Android 11, to install a CA certificate, users need to manually:
>
> * Open settings
> * Go to 'Security'
> * Go to 'Encryption & Credentials'
> * Go to 'Install from storage'
> * Select 'CA Certificate' from the list of types available
> * Accept a large scary warning
> * Browse to the certificate file on the device and open it
> * Confirm the certificate install
>
> Applications and automation tools can send you to the general 'Security'
> settings page, but no further: from there the user must go alone (fiddly if
> not impossible with test automation tools)

tldr: I don't think this impacts certificates installed for Wi-Fi networks. They are handled differently. I would like someone who has experience with actually writing an on-boarding app to chime in, though.

Longer dive:

It is worth noting that when you manually install a CA in Android, it asks if you want to install it for "VPN and apps" or "Wi-Fi" (at least on Android 9, which is what I'm on). This indicates there is something different on the back end.

From the article, it seems to stem from Google locking down the KeyChain.createInstallIntent() API method [1] in the android.security package. Ultimately what we are after is setting up a wireless profile. How does that work? Well, there is an android.net.wifi package [2]. Let's look there. There is a WifiConfiguration class, but there is a note that it was deprecated in API level 29 (Android 10), and to use WifiNetworkSpecifier.Builder instead [3]. The article is specifically about Android 11, so we don't care about older versions. In the WifiNetworkSpecifier.Builder class, there is a public method setWpa2EnterpriseConfig(WifiEnterpriseConfig enterpriseConfig). So we need a WifiEnterpriseConfig class [4]. The WifiEnterpriseConfig class has a method setCaCertificate(X509Certificate cert) [5] which, as you may have guessed, is used to "Specify a X.509 certificate that identifies the server." This takes an X509Certificate class, which is part of the java.security.cert package. We should be able to provide that irrespective of what Android does.

That is all good in theory, but what does an actual onboarding app do? The only open source one I'm aware of is eduroamCAT [6]. It seems to have issues with Android 10 [7], so it may not be the best example, but it's what I can find. A quick grep of the repository for "createInstallIntent" returns no hits. That's a good sign. Similarly, a grep for "setCaCertificate" has a hit in src/uk/ac/swansea/eduroamcat/WifiConfigAPI18.java.

So it looks like eduroamCAT needs to be updated for API level 29, but it doesn't use the problematic method from the article (which was added in API level 14).

[1] https://developer.android.com/reference/android/security/KeyChain#createInstallIntent()
[2] https://developer.android.com/reference/android/net/wifi/package-summary
[3] https://developer.android.com/reference/android/net/wifi/WifiNetworkSpecifier.Builder
[4] https://developer.android.com/reference/android/net/wifi/WifiEnterpriseConfig
[5] https://developer.android.com/reference/android/net/wifi/WifiEnterpriseConfig#setCaCertificate(java.security.cert.X509Certificate)
[6] https://github.com/GEANT/CAT-Android
[7] https://github.com/GEANT/CAT-Android/issues/37

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
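The API path Jonathan traces above (WifiEnterpriseConfig.setCaCertificate() fed to a setWpa2EnterpriseConfig() builder) is shown below as an added example written for this page; it is not code from the thread, from eduroamCAT, SecureW2, Aruba QuickConnect or the Android documentation. The asset file name, SSID, realm and credential parameters are placeholders. It uses WifiNetworkSuggestion rather than WifiNetworkSpecifier, because suggestions are what the API 29+ framework keeps as ordinary saved networks, while WifiNetworkSpecifier.Builder takes the same WifiEnterpriseConfig object through its own setWpa2EnterpriseConfig(). The defender-relevant detail it demonstrates is the one the first message ends up fixing by hand: the CA and the server-name constraint (the "Domain" field in Settings) are handed to the Wi-Fi framework directly, so the profile never has to fall back to "Do not validate".

```java
// Added example for this thread; placeholders marked below. Requires the
// CHANGE_WIFI_STATE permission in the app manifest.
import android.content.Context;
import android.net.wifi.WifiEnterpriseConfig;
import android.net.wifi.WifiManager;
import android.net.wifi.WifiNetworkSuggestion;

import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

public final class EapProfileInstaller {

    // Placeholders: a real onboarding app takes these from its provisioning profile.
    static final String CA_ASSET = "radius-ca.pem";   // CA that issued the RADIUS server cert
    static final String SSID = "eduroam";
    static final String REALM = "example.edu";        // server cert name must end with this

    /** Parse the CA certificate bundled with the app (PEM or DER; CertificateFactory accepts both). */
    static X509Certificate loadCaCertificate(Context ctx) throws IOException, CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = ctx.getAssets().open(CA_ASSET)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Build the EAP settings. setCaCertificate() passes the trust anchor to the Wi-Fi
     * service, which keeps it under this network's own alias; the manual KeyChain install
     * flow from the article is never involved. setDomainSuffixMatch() is the constraint
     * Settings shows as "Domain": without it, any server certificate chaining to the CA
     * would be accepted, so both are needed for real server validation.
     */
    static WifiEnterpriseConfig buildEnterpriseConfig(X509Certificate caCert,
                                                      String identity, String password) {
        WifiEnterpriseConfig cfg = new WifiEnterpriseConfig();
        cfg.setEapMethod(WifiEnterpriseConfig.Eap.PEAP);
        cfg.setPhase2Method(WifiEnterpriseConfig.Phase2.MSCHAPV2);
        cfg.setIdentity(identity);
        // Outer identity: keeps the real username out of the unencrypted EAP exchange.
        cfg.setAnonymousIdentity("anonymous@" + REALM);
        cfg.setPassword(password);
        cfg.setCaCertificate(caCert);
        cfg.setDomainSuffixMatch(REALM);
        return cfg;
    }

    /** Register the network with the framework; the user approves the app's suggestions once. */
    static int installProfile(Context ctx, String identity, String password)
            throws IOException, CertificateException {
        WifiEnterpriseConfig cfg = buildEnterpriseConfig(loadCaCertificate(ctx), identity, password);
        WifiNetworkSuggestion suggestion = new WifiNetworkSuggestion.Builder()
                .setSsid(SSID)
                .setWpa2EnterpriseConfig(cfg)
                .build();
        WifiManager wm = ctx.getSystemService(WifiManager.class);
        // Returns WifiManager.STATUS_NETWORK_SUGGESTIONS_SUCCESS (0) when accepted;
        // any other status means the framework rejected the suggestion, which is the
        // place to surface an error rather than silently retrying with validation off.
        return wm.addNetworkSuggestions(Collections.singletonList(suggestion));
    }
}
```

A quick check after onboarding is to open the saved network in Settings and confirm that "CA certificate" is no longer "Do not validate" and that the "Domain" field holds the realm; a profile that connects fine but shows "Do not validate" is exactly the silent downgrade the first message describes.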