I know I’m singing to the choir when responding to you two, but it’s worth 
reminding readers that the main risk here isn’t to the network.  It’s to the 
user’s account credentials.  I’m pretty sure we think that’s important in 
higher ed too.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Wednesday, February 3, 2021 4:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

For higher ed, you're absolutely right. For all other enterprise use cases, 
credential security is super important.

Unfortunately a network supplicant is not aware of the deployment type and 
can't adapt.

tim
________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jennifer Minella 
<j...@cadinc.com>
Sent: Wednesday, February 3, 2021 16:26
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021


There’s a fine, grey line between optimal security and usability 😊



___________

Jennifer Minella, CISSP, HP MASE

VP of Engineering & Security

Carolina Advanced Digital, Inc.

www.cadinc.com<https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.cadinc.com%2F&data=04%7C01%7Ccae104%40PSU.EDU%7C7d13e3bf58a64becdd0b08d8c88b6ceb%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637479849522051838%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=aCgGCZzYFw1BYdeyPqyDu%2BXrihZJ2omIEFnTtDTMCKo%3D&reserved=0>

j...@cadinc.com<mailto:j...@cadinc.com>

919.460.1313 Main Office

919.539.2726 Mobile/text

[CAD LOGO EMAIL SIG]



From: Tim Cappalli <tim.cappa...@microsoft.com>
Sent: Monday, February 1, 2021 5:53 PM
Subject: Re: android 11 upcoming changes Feb 15th 2021



Jennifer, this has been extensively discussed on this list for the past few 
months which I why I said that nothing has changed since those conversations. 
This current thread makes it seem like more changes are coming in Android on 
February 15th which is NOT the case. There have been no changes since the 
December update and I'm not aware of any other changes in the Android 11 code 
train.



RE: Apple already does this: Android is the only operating system that requires 
a properly configured supplicant. Apple's TOFU model does not result in a 
proper configuration.



RE: wildcard, from the bottom of the message:



For example:

If the RADIUS server certificate’s Common Name = radius.domain.com Connect to 
these server names should be radius.domain.com



If the RADIUS server certificate’s Common Name = 
radius.lab.department.domain.com Connect to these server names should be 
*.department.domain.com or *.domain.com



They're recommending wildcard subject name matching if the environment uses a 
non-standard configuration. This is poor guidance and will result in credential 
compromise via MitM.



tim

________________________________

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Jennifer Minella <j...@cadinc.com<mailto:j...@cadinc.com>>
Sent: Monday, February 1, 2021 17:25
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



I may disagree with some of the other feedback here…  I think this is a big 
deal.



It sounds like Google will be enforcing proper server validation for 
802.1X-secured networks, based on what Trent sent originally. I believe Apple 
already has been enforcing this for a bit.



If my guess is correct (I’ll try to find a link) then what it means is – after 
this update, you can’t tell the endpoint to ignore or bypass the server 
certificate for 802.1X (any EAP method).



The impact of this is…

  *   If you’re organization has any endpoints that have been configured to use 
a secured network but are ignoring the server’s certificate – then that will 
STOP working suddenly at the update.
  *   This setting (ignore/don’t validate server cert) is not ideal but it’s 
prevalent especially for things like BYOD or HED device onboarding, testing, 
etc. It should be fixed but this is one of those things that could have a huge 
widespread impact if the endpoints/networks aren’t configured properly now.
  *   Typically proper settings for secured 1X networks are pushed through GPO, 
MDM, or an onboarding process through vendor tools (can be a server-based tool 
or a client-based config assist tool). If that wasn’t done then the endpoints 
may not have the server certificate installed and trusted, and if that’s the 
case they will just cease to work after the device upgrade.



Tim it’s not referencing a wildcard cert; they’re still using the specific FQDN 
for the COMMON NAME. The article references the connect to domains as a 
different field which is not the certificate CN.. ?



Yeah, here are some links…

•        A reddit article I hope is accurate b/c I only skimmed it

https://www.reddit.com/r/networking/comments/j7ero1/psa_android_11s_december_security_update_will/<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.reddit.com%2Fr%2Fnetworking%2Fcomments%2Fj7ero1%2Fpsa_android_11s_december_security_update_will%2F&data=04%7C01%7Ccae104%40PSU.EDU%7C7d13e3bf58a64becdd0b08d8c88b6ceb%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637479849522061841%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=ywiMMgDfiu6CCHP9ovxZ4az93iYQsDd6sTv20uDv344%3D&reserved=0>

The security patch for Android 11 (QPR1) will remove the "Do not validate" 
option under "CA certificate" for EAP server certificate validation to prevent 
misconfiguration resulting in credential leaks. This is very good news from a 
security standpoint!

•        Secure W2 article with the setting in reference to WPA3 (which removes 
several less-secure options for confgs)

https://www.securew2.com/blog/android-11-server-certificate-validation-error-solution/<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.securew2.com%2Fblog%2Fandroid-11-server-certificate-validation-error-solution%2F&data=04%7C01%7Ccae104%40PSU.EDU%7C7d13e3bf58a64becdd0b08d8c88b6ceb%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637479849522071831%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=u3jfdFR2D9tlFanrGhMlLUoFVbjJVgGVI32M5GrvdHs%3D&reserved=0>

•





___________

Jennifer Minella, CISSP, HP MASE

VP of Engineering & Security

Carolina Advanced Digital, Inc.

www.cadinc.com<https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.cadinc.com%2F&data=04%7C01%7Ccae104%40PSU.EDU%7C7d13e3bf58a64becdd0b08d8c88b6ceb%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637479849522071831%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=tvNAnK1vccGoEH6OWICOPORrK61E1gsn2EPV8fXKHEE%3D&reserved=0>

j...@cadinc.com<mailto:j...@cadinc.com>

919.460.1313 Main Office

919.539.2726 Mobile/text

[CAD LOGO EMAIL SIG]



From: Hurt,Trenton W. 
<trent.h...@louisville.edu<mailto:trent.h...@louisville.edu>>
Sent: Monday, February 1, 2021 4:54 PM
Subject: Re: android 11 upcoming changes Feb 15th 2021



Ok thanks as always for clarification as ive been seeing android 11 on campus 
and they work with our current eap tls onboard workflow.  I wasn’t sure if 
something else was coming on feb 15th that would cause some issue with this 
setup



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of Tim Cappalli
Sent: Monday, February 1, 2021 4:51 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



CAUTION: This email originated from outside of our organization. Do not click 
links, open attachments, or respond unless you recognize the sender's email 
address and know the contents are safe.

This is a bit misleading IMO. There are no further changes in Android 11 after 
the December update.



Seems like this is specific to Secure W2's product.



As a general best practice, you should be using a single EAP server 
certificate, signed using a PKI in your control, across your all your RADIUS 
servers.



It is very poor practice to use a wildcard for EAP subject name matching. I'm 
very disappointed to see vendors making that recommendation.



tim

________________________________

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Hurt,Trenton W. 
<trent.h...@louisville.edu<mailto:trent.h...@louisville.edu>>
Sent: Monday, February 1, 2021 16:46
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



FYI



I just received the following from securew2 about some additional security 
changes coming to android 11.







This action will need to take place before the upcoming Android application 
update that is planned for February 15th, 2021.



As you may already be aware, Google mandates server validation to be properly 
configured for WiFi from Android version 11. This means that any 802.1X WiFi 
configuration without the following two settings will fail to connect.



1.      Server Validation

2.      Connect to these server names



For more information about these configurations, please read below.



What is Server Validation in a Network Profile?

This configuration item is for clients to validate a RADIUS server certificate 
chain during an EAP authentication. Clients would forward its requests only 
when the received server certificate is signed by the CA that is configured on 
the SecureW2 Network Profile.  It may be required to upload only the Root CA of 
the RADIUS server certificate, however, in some cases, the full chain may need 
to be provided.



What is the Connect to these server names field?

This field is used to specify the name of your RADIUS server certificate using 
its Common Name. If there is only one RADIUS server in your setup, you can 
quickly find this name from the certificate. If there are more than one RADIUS 
servers, or if the RADIUS server Common Name has more than two subdomains, we 
advise to use a wildcard name.



For example:

If the RADIUS server certificate’s Common Name = radius.domain.com Connect to 
these server names should be radius.domain.com



If the RADIUS server certificate’s Common Name = 
radius.lab.department.domain.com Connect to these server names should be 
*.department.domain.com or *.domain.com









Thanks

Trent



Trenton Hurt, CWNE #172,ACMP,ACCP,CCNP(W),CCNA(W),CCNA(V),CCNA(R/S)

Network Analyst

University of Louisville

Phone (502) 852-1513



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ccae104%40PSU.EDU%7C7d13e3bf58a64becdd0b08d8c88b6ceb%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637479849522081824%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=qIl%2FaDb3wHt618cINrhjgVCzloTOWynJpF3Gy6rJ%2Fco%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ccae104%40PSU.EDU%7C7d13e3bf58a64becdd0b08d8c88b6ceb%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637479849522081824%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=qIl%2FaDb3wHt618cINrhjgVCzloTOWynJpF3Gy6rJ%2Fco%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ccae104%40PSU.EDU%7C7d13e3bf58a64becdd0b08d8c88b6ceb%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637479849522091820%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=xF5hmlraYYCskRGhsFcMcQ1lvdiIAPI3ecsOw0ymu2w%3D&reserved=0>

Visit 
https://cadinc.com/blog<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcadinc.com%2Fblog&data=04%7C01%7Ccae104%40PSU.EDU%7C7d13e3bf58a64becdd0b08d8c88b6ceb%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637479849522091820%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=4BagQYIdNlM2ypxG0AzVPtd6fdHgpru63qxUy0UFfVQ%3D&reserved=0>
 for tech articles and news.

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ccae104%40PSU.EDU%7C7d13e3bf58a64becdd0b08d8c88b6ceb%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637479849522101813%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=QdKqzJiLgbqbNv8xkC01Ngmdq9bhLF2igPXJfOkhck8%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ccae104%40PSU.EDU%7C7d13e3bf58a64becdd0b08d8c88b6ceb%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637479849522111809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=rzQB8vd0OiHOFcN%2BMhMNfwlVNc0nwxCGkmkkonZbaCE%3D&reserved=0>

Visit https://cadinc.com/blog for tech articles and news.

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ccae104%40PSU.EDU%7C7d13e3bf58a64becdd0b08d8c88b6ceb%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637479849522111809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=rzQB8vd0OiHOFcN%2BMhMNfwlVNc0nwxCGkmkkonZbaCE%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ccae104%40PSU.EDU%7C7d13e3bf58a64becdd0b08d8c88b6ceb%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637479849522121800%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=59f46emZJviiwj1GBULxigJUJEdzqOwY%2FYuDZKrvoAI%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Reply via email to