I know I’m singing to the choir when responding to you two, but it’s worth reminding readers that the main risk here isn’t to the network. It’s to the user’s account credentials. I’m pretty sure we think that’s important in higher ed too.
From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Wednesday, February 3, 2021 4:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

For higher ed, you're absolutely right. For all other enterprise use cases, credential security is super important. Unfortunately a network supplicant is not aware of the deployment type and can't adapt.

tim

________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jennifer Minella <j...@cadinc.com>
Sent: Wednesday, February 3, 2021 16:26
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

There’s a fine, grey line between optimal security and usability 😊

___________
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Tim Cappalli <tim.cappa...@microsoft.com>
Sent: Monday, February 1, 2021 5:53 PM
Subject: Re: android 11 upcoming changes Feb 15th 2021

Jennifer, this has been extensively discussed on this list for the past few months, which is why I said that nothing has changed since those conversations. This current thread makes it seem like more changes are coming in Android on February 15th, which is NOT the case.
There have been no changes since the December update and I'm not aware of any other changes in the Android 11 code train.

RE: Apple already does this: Android is the only operating system that requires a properly configured supplicant. Apple's TOFU model does not result in a proper configuration.

RE: wildcard, from the bottom of the message:

For example:
If the RADIUS server certificate’s Common Name = radius.domain.com
Connect to these server names should be radius.domain.com
If the RADIUS server certificate’s Common Name = radius.lab.department.domain.com
Connect to these server names should be *.department.domain.com or *.domain.com

They're recommending wildcard subject name matching if the environment uses a non-standard configuration. This is poor guidance and will result in credential compromise via MitM.

tim

________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jennifer Minella <j...@cadinc.com>
Sent: Monday, February 1, 2021 17:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

I may disagree with some of the other feedback here… I think this is a big deal. It sounds like Google will be enforcing proper server validation for 802.1X-secured networks, based on what Trent sent originally. I believe Apple already has been enforcing this for a bit. If my guess is correct (I’ll try to find a link) then what it means is – after this update, you can’t tell the endpoint to ignore or bypass the server certificate for 802.1X (any EAP method).
The impact of this is…
* If your organization has any endpoints that have been configured to use a secured network but are ignoring the server’s certificate – then that will STOP working suddenly at the update.
* This setting (ignore/don’t validate server cert) is not ideal but it’s prevalent, especially for things like BYOD or HED device onboarding, testing, etc. It should be fixed, but this is one of those things that could have a huge widespread impact if the endpoints/networks aren’t configured properly now.
* Typically proper settings for secured 1X networks are pushed through GPO, MDM, or an onboarding process through vendor tools (can be a server-based tool or a client-based config assist tool). If that wasn’t done then the endpoints may not have the server certificate installed and trusted, and if that’s the case they will just cease to work after the device upgrade.

Tim, it’s not referencing a wildcard cert; they’re still using the specific FQDN for the COMMON NAME. The article references the connect-to domains as a different field which is not the certificate CN.. ?

Yeah, here are some links…
• A reddit article I hope is accurate b/c I only skimmed it
https://www.reddit.com/r/networking/comments/j7ero1/psa_android_11s_december_security_update_will/
The security patch for Android 11 (QPR1) will remove the "Do not validate" option under "CA certificate" for EAP server certificate validation to prevent misconfiguration resulting in credential leaks. This is very good news from a security standpoint!
• Secure W2 article with the setting in reference to WPA3 (which removes several less-secure options for configs)
https://www.securew2.com/blog/android-11-server-certificate-validation-error-solution/

___________
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Hurt,Trenton W. <trent.h...@louisville.edu>
Sent: Monday, February 1, 2021 4:54 PM
Subject: Re: android 11 upcoming changes Feb 15th 2021

Ok, thanks as always for the clarification, as I've been seeing Android 11 on campus and they work with our current EAP-TLS onboard workflow.
I wasn’t sure if something else was coming on Feb 15th that would cause some issue with this setup.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Monday, February 1, 2021 4:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

This is a bit misleading IMO. There are no further changes in Android 11 after the December update. Seems like this is specific to Secure W2's product. As a general best practice, you should be using a single EAP server certificate, signed using a PKI in your control, across all your RADIUS servers. It is very poor practice to use a wildcard for EAP subject name matching. I'm very disappointed to see vendors making that recommendation.

tim

________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hurt,Trenton W. <trent.h...@louisville.edu>
Sent: Monday, February 1, 2021 16:46
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

FYI, I just received the following from SecureW2 about some additional security changes coming to Android 11.

This action will need to take place before the upcoming Android application update that is planned for February 15th, 2021. As you may already be aware, Google mandates server validation to be properly configured for WiFi from Android version 11.
This means that any 802.1X WiFi configuration without the following two settings will fail to connect.
1. Server Validation
2. Connect to these server names
For more information about these configurations, please read below.

What is Server Validation in a Network Profile?
This configuration item is for clients to validate a RADIUS server certificate chain during an EAP authentication. Clients would forward their requests only when the received server certificate is signed by the CA that is configured on the SecureW2 Network Profile. It may be required to upload only the Root CA of the RADIUS server certificate; however, in some cases, the full chain may need to be provided.

What is the Connect to these server names field?
This field is used to specify the name of your RADIUS server certificate using its Common Name. If there is only one RADIUS server in your setup, you can quickly find this name from the certificate. If there is more than one RADIUS server, or if the RADIUS server Common Name has more than two subdomains, we advise using a wildcard name.
For example:
If the RADIUS server certificate’s Common Name = radius.domain.com
Connect to these server names should be radius.domain.com
If the RADIUS server certificate’s Common Name = radius.lab.department.domain.com
Connect to these server names should be *.department.domain.com or *.domain.com

Thanks
Trent

Trenton Hurt, CWNE #172, ACMP, ACCP, CCNP(W), CCNA(W), CCNA(V), CCNA(R/S)
Network Analyst
University of Louisville
Phone (502) 852-1513

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at https://www.educause.edu/community
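The SecureW2 notice quoted in Trent's original message recommends a wildcard for "Connect to these server names", and Tim's replies argue that wildcard subject matching leads to credential compromise via a rogue access point. The Python model below is added here for comparison; it is not part of the thread and is not code from SecureW2, Google or any supplicant. It runs one legitimate RADIUS server certificate and two rogue-AP certificates through each configuration the thread mentions: no validation (the option the December Android 11 update removed), CA only, the two wildcard forms from the vendor text, a label-boundary suffix match (the semantics wpa_supplicant uses for domain_suffix_match), and the exact FQDN. The CA name, host names and certificate records are constructed; the attacker's assumed certificates (a self-signed one, and one the same private CA issued for some other host in the domain) are assumptions; and the reading of the vendor's wildcard as a glob where `*` spans several labels is an assumption drawn from their own example, since the page does not say how they implement it.

```python
"""Model of an EAP supplicant's server-certificate policy, added to compare the
"Connect to these server names" choices discussed in the thread above.
Constructed example: certificates are plain records, not parsed X.509."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class Cert:
    """Stand-in for a RADIUS server certificate (constructed, not real X.509)."""
    issuer: str            # CA that signed it
    cn: str                # subject Common Name
    sans: tuple = ()       # dNSName subjectAltName entries, if any


@dataclass(frozen=True)
class Policy:
    """What the supplicant has been told to require of the server."""
    trusted_ca: Optional[str]   # None models the removed "Do not validate" option
    server_name: Optional[str]  # None models "CA configured, no server name"
    mode: str = "exact"         # "exact", "wildcard" or "suffix"


def candidate_names(cert: Cert) -> tuple:
    # Like wpa_supplicant: use dNSName SANs when present, otherwise fall back to the CN.
    return tuple(cert.sans) if cert.sans else (cert.cn,)


def name_matches(pattern: str, name: str, mode: str) -> bool:
    name, pattern = name.lower().rstrip("."), pattern.lower().rstrip(".")
    if mode == "exact":
        return name == pattern
    if mode == "wildcard":
        # Assumption: the vendor's "*.domain.com" is a glob where '*' spans any
        # number of labels; their own example needs it to match a four-label name.
        return fnmatchcase(name, pattern)
    if mode == "suffix":
        # wpa_supplicant domain_suffix_match semantics: the exact name, or a
        # subdomain of it on a label boundary (so "xdomain.com" does not match).
        return name == pattern or name.endswith("." + pattern)
    raise ValueError(f"unknown match mode {mode!r}")


def accept(policy: Policy, cert: Cert) -> tuple:
    """Return (accepted, reason) for a server certificate presented during EAP."""
    if policy.trusted_ca is None:
        return True, "no validation: any certificate accepted, credentials go to anyone"
    if cert.issuer != policy.trusted_ca:
        return False, f"issuer {cert.issuer!r} is not the configured CA"
    if policy.server_name is None:
        return True, "CA matched; no server name configured"
    for n in candidate_names(cert):
        if name_matches(policy.server_name, n, policy.mode):
            return True, f"CA matched and {n!r} matches {policy.server_name!r} ({policy.mode})"
    return False, f"CA matched but {candidate_names(cert)} does not match {policy.server_name!r}"


CA = "Example University RADIUS CA"  # assumed private PKI, as the thread recommends

# Constructed servers. The rogue AP cases assume the attacker can present either a
# self-signed certificate, or a certificate the same CA issued for some other host
# in the domain (any non-RADIUS host certificate from that PKI will do).
LEGIT = Cert(issuer=CA, cn="radius.lab.department.domain.com")
ROGUE_SAME_CA = Cert(issuer=CA, cn="printer.lab.department.domain.com")
ROGUE_SELF_SIGNED = Cert(issuer="Rogue AP", cn="radius.lab.department.domain.com")

POLICIES = {
    "do not validate": Policy(None, None),
    "CA only": Policy(CA, None),
    "CA + *.domain.com": Policy(CA, "*.domain.com", "wildcard"),
    "CA + *.department.domain.com": Policy(CA, "*.department.domain.com", "wildcard"),
    "CA + suffix department.domain.com": Policy(CA, "department.domain.com", "suffix"),
    "CA + exact FQDN": Policy(CA, "radius.lab.department.domain.com", "exact"),
}


def evaluate() -> dict:
    """Per policy: (accepts legit server, accepts rogue same-CA cert, accepts self-signed rogue)."""
    return {
        label: tuple(accept(p, c)[0] for c in (LEGIT, ROGUE_SAME_CA, ROGUE_SELF_SIGNED))
        for label, p in POLICIES.items()
    }


if __name__ == "__main__":
    for label, (legit, rogue_ca, rogue_self) in evaluate().items():
        print(f"{label:36} legit={legit!s:5} rogue(same CA)={rogue_ca!s:5} rogue(self-signed)={rogue_self}")
```

Run as a script, the table shows the three tiers the thread is arguing about: "do not validate" accepts everything, including the self-signed rogue, which is the credential leak the December update closes; every CA-pinned policy rejects the self-signed rogue; but only the exact FQDN rejects a certificate the same CA issued for another host, because `*.domain.com`, `*.department.domain.com` and a suffix match on `department.domain.com` all accept `printer.lab.department.domain.com`. With a single EAP server certificate shared across all RADIUS servers, as Tim recommends, the exact name is always available and the wildcard buys nothing.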