Is anyone starting to get complaints of not being able to connect to 802.1x/EAP 
since December’s Android updates mentioned below? I can’t seem to find any 
official information about this, just from the Reddit post below and a few 
other sources including this SecureW2 blog:
https://www.securew2.com/blog/android-11-server-certificate-validation-error-solution/

https://httptoolkit.tech/blog/android-11-trust-ca-certificates/

We had a user reset their account password today, and after forgetting the 
network, they are no longer able to connect with their Pixel 3 XL. I was told 
by one of our students who went to assist this user that the menu to “Do Not 
Validate” is greyed out for the CA certificate. A student from the helpdesk 
forgot the network from their own Pixel and now cannot reconnect; a domain is 
required. They sent the following screenshot.
[Screenshot attachment: image001.png]


From: The EDUCAUSE Wireless Issues Community Group Listserv <[log in to unmask]>
Date: Tuesday, October 13, 2020 at 14:27
To: [log in to unmask] <[log in to unmask]>
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification
Tim, et al,

So the issue with advance certificate onboarding is that it requires a process 
in advance that most students would have issues with. Issuing certs in advance 
is more of a process for company-owned devices.  It doesn’t work well with BYOD 
clients that have dynamic VLAN placement based on returned filter-IDs from a 
RADIUS/NPS server.

Most vendors walk you through a quick and dirty setup of NPS for 802.1x auth 
and VLAN placement, and therefore, they are interested in simple auth at the 
expense of security.  However, with Android 11 (and possibly a bit further 
back), that bypass of “don’t validate”, etc, isn’t an option.

To have a proper cert setup get pushed out to the client, there needs to be a 
more complex setup on the backend than is originally thought.

My server and AD team is actively working on this.  This article is a good 
place to start, and it has links to other portions of the setup.  I hope this 
helps.  I’ll try to let everyone know how it works out when we are done.

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-requirements


__________________________________



Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts


136 W 21st St., 8th Floor
New York, NY, 10011
LL: 212-592-2416
E:  [log in to unmask]
_______________________________

Please excuse any typographical
errors as this e-mail has been sent
from my mobile device
_______________________________






On Oct 13, 2020, at 14:00, Tim Cappalli <[log in to unmask]> wrote:

Just do a quick Google search and you’ll see how many situations instruct users 
to not validate the server identity (across many operating systems).

It is (and has always been) the #1 problem with legacy credentials/auth methods 
with tunneled EAP.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv <[log in to unmask]>
Date: Tuesday, October 13, 2020 at 13:59
To: [log in to unmask] <[log in to unmask]>
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification
I too am also interested.

Michael Catania
Sr. Network Analyst
Information Technology Services
Loyola University Chicago
P: 773.508.3712 | E: [log in to unmask]

From: Gray, Sean <[log in to unmask]>
Sent: Tuesday, October 13, 2020 12:57 PM
To: [log in to unmask]
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Hi Philippe,

Thanks for sharing.

I’m interested to know if there are any higher Ed institutes out there that 
don’t onboard clients and push the necessary certs out? How will you be 
handling this change?

Thanks

Sean

Sean Gray | B.Sc (Hons)
Voice, Collaboration & Wireless Network Analyst
ITS, University of Lethbridge

From: The EDUCAUSE Wireless Issues Community Group Listserv <[log in to unmask]> On Behalf Of Philippe Hanset
Sent: October 13, 2020 11:23 AM
To: [log in to unmask]
Subject: [WIRELESS-LAN] Android 11 and Cert Verification


It might have been mentioned on this list before.
With this one, repetition might not be a bad idea…

[PSA] Android 11's December security update will remove the ability to disable 
EAP server cert validation

https://www.reddit.com/r/networking/comments/j7ero1/psa_android_11s_december_security_update_will/


Best,

Philippe

Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US


Eric Glinsky
Network Administrator
University of Connecticut
ITS – Network Operations
Temporary Administration Building
25 Gampel Service Drive | Storrs, CT 06269-1138
(860) 486-9199
e...@uconn.edu

