Re: [EXTERNAL] Re: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-16 Thread Tim Cappalli
The RADIUS component is not the issue here and even if it was, there are many 
free solutions on the market.

(not that I’ve ever recommended NPS, but you can absolutely run NPS in a VM in 
Azure… or AWS or GCP)

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of James Andrewartha 

Date: Saturday, January 16, 2021 at 21:31
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] Android 11 and Cert 
Verification
I’m arguing on behalf of the many poorly-resourced environments where NPS has a 
marginal cost of zero, and that enabling TOFU would be a simple thing to 
improve their security. Most of these places don’t have the budget or expertise 
for something like CPPM (I have it and even I’m intimidated by it). Microsoft 
isn’t helping because there’s no cloud RADIUS (NPS is explicitly not supported 
in Azure). It’s the responsibility of vendors to provide accessible tools for 
security.

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


RE: [EXTERNAL] Re: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-16 Thread James Andrewartha
I’m arguing on behalf of the many poorly-resourced environments where NPS has a 
marginal cost of zero, and that enabling TOFU would be a simple thing to 
improve their security. Most of these places don’t have the budget or expertise 
for something like CPPM (I have it and even I’m intimidated by it). Microsoft 
isn’t helping because there’s no cloud RADIUS (NPS is explicitly not supported 
in Azure). It’s the responsibility of vendors to provide accessible tools for 
security.

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Turpin, Max
Sent: Sunday, 17 January 2021 7:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] Android 11 and Cert 
Verification

You do have to maintain a pki or have someone else do it but CRLs are hardly 
necessary if you do identity checking as part of your radius service. If you 
want to do posture checking you will need to use some sort of agent (as far as 
I know) so that could certainly be part of your onboarding solution.

The fact that the majority of environments fail to deploy 802.1x correctly 
doesn’t take away the responsibility of institutions to fix it and provide a 
secure solution to users even if it means educating the administration and 
users on what must be done now to access the network. And as we almost all 
know, the problem is not a technical one now, but one of communication.

Max


Re: [EXTERNAL] Re: [WIRELESS-LAN] ArubaOS 8.5.0.11 or 8.6.0.6 Experiences?

2021-01-16 Thread Turpin, Max
I am running I got his MTU issue right now. But we also do not have CPSec 
enabled and are going to be enabling it. The MTU should be 1200 with CPSec 
enabled. Are you saying this bug is fixed in 8.5.0.11?

Many thanks.

On Jan 15, 2021, at 6:16 PM, Johnson, Christopher  wrote:


Thanks to everyone that responded! Myself and my coworkers were greatly 
impressed and surprised about the amount of feedback and information we got 
from each experience!

We performed an upgrade to 8.5.0.11 successfully without any issues except for 
one AP-225 (think the AP is just bad) – which is really good compared to past 
situations.

  *   We are still seeing an “MTU issue” where the AP seems to be ignoring its 
SAP MTU of 1200, and defaulting to 1500 upon reboot. Which affects Campus APs 
behind Hardware Cisco ASA. 8.5.0.11 release notes had a fix related to this (or 
so thought) – working with TAC on that.
  *   I’ll start another post related to Campus APs and VPNs – want to pick 
some brains on that isn’t related to typical “MTU issues” - 😊

Sides that things are going pretty good. Still working on an issue with 
AirGroup Servers not being purged when they age out of the user-table.

Again thank you for everyone’s experiences! Greatly appreciated!
Christopher Johnson
Wireless Network Engineer
Office of Technology Solutions | Illinois State University
(309) 438-8444

Stay connected with ISU IT news and tips with @ISU IT Help on Facebook and Twitter

From: Johnson, Christopher
Sent: Thursday, December 17, 2020 2:50 PM
To: The EDUCAUSE Wireless Issues Community Group Listserv 

Subject: ArubaOS 8.5.0.11 or 8.6.0.6 Experiences?

We’re considering doing some pre-emptive maintenance before winter-break ends 
to resolve a couple issues, and was curious if anyone is running ArubaOS 
8.5.0.11 or 8.6.0.6 (200/220 and 270 Series APs) and what their experiences 
have been?
Christopher Johnson
Wireless Network Engineer
Office of Technology Solutions | Illinois State University
(309) 438-8444

Stay connected with ISU IT news and tips with @ISU IT Help on Facebook and Twitter


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community



Re: [EXTERNAL] Re: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-16 Thread Turpin, Max
You do have to maintain a pki or have someone else do it but CRLs are hardly 
necessary if you do identity checking as part of your radius service. If you 
want to do posture checking you will need to use some sort of agent (as far as 
I know) so that could certainly be part of your onboarding solution.

The fact that the majority of environments fail to deploy 802.1x correctly 
doesn’t take away the responsibility of institutions to fix it and provide a 
secure solution to users even if it means educating the administration and 
users on what must be done now to access the network. And as we almost all 
know, the problem is not a technical one now, but one of communication.

Max

On Jan 16, 2021, at 10:56 AM, James Andrewartha  
wrote:


Certificate enrolment sucks for BYOD though, there’s no ongoing posture 
checking, and you have to maintain a CA and CRL.

SSH uses TOFU and is more comparable to RADIUS in that you only connect to a 
limited number of hosts with rarely changing fingerprints.

I find it curious that this change is only on Pixel devices, is that because no 
others have Android 11 or because only Google is implementing it?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

Re: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-16 Thread Tim Cappalli
And I should add, you do not have to use client certificates to address the 
core challenge of properly configuring supplicants in a wizard-like fashion 
while protecting user credentials in federated environments.

A per-device username and password can be used in combination with 
profile-based provisioning (available in some way, shape or form on each 
platform).

This is actually what many non-cellular SPs use for Passpoint.

Example:

Username: 1264CCBB-0D2E-44C5-B045-6D191EA65A4D
Password: y7A96MhKjf05R5nueRtk1QZ9TEqhlhY6zL
Anonymous Identity: anonym...@mydomain.edu

(This is actually how I deploy my personal network using some custom logic in 
CPPM 😊 )

While it’s not as strong as a certificate and is not a device bound credential, 
it is better than using a user’s credentials (even when the supplicant is 
managed) and can be embedded into a profile in a web-based enrollment flow.

tim
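
As an added illustration (not part of the original post, and not the CPPM logic it mentions), the Python sketch below generates a per-device credential of the kind shown above and audits a supplicant profile for the server-validation settings this thread argues about. It assumes wpa_supplicant network-block syntax as the profile format; the realm, server name, CA path, finding codes and function names are constructed for the example.

```python
import re
import secrets
import uuid

# Constructed values for illustration; none of them come from the thread.
REALM = "example.edu"
RADIUS_DOMAIN = "radius.example.edu"
CA_PATH = "/etc/ssl/certs/example-edu-radius-ca.pem"

# A hand-typed profile with no server validation (constructed sample).
WEAK_BLOCK = """network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="jdoe@example.edu"
    password="constructed-sample-password"
}
"""

FINDINGS = {
    "NO_CA": "no ca_cert/ca_path: the server certificate is not validated",
    "NO_SERVER_NAME": "no server name match: any certificate from the CA is accepted",
    "NO_ANON_ID": "no anonymous_identity: the real identity is sent outside the tunnel",
    "USER_CREDENTIAL": "identity is not a per-device UUID (heuristic for this example)",
}
UUID_RE = re.compile(r"[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}", re.I)
NAME_MATCH_KEYS = ("domain_suffix_match", "domain_match",
                   "altsubject_match", "subject_match")


def new_device_credential(realm):
    """Per-device credential: random UUID username, random password, and an
    anonymous outer identity so the real username stays inside the tunnel."""
    return {
        "identity": str(uuid.uuid4()).upper(),
        "password": secrets.token_urlsafe(26),
        "anonymous_identity": f"anonymous@{realm}",
    }


def render_network_block(ssid, cred, ca_cert, server_domain):
    """Emit a network block that pins the issuing CA and the server name."""
    fields = [
        ("ssid", f'"{ssid}"'),
        ("key_mgmt", "WPA-EAP"),
        ("eap", "PEAP"),
        ("phase2", '"auth=MSCHAPV2"'),
        ("identity", f'"{cred["identity"]}"'),
        ("anonymous_identity", f'"{cred["anonymous_identity"]}"'),
        ("password", f'"{cred["password"]}"'),
        ("ca_cert", f'"{ca_cert}"'),
        ("domain_suffix_match", f'"{server_domain}"'),
    ]
    body = "\n".join(f"    {key}={value}" for key, value in fields)
    return "network={\n" + body + "\n}\n"


def parse_network_block(text):
    """Parse the key=value lines of one network block (quotes removed)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line in ("network={", "}"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_network_block(text):
    """Return finding codes for one network block, in a fixed order."""
    s = parse_network_block(text)
    if "eap" not in s:
        return []  # not an 802.1X network, nothing to check here
    findings = []
    if not (s.get("ca_cert") or s.get("ca_path")):
        findings.append("NO_CA")
    if not any(s.get(key) for key in NAME_MATCH_KEYS):
        findings.append("NO_SERVER_NAME")
    if s["eap"].upper() in ("PEAP", "TTLS") and not s.get("anonymous_identity"):
        findings.append("NO_ANON_ID")
    if not UUID_RE.fullmatch(s.get("identity", "")):
        findings.append("USER_CREDENTIAL")
    return findings


if __name__ == "__main__":
    cred = new_device_credential(REALM)
    good = render_network_block("eduroam", cred, CA_PATH, RADIUS_DOMAIN)
    print(good)
    for name, block in (("provisioned", good), ("hand-typed", WEAK_BLOCK)):
        codes = audit_network_block(block)
        print(name, "->", codes or "ok")
        for code in codes:
            print("   ", FINDINGS[code])
```

The UUID check is only a heuristic for "this looks like a per-device credential rather than a user account"; the two server-validation findings are the ones that correspond to the manual, certificate-less profiles discussed in this thread.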

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Saturday, January 16, 2021 at 11:12
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

  *   Certificate enrolment sucks for BYOD though, there’s no ongoing posture 
checking, and you have to maintain a CA and CRL.


There are many aaS offerings and even the on-premises solutions do most of the 
CA management automagically. It is rare that you need to fully manage a PKI for 
unmanaged device access.


  *   SSH uses TOFU and is more comparable to RADIUS in that you only connect 
to a limited number of hosts with rarely changing fingerprints.


Sure, but the fingerprint for an SSH server can be explicitly compared since it 
is equivalent to a self-signed trust model.

There are also ways of binding an SSH server fingerprint to a domain name that 
is queried and evaluated on connection. That doesn’t exist with EAP.


  *   I find it curious that this change is only on Pixel devices, is that 
because no others have Android 11 or because only Google is implementing it?

The change was made in the core Android code. Pixels usually roll out new code 
first. As other OEMs integrate the code, it will show up.

tim


Re: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-16 Thread Tim Cappalli
  *   Certificate enrolment sucks for BYOD though, there’s no ongoing posture 
checking, and you have to maintain a CA and CRL.


There are many aaS offerings and even the on-premises solutions do most of the 
CA management automagically. It is rare that you need to fully manage a PKI for 
unmanaged device access.


  *   SSH uses TOFU and is more comparable to RADIUS in that you only connect 
to a limited number of hosts with rarely changing fingerprints.


Sure, but the fingerprint for an SSH server can be explicitly compared since it 
is equivalent to a self-signed trust model.

There are also ways of binding an SSH server fingerprint to a domain name that 
is queried and evaluated on connection. That doesn’t exist with EAP.


  *   I find it curious that this change is only on Pixel devices, is that 
because no others have Android 11 or because only Google is implementing it?

The change was made in the core Android code. Pixels usually roll out new code 
first. As other OEMs integrate the code, it will show up.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of James Andrewartha 

Date: Saturday, January 16, 2021 at 10:56
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification
Certificate enrolment sucks for BYOD though, there’s no ongoing posture 
checking, and you have to maintain a CA and CRL.

SSH uses TOFU and is more comparable to RADIUS in that you only connect to a 
limited number of hosts with rarely changing fingerprints.

I find it curious that this change is only on Pixel devices, is that because no 
others have Android 11 or because only Google is implementing it?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


RE: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-16 Thread James Andrewartha
Certificate enrolment sucks for BYOD though, there's no ongoing posture 
checking, and you have to maintain a CA and CRL.

SSH uses TOFU and is more comparable to RADIUS in that you only connect to a 
limited number of hosts with rarely changing fingerprints.

I find it curious that this change is only on Pixel devices, is that because no 
others have Android 11 or because only Google is implementing it?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 11:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

EAP-TLS is modern, strong authentication. And enrollment can even use 
passwordless.
Imagine if browsers operated on the TOFU model?
tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Andrewartha 
<jandrewar...@ccgs.wa.edu.au>
Sent: Saturday, January 16, 2021 10:31:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

I disagree, but OWE or SAE with a captive portal then? At least I can use 
modern authentication methods like hardware keys and TOTP with a browser.

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 11:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Because trust on first use is almost as bad as not trusting at all.

Properly deploy 802.1X or don't use it. Sorry to be harsh but this same 
conversation multiple times per year, every year is tiring.

Tom

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Andrewartha 
<jandrewar...@ccgs.wa.edu.au>
Sent: Saturday, January 16, 2021 10:11:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Why couldn't Google add trust-on-first-use to Android like Apple has with iOS 
and macOS, and Microsoft has in Windows?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 6:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

> "many colleges provided instructions as such."

This is one of the many reasons the change was made. Not just colleges, 
enterprises as well.

These instructions are worse than instructing users to do this:

chrome.exe --ignore-certificate-errors

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Angelo Santabarbara 
<asantabarb...@siena.edu>
Date: Friday, January 15, 2021 at 17:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Correct, Tim. I failed to clarify that you can no longer set up eduroam profiles 
manually without a certificate.  Previously this worked and many colleges 
provided instructions as such. With the most recent update this is no longer 
possible so we had to resort to using the eduroam CAT tool to provide a simple 
method of joining eduroam.

-Angelo D. Santabarbara, MBA
Director Networks & Systems | Siena College
O 518-782-6996
E asantabarb...@siena.edu
W siena.edu


Re: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-16 Thread Tim Cappalli
EAP-TLS is modern, strong authentication. And enrollment can even use 
passwordless.

Imagine if browsers operated on the TOFU model?

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of 
James Andrewartha
Sent: Saturday, January 16, 2021 10:31:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

I disagree, but OWE or SAE with a captive portal then? At least I can use 
modern authentication methods like hardware keys and TOTP with a browser.

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of 
Tim Cappalli
Sent: Saturday, 16 January 2021 11:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Because trust on first use is almost as bad as not trusting at all.

Properly deploy 802.1X or don't use it. Sorry to be harsh but this same 
conversation multiple times per year, every year is tiring.

Tom

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Andrewartha 
<jandrewar...@ccgs.wa.edu.au>
Sent: Saturday, January 16, 2021 10:11:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Why couldn’t Google add trust-on-first-use to Android like Apple has with iOS 
and macOS, and Microsoft has in Windows?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 6:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

> “many colleges provided instructions as such.”

This is one of the many reasons the change was made. Not just colleges, 
enterprises as well.

These instructions are worse than instructing users to do this:

chrome.exe --ignore-certificate-errors

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Angelo Santabarbara 
<asantabarb...@siena.edu>
Date: Friday, January 15, 2021 at 17:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Correct, Tim. I failed to clarify that you can no longer set up eduroam profiles 
manually without a certificate.  Previously this worked and many colleges 
provided instructions as such. With the most recent update this is no longer 
possible so we had to resort to using the eduroam CAT tool to provide a simple 
method of joining eduroam.

—Angelo D. Santabarbara, MBA
Director Networks & Systems | Siena College
O 518-782-6996
E asantabarb...@siena.edu
W siena.edu


RE: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-16 Thread James Andrewartha
I disagree, but OWE or SAE with a captive portal then? At least I can use 
modern authentication methods like hardware keys and TOTP with a browser.

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of 
Tim Cappalli
Sent: Saturday, 16 January 2021 11:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Because trust on first use is almost as bad as not trusting at all.

Properly deploy 802.1X or don't use it. Sorry to be harsh but this same 
conversation multiple times per year, every year is tiring.

Tom

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Andrewartha 
<jandrewar...@ccgs.wa.edu.au>
Sent: Saturday, January 16, 2021 10:11:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Why couldn't Google add trust-on-first-use to Android like Apple has with iOS 
and macOS, and Microsoft has in Windows?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 6:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

> "many colleges provided instructions as such."

This is one of the many reasons the change was made. Not just colleges, 
enterprises as well.

These instructions are worse than instructing users to do this:

chrome.exe --ignore-certificate-errors

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Angelo Santabarbara 
<asantabarb...@siena.edu>
Date: Friday, January 15, 2021 at 17:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Correct, Tim. I failed to clarify that you can no longer set up eduroam profiles 
manually without a certificate.  Previously this worked and many colleges 
provided instructions as such. With the most recent update this is no longer 
possible so we had to resort to using the eduroam CAT tool to provide a simple 
method of joining eduroam.

-Angelo D. Santabarbara, MBA
Director Networks & Systems | Siena College
O 518-782-6996
E asantabarb...@siena.edu
W siena.edu


Re: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-16 Thread Tim Cappalli
Because trust on first use is almost as bad as not trusting at all.

Properly deploy 802.1X or don't use it. Sorry to be harsh but this same 
conversation multiple times per year, every year is tiring.

Tom

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of 
James Andrewartha
Sent: Saturday, January 16, 2021 10:11:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Why couldn’t Google add trust-on-first-use to Android like Apple has with iOS 
and macOS, and Microsoft has in Windows?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of 
Tim Cappalli
Sent: Saturday, 16 January 2021 6:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

> “many colleges provided instructions as such.”

This is one of the many reasons the change was made. Not just colleges, 
enterprises as well.

These instructions are worse than instructing users to do this:

chrome.exe --ignore-certificate-errors

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Angelo Santabarbara 
<asantabarb...@siena.edu>
Date: Friday, January 15, 2021 at 17:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Correct, Tim. I failed to clarify that you can no longer set up eduroam profiles 
manually without a certificate.  Previously this worked and many colleges 
provided instructions as such. With the most recent update this is no longer 
possible so we had to resort to using the eduroam CAT tool to provide a simple 
method of joining eduroam.

—Angelo D. Santabarbara, MBA
Director Networks & Systems | Siena College
O 518-782-6996
E asantabarb...@siena.edu
W siena.edu


RE: [WIRELESS-LAN] Android 11 and Cert Verification

2021-01-16 Thread James Andrewartha
Why couldn't Google add trust-on-first-use to Android like Apple has with iOS 
and macOS, and Microsoft has in Windows?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of 
Tim Cappalli
Sent: Saturday, 16 January 2021 6:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

> "many colleges provided instructions as such."

This is one of the many reasons the change was made. Not just colleges, 
enterprises as well.

These instructions are worse than instructing users to do this:

chrome.exe --ignore-certificate-errors

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Angelo Santabarbara 
<asantabarb...@siena.edu>
Date: Friday, January 15, 2021 at 17:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Correct, Tim. I failed to clarify that you can no longer set up eduroam profiles 
manually without a certificate.  Previously this worked and many colleges 
provided instructions as such. With the most recent update this is no longer 
possible so we had to resort to using the eduroam CAT tool to provide a simple 
method of joining eduroam.

-Angelo D. Santabarbara, MBA
Director Networks & Systems | Siena College
O 518-782-6996
E asantabarb...@siena.edu
W siena.edu
