FYI Tim you are correct in the android update in Dec are the changes and these additional pieces are securew2 specific. This is what support told me
The change that was done by android in dec is that any manual connection attempt would not work with these config in place. Our SecureW2 application in playstore wasn't updated since then but now the application needs to be updated and when the app is updated it needs to make sure android 11 can be configured with the specified parameters. From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Hurt,Trenton W. Sent: Monday, February 1, 2021 6:09 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021 CAUTION: This email originated from outside of our organization. Do not click links, open attachments, or respond unless you recognize the sender's email address and know the contents are safe. LOL if it's working now on those android 11 devices as is then I guess it is. And if it's not well then Feb 15th I guess will be fun Trent Hurt University of Louisville ________________________________ From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Tim Cappalli <00000194c9ecac40-dmarc-requ...@listserv.educause.edu<mailto:00000194c9ecac40-dmarc-requ...@listserv.educause.edu>> Sent: Monday, February 1, 2021 6:06:41 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021 CAUTION: This email originated from outside of our organization. Do not click links, open attachments, or respond unless you recognize the sender's email address and know the contents are safe. If the supplicant is properly configured, then yes. ________________________________ From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Hurt,Trenton W. <trent.h...@louisville.edu<mailto:trent.h...@louisville.edu>> Sent: Monday, February 1, 2021 18:03 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021 Tim I know you can't comment specifically on my setup or environment but if I have android 11 pixel 4 and others that have the December update already and the do not validate is not an option for those devices but they can use our onboard eap tls workflow and the devices auth via that method. Do you think that my setup (regardless if it's not the most secure way or whatever) will still work after this feb 15 date? Trent Hurt University of Louisville ________________________________ From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Trenton Hurt <trenth...@gmail.com<mailto:trenth...@gmail.com>> Sent: Monday, February 1, 2021 5:55:20 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021 CAUTION: This email originated from outside of our organization. Do not click links, open attachments, or respond unless you recognize the sender's email address and know the contents are safe. Android 11 (pixels 4 and other google handsets) have been doing the do not validate since early dec and for us it meant eap peap unmanaged over the air ( yes I know Tim this is not secure method but just how it is or was anyway). Now those users don't have eap peap option and we have been moving them to our eap tls onboarding and this has been working for those android 11 users. I just wasn't sure if these were additional security measures that I needed to look out for or make some changes to my onboard profile stuff to make sure these android 11 still work after February 15 On Mon, Feb 1, 2021 at 5:28 PM Jennifer Minella <j...@cadinc.com<mailto:j...@cadinc.com>> wrote: I may disagree with some of the other feedback here... I think this is a big deal. It sounds like Google will be enforcing proper server validation for 802.1X-secured networks, based on what Trent sent originally. I believe Apple already has been enforcing this for a bit. If my guess is correct (I'll try to find a link) then what it means is - after this update, you can't tell the endpoint to ignore or bypass the server certificate for 802.1X (any EAP method). The impact of this is... * If you're organization has any endpoints that have been configured to use a secured network but are ignoring the server's certificate - then that will STOP working suddenly at the update. * This setting (ignore/don't validate server cert) is not ideal but it's prevalent especially for things like BYOD or HED device onboarding, testing, etc. It should be fixed but this is one of those things that could have a huge widespread impact if the endpoints/networks aren't configured properly now. * Typically proper settings for secured 1X networks are pushed through GPO, MDM, or an onboarding process through vendor tools (can be a server-based tool or a client-based config assist tool). If that wasn't done then the endpoints may not have the server certificate installed and trusted, and if that's the case they will just cease to work after the device upgrade. Tim it's not referencing a wildcard cert; they're still using the specific FQDN for the COMMON NAME. The article references the connect to domains as a different field which is not the certificate CN.. ? Yeah, here are some links... * A reddit article I hope is accurate b/c I only skimmed it https://www.reddit.com/r/networking/comments/j7ero1/psa_android_11s_december_security_update_will/<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.reddit.com%2Fr%2Fnetworking%2Fcomments%2Fj7ero1%2Fpsa_android_11s_december_security_update_will%2F&data=04%7C01%7CTrent.hurt%40LOUISVILLE.EDU%7C24144332ed9d4ff77fef08d8c70663be%7Cdd246e4a54344e158ae391ad9797b209%7C0%7C0%7C637478177564704073%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=94sA1Z8xSzF%2BhZHqUg54ltjew16mEAWYognMUJZuYCQ%3D&reserved=0> The security patch for Android 11 (QPR1) will remove the "Do not validate" option under "CA certificate" for EAP server certificate validation to prevent misconfiguration resulting in credential leaks. This is very good news from a security standpoint! * Secure W2 article with the setting in reference to WPA3 (which removes several less-secure options for confgs) https://www.securew2.com/blog/android-11-server-certificate-validation-error-solution/<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.securew2.com%2Fblog%2Fandroid-11-server-certificate-validation-error-solution%2F&data=04%7C01%7CTrent.hurt%40LOUISVILLE.EDU%7C24144332ed9d4ff77fef08d8c70663be%7Cdd246e4a54344e158ae391ad9797b209%7C0%7C0%7C637478177564714068%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=omrFvkSfO9pWU%2FJMtaLidgAYPvbNmKwepNeEfB7k4ro%3D&reserved=0> * ___________ Jennifer Minella, CISSP, HP MASE VP of Engineering & Security Carolina Advanced Digital, Inc. www.cadinc.com<https://nam03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.cadinc.com%2F&data=04%7C01%7CTrent.hurt%40LOUISVILLE.EDU%7C24144332ed9d4ff77fef08d8c70663be%7Cdd246e4a54344e158ae391ad9797b209%7C0%7C0%7C637478177564724064%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=GKBLy6X6f3faldga48sS0DOpAud%2B%2B2r1UGfCYhU8r90%3D&reserved=0> j...@cadinc.com<mailto:j...@cadinc.com> 919.460.1313 Main Office 919.539.2726 Mobile/text [CAD LOGO EMAIL SIG] From: Hurt,Trenton W. <trent.h...@louisville.edu<mailto:trent.h...@louisville.edu>> Sent: Monday, February 1, 2021 4:54 PM Subject: Re: android 11 upcoming changes Feb 15th 2021 Ok thanks as always for clarification as ive been seeing android 11 on campus and they work with our current eap tls onboard workflow. I wasn't sure if something else was coming on feb 15th that would cause some issue with this setup From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Tim Cappalli Sent: Monday, February 1, 2021 4:51 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021 CAUTION: This email originated from outside of our organization. Do not click links, open attachments, or respond unless you recognize the sender's email address and know the contents are safe. This is a bit misleading IMO. There are no further changes in Android 11 after the December update. Seems like this is specific to Secure W2's product. As a general best practice, you should be using a single EAP server certificate, signed using a PKI in your control, across your all your RADIUS servers. It is very poor practice to use a wildcard for EAP subject name matching. I'm very disappointed to see vendors making that recommendation. tim ________________________________ From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Hurt,Trenton W. <trent.h...@louisville.edu<mailto:trent.h...@louisville.edu>> Sent: Monday, February 1, 2021 16:46 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> Subject: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021 FYI I just received the following from securew2 about some additional security changes coming to android 11. This action will need to take place before the upcoming Android application update that is planned for February 15th, 2021. As you may already be aware, Google mandates server validation to be properly configured for WiFi from Android version 11. This means that any 802.1X WiFi configuration without the following two settings will fail to connect. 1. Server Validation 2. Connect to these server names For more information about these configurations, please read below. What is Server Validation in a Network Profile? This configuration item is for clients to validate a RADIUS server certificate chain during an EAP authentication. Clients would forward its requests only when the received server certificate is signed by the CA that is configured on the SecureW2 Network Profile. It may be required to upload only the Root CA of the RADIUS server certificate, however, in some cases, the full chain may need to be provided. What is the Connect to these server names field? This field is used to specify the name of your RADIUS server certificate using its Common Name. If there is only one RADIUS server in your setup, you can quickly find this name from the certificate. If there are more than one RADIUS servers, or if the RADIUS server Common Name has more than two subdomains, we advise to use a wildcard name. For example: If the RADIUS server certificate's Common Name = radius.domain.com<https://nam03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fradius.domain.com%2F&data=04%7C01%7CTrent.hurt%40LOUISVILLE.EDU%7C24144332ed9d4ff77fef08d8c70663be%7Cdd246e4a54344e158ae391ad9797b209%7C0%7C0%7C637478177564724064%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=m9aTs7XSiBZbJlyhKZMMU9LIH6dJ9KWYOduKo%2FGwia0%3D&reserved=0> Connect to these server names should be radius.domain.com<https://nam03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fradius.domain.com%2F&data=04%7C01%7CTrent.hurt%40LOUISVILLE.EDU%7C24144332ed9d4ff77fef08d8c70663be%7Cdd246e4a54344e158ae391ad9797b209%7C0%7C0%7C637478177564734063%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=L5m%2FH39xFFCu5h5GnTX7DI33wFUFjuNXY8MfowxDw08%3D&reserved=0> If the RADIUS server certificate's Common Name = radius.lab.department.domain.com<https://nam03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fradius.lab.department.domain.com%2F&data=04%7C01%7CTrent.hurt%40LOUISVILLE.EDU%7C24144332ed9d4ff77fef08d8c70663be%7Cdd246e4a54344e158ae391ad9797b209%7C0%7C0%7C637478177564734063%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=IYie8jwK1PszJYP1kJKwTY0Tto8OMxKNk3%2BCx0INMGw%3D&reserved=0> Connect to these server names should be *.department.domain.com<https://nam03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fdepartment.domain.com%2F&data=04%7C01%7CTrent.hurt%40LOUISVILLE.EDU%7C24144332ed9d4ff77fef08d8c70663be%7Cdd246e4a54344e158ae391ad9797b209%7C0%7C0%7C637478177564744056%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=VZA8Uq0lzZAaXZZriQX7DjxXIQt%2BoAbFdirgylTwnfs%3D&reserved=0> or *.domain.com<https://nam03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fdomain.com%2F&data=04%7C01%7CTrent.hurt%40LOUISVILLE.EDU%7C24144332ed9d4ff77fef08d8c70663be%7Cdd246e4a54344e158ae391ad9797b209%7C0%7C0%7C637478177564754045%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=3BH6ZBPWn1VprH91srRVu981yDq4X4vVQTf4jkAv91M%3D&reserved=0> Thanks Trent Trenton Hurt, CWNE #172,ACMP,ACCP,CCNP(W),CCNA(W),CCNA(V),CCNA(R/S) Network Analyst University of Louisville Phone (502) 852-1513 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7CTrent.hurt%40LOUISVILLE.EDU%7C24144332ed9d4ff77fef08d8c70663be%7Cdd246e4a54344e158ae391ad9797b209%7C0%7C0%7C637478177564754045%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Y6mF2A82XpSCI4vvgMQr%2BI1XoQ0qtH7GmnFtSQzC4sk%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7CTrent.hurt%40LOUISVILLE.EDU%7C24144332ed9d4ff77fef08d8c70663be%7Cdd246e4a54344e158ae391ad9797b209%7C0%7C0%7C637478177564764039%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=qeU6zHn290Q4Mkx93%2Ff2AzFsc5QJlNNBIDZ1o7Akj%2F8%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7CTrent.hurt%40LOUISVILLE.EDU%7C24144332ed9d4ff77fef08d8c70663be%7Cdd246e4a54344e158ae391ad9797b209%7C0%7C0%7C637478177564764039%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=qeU6zHn290Q4Mkx93%2Ff2AzFsc5QJlNNBIDZ1o7Akj%2F8%3D&reserved=0> Visit https://cadinc.com/blog<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcadinc.com%2Fblog&data=04%7C01%7CTrent.hurt%40LOUISVILLE.EDU%7C24144332ed9d4ff77fef08d8c70663be%7Cdd246e4a54344e158ae391ad9797b209%7C0%7C0%7C637478177564774030%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=sUh8ObbOvH56XvuH2GgyA89FSnRac62kzXxAw8F6aBU%3D&reserved=0> for tech articles and news. ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7CTrent.hurt%40LOUISVILLE.EDU%7C24144332ed9d4ff77fef08d8c70663be%7Cdd246e4a54344e158ae391ad9797b209%7C0%7C0%7C637478177564784025%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=BtkkHf60ljJ6N81aEmF4LidYVO54nw%2Fx0xwvggCX8KE%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7CTrent.hurt%40LOUISVILLE.EDU%7C24144332ed9d4ff77fef08d8c70663be%7Cdd246e4a54344e158ae391ad9797b209%7C0%7C0%7C637478177564784025%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=BtkkHf60ljJ6N81aEmF4LidYVO54nw%2Fx0xwvggCX8KE%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7CTrent.hurt%40LOUISVILLE.EDU%7C24144332ed9d4ff77fef08d8c70663be%7Cdd246e4a54344e158ae391ad9797b209%7C0%7C0%7C637478177564794018%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=gQjAghxdhkCyIv%2FD1IEkZY8vRtbpK2BXR1IBXtykuMg%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7CTrent.hurt%40LOUISVILLE.EDU%7C24144332ed9d4ff77fef08d8c70663be%7Cdd246e4a54344e158ae391ad9797b209%7C0%7C0%7C637478177564794018%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=gQjAghxdhkCyIv%2FD1IEkZY8vRtbpK2BXR1IBXtykuMg%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7CTrent.hurt%40LOUISVILLE.EDU%7C24144332ed9d4ff77fef08d8c70663be%7Cdd246e4a54344e158ae391ad9797b209%7C0%7C0%7C637478177564804011%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=FvoTpFCpQSRzco8oGK74q5PfpkKQ6VzFlMNBUmSCaUo%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community