Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-22 Thread Fishel Erps
Tim,

Do you have time for a short phone call?




Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts
136 W 21st St., 8th Floor

New York, NY, 10011

LL: 212-592-2416
C:  347-539-6380
E:  fe...@sva.edu
___

Please excuse any typographical
errors as this e-mail has been sent
from my mobile device
___


On Sep 22, 2020, at 15:13, Tim Cappalli <
0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:


Fishel - as an aside, if the configuration guidance to users has been to
ignore the EAP server identity or configure their devices to not validate
it and the credential used for Wi-Fi is their primary password, I highly
recommend you issue an organization-wide password reset as all of those
credentials may have been compromised.


--
*From:* The EDUCAUSE Wireless Issues Community Group Listserv <
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Felix Windt <
felix.wi...@dartmouth.edu>
*Sent:* Tuesday, September 22, 2020 15:10
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
*Subject:* Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise


https://www.eduroam.org/configuration-assistant-tool-cat/



thx,

felix



*From: *The EDUCAUSE Wireless Issues Community Group Listserv <
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Patrick Mauretti <
pmaure...@massasoit.mass.edu>
*Reply-To: *The EDUCAUSE Wireless Issues Community Group Listserv <
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
*Date: *Tuesday, September 22, 2020 at 3:02 PM
*To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
*Subject: *Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise



Okay I’ll bite.  What’s the CAT tool you mentioned?  Link?



-Patrick





*From:* The EDUCAUSE Wireless Issues Community Group Listserv <
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Floyd, Brad
*Sent:* Tuesday, September 22, 2020 3:00 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise



*CAUTION:* This email originated from outside of Massasoit. Do not click
links or open attachments unless you recognize the sender and know the
content is safe.



Fishel,

We have run into this on some versions of Android OS and the solution that
works for us is to import our CA’s root certificate into the device. Once
we import the root certificate and select it during the profile setup, the
connection is established.

Thanks,

Brad



*From:* The EDUCAUSE Wireless Issues Community Group Listserv [
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
] *On Behalf Of *Fishel Erps
*Sent:* Tuesday, September 22, 2020 12:10 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise



Tim,



We use:



EAP Method = PEAP

Phase 2 = MSCHAPv2

CA Certificate = Unspecified

Identity = [username]

Password = [password]



The credentials trigger the return of a filter-ID from the RADIUS server to
the controller, which the controller then uses to put the user into a VLAN.



Some Android devices that are running version 11 no longer have an option
of “unspecified” under CA Certificate, and none of the other choices seem
to work.












On Sep 22, 2020, at 12:04, Tim Cappalli <
0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:

Can you please provide some basic details?

   - What exactly is "broken"?
   - Which EAP method?
   - Which credential type?
   - How is/was the supplicant provisioned?
   - Are only new devices affected or just upgraded devices?

--

*From:* The EDUCAUSE Wireless Issues Community Group Listserv <
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Fishel Erps <
0030ecf871d2-dmarc-requ...@listserv.educause.edu>
*Sent:* Tuesday, September 22, 2020 12:02
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
*Subject:* [WIRELESS-LAN] Android 11 and WPA-Enterprise



Hi,



v11 seems to have broken credential authentication for RADIUS and
WPA2-Enterprise/802.1x.



Has anyone found a workaround?









RE: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-22 Thread Tariq Adnan
Hi Tim,

How about choosing “use system certificate”, provided the CA cert is a valid 
public cert (QuoVadis CA) and in default certificate store of Android?

Thanks,




Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-22 Thread Fishel Erps
Tim,

Thank you.  This was extremely helpful.




Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-22 Thread Tim Cappalli
Fishel - as an aside, if the configuration guidance to users has been to ignore 
the EAP server identity or configure their devices to not validate it and the 
credential used for Wi-Fi is their primary password, I highly recommend you 
issue an organization-wide password reset as all of those credentials may have 
been compromised.
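
Added example, not part of the thread or of any poster's configuration: a small audit of supplicant profiles for the condition discussed above, a PEAP/MSCHAPv2 profile with no CA certificate, and for the weaker-than-it-looks case of a CA with no server name check. It assumes profiles in wpa_supplicant.conf syntax (the thread itself is about the Android settings UI); the SSIDs, certificate path and server name in the sample are constructed placeholders.

```python
"""Audit wpa_supplicant-style network blocks for EAP server validation gaps."""

# Constructed sample configuration. The first block mirrors the profile quoted
# in the thread (PEAP, MSCHAPv2, no CA certificate); SSIDs, the certificate
# path and the RADIUS server name are placeholders, not values from the thread.
SAMPLE_CONF = """
network={
    ssid="campus-legacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="username"
    password="password"
}
network={
    ssid="campus-ca-only"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-root.pem"
    identity="username"
    password="password"
}
network={
    ssid="campus-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-root.pem"
    domain_suffix_match="radius.example.edu"
    identity="username"
    password="password"
}
network={
    ssid="guest-psk"
    key_mgmt=WPA-PSK
    psk="not-an-eap-network"
}
"""

# EAP methods that authenticate the server with a TLS certificate.
TLS_METHODS = {"PEAP", "TTLS", "TLS"}
# wpa_supplicant options that constrain which server name the certificate may carry.
NAME_CHECKS = ("domain_suffix_match", "domain_match",
               "altsubject_match", "subject_match")


def parse_networks(text):
    """Return one dict of key/value settings per network={...} block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.replace(" ", "") == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_network(net):
    """Return finding codes for one parsed block (empty list = acceptable)."""
    methods = set(net.get("eap", "").upper().split())
    if not methods & TLS_METHODS:
        return []  # PSK and open networks are out of scope for this check
    ca = net.get("ca_cert") or net.get("ca_path")
    if not ca:
        # No trust anchor: the server certificate is not verified at all, so
        # the inner exchange runs in a tunnel to an unauthenticated endpoint.
        findings = ["NO_CA"]
        if "password" in net:
            findings.append("INNER_CREDENTIAL_EXPOSED")
        return findings
    if ca.startswith("hash://server/"):
        return []  # the server certificate itself is pinned by hash
    if not any(net.get(key) for key in NAME_CHECKS):
        # Any certificate issued under this CA is accepted, which matters
        # most when the trust anchor is a public CA.
        return ["NO_NAME_CHECK"]
    return []


def audit_config(text):
    """Map SSID -> findings for every TLS-based EAP profile in the config."""
    report = {}
    for net in parse_networks(text):
        if set(net.get("eap", "").upper().split()) & TLS_METHODS:
            report[net.get("ssid", "<no ssid>")] = audit_network(net)
    return report


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF).items():
        print(f"{ssid}: {', '.join(findings) or 'ok'}")
```

Profiles that report INNER_CREDENTIAL_EXPOSED are the ones the password-reset advice above applies to.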




Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-22 Thread Felix Windt
https://www.eduroam.org/configuration-assistant-tool-cat/

thx,
felix


RE: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-22 Thread Patrick Mauretti
Okay I’ll bite.  What’s the CAT tool you mentioned?  Link?

-Patrick



RE: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-22 Thread Floyd, Brad
Fishel,
We have run into this on some versions of Android OS and the solution that 
works for us is to import our CA’s root certificate into the device. Once we 
import the root certificate and select it during the profile setup, the 
connection is established.
Thanks,
Brad

Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


RE: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-22 Thread Johnson, Christopher
Side-Note that I wanted to mention about the wlan profiles in Android 10 and 
Android 11. At least in several of the devices I've had, there's a GUI defect 
where if you view a saved WLAN Profile – it’ll appear that the certificate 
settings have reverted back to “System Settings” – which can be a nuisance for 
two reasons. One being no visual distinction for end user that the profile is 
actually enforcing CA restrictions or the perception that the wlan profile 
isn’t configured correctly - https://issuetracker.google.com/issues/157535154
Christopher Johnson
Wireless Network Engineer
Office of Technology Solutions | Illinois State University
(309) 438-8444


-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Hunter Fuller
Sent: Tuesday, September 22, 2020 1:35 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: 
[WIRELESS-LAN] Android 11 and WPA-Enterprise



[This message came from an external source. If suspicious, report to 
ab...@ilstu.edu]



Tim,

We use CAT but we had to develop those instructions because CAT on
Android is very, very difficult for non-technical users. I guess we
will have to revise them.

Unfortunately it does not appear that the OP's institution is a member
of eduroam, so CAT won't help them in any case.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Tue, Sep 22, 2020 at 1:22 PM Tim Cappalli
<0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> You can only install a CA from inside the Settings now to prevent users from
> unintentionally installing a malicious root.
>
> Assuming you don't have a commercial supplicant provisioning platform, why
> not just use the CAT tool?
>
> tim
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv
>  on behalf of Hunter Fuller
> Sent: Tuesday, September 22, 2020 14:15
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and
> WPA-Enterprise
>
> Try these instructions. We had one Android 11 user report that they
> work. You will obviously need a copy of your institution's
> certificate.
>
> https://uah.teamdynamix.com/TDClient/2075/Portal/KB/ArticleDet?ID=84342
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering

> On Tue, Sep 22, 2020 at 12:10 PM Fishel Erps

> <0030ecf871d2-dmarc-requ...@listserv.educause.edu> wrote:

> >

> > Tim,

> >

> > We use:

> >

> > EAP Method = PEAP

> > Phase 2 = MSCHAPv2

> > CA Certificate = Unspecified

> > Identity = [username]

> > Password = [password]

> >

> > The credentials trigger the return of a filter-ID from the RADIUS server to 
> > the controller, which the controller then uses to put the user into a VLAN.

> >

> > Some android devices that are running version 11 no-longer have an option 
> > of “unspecified” under CA Certificate, and none of the other choices seem 
> > to work.

> >

> >

> >

> >

> > __

> > __

> >

> > Fishel Erps,

> > Sr. Network & Infrastructure Engineer

> > School of Visual Arts

> > 136 W 21st St., 8th Floor

> > New York, NY, 10011

> > LL: 212-592-2416

> > E:  fe...@sva.edu

> > ___

> >

> > Please excuse any typographical

> > errors as this e-mail has been sent

> > from my mobile device

> > ___

> >

> >

> > On Sep 22, 2020, at 12:04, Tim Cappalli 
> > <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:

> >

> > 

> > Can you please provide some basic details?

> >

> > What exactly is "broken"?

> > Which EAP method?

> > Which credential type?

> > How is/was the supplicant provisioned?

> > Are only new devices affected or just upgraded devices?

> >

> > 

> > From: The EDUCAUSE Wireless Issues Community Group Listserv 
> >  on behalf of Fishel Erps 
> > <0030ecf871d2-dmarc-requ...@listserv.educause.edu>

> > Sent: Tuesday, September 22, 2020 12:02

> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 

> > Subject: [WIRELESS-LAN] Android 11 and WPA-Enterprise

> >

> > Hi,

> >

> > v11 seems to have broken credential 

Re: [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-22 Thread Hunter Fuller
Tim,

We use CAT but we had to develop those instructions because CAT on
Android is very, very difficult for non-technical users. I guess we
will have to revise them.

Unfortunately it does not appear that the OP's institution is a member
of eduroam, so CAT won't help them in any case.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Tue, Sep 22, 2020 at 1:22 PM Tim Cappalli
<0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> You can only install a CA from inside the Settings now to prevent users from 
> unintentionally installing a malicious root.
>
> Assuming you don't have a commercial supplicant provisioning platform, why 
> not just use the CAT tool?
>
> tim
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of Hunter Fuller 
> 
> Sent: Tuesday, September 22, 2020 14:15
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and 
> WPA-Enterprise
>
> Try these instructions. We had one Android 11 user report that they
> work. You will obviously need a copy of your institution's
> certificate.
>
> https://uah.teamdynamix.com/TDClient/2075/Portal/KB/ArticleDet?ID=84342
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
> On Tue, Sep 22, 2020 at 12:10 PM Fishel Erps
> <0030ecf871d2-dmarc-requ...@listserv.educause.edu> wrote:
> >
> > Tim,
> >
> > We use:
> >
> > EAP Method = PEAP
> > Phase 2 = MSCHAPv2
> > CA Certificate = Unspecified
> > Identity = [username]
> > Password = [password]
> >
> > The credentials trigger the return of a filter-ID from the RADIUS server to 
> > the controller, which the controller then uses to put the user into a VLAN.
> >
> > Some android devices that are running version 11 no-longer have an option 
> > of “unspecified” under CA Certificate, and none of the other choices seem 
> > to work.
> >
> >
> >
> >
> > __
> > __
> >
> > Fishel Erps,
> > Sr. Network & Infrastructure Engineer
> > School of Visual Arts
> > 136 W 21st St., 8th Floor
> > New York, NY, 10011
> > LL: 212-592-2416
> > E:  fe...@sva.edu
> > ___
> >
> > Please excuse any typographical
> > errors as this e-mail has been sent
> > from my mobile device
> > ___
> >
> >
> > On Sep 22, 2020, at 12:04, Tim Cappalli 
> > <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
> >
> > 
> > Can you please provide some basic details?
> >
> > What exactly is "broken"?
> > Which EAP method?
> > Which credential type?
> > How is/was the supplicant provisioned?
> > Are only new devices affected or just upgraded devices?
> >
> > 
> > From: The EDUCAUSE Wireless Issues Community Group Listserv 
> >  on behalf of Fishel Erps 
> > <0030ecf871d2-dmarc-requ...@listserv.educause.edu>
> > Sent: Tuesday, September 22, 2020 12:02
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> > Subject: [WIRELESS-LAN] Android 11 and WPA-Enterprise
> >
> > Hi,
> >
> > v11 seems to have broken credential authentication for RADIUS and 
> > WPA2-Enterprise/802.1x.
> >
> > Has anyone found a workaround?
> >
> >
> >
> > __
> > __
> >
> > Fishel Erps,
> > Sr. Network & Infrastructure Engineer
> > School of Visual Arts
> > 136 W 21st St., 8th Floor
> > New York, NY, 10011
> > LL: 212-592-2416
> > C:  347-539-6380
> > E:  fe...@sva.edu
> > ___
> >
> > Please excuse any typographical
> > errors as this e-mail has been sent
> > from my mobile device
> > ___
> >
> > **
> > Replies to EDUCAUSE Community Group emails are sent to the entire community 
> > list. If you want to reply only to the person who sent the message, copy 
> > and paste their email address and forward the email reply. Additional 
> > participation and subscription information can be found at 
> > https://www.educause.edu/community

Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-22 Thread Tim Cappalli
You can only install a CA from inside the Settings now to prevent users from 
unintentionally installing a malicious root.

Assuming you don't have a commercial supplicant provisioning platform, why not 
just use the CAT tool?

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Hunter Fuller 
Sent: Tuesday, September 22, 2020 14:15
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and 
WPA-Enterprise

Try these instructions. We had one Android 11 user report that they
work. You will obviously need a copy of your institution's
certificate.

https://uah.teamdynamix.com/TDClient/2075/Portal/KB/ArticleDet?ID=84342

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Tue, Sep 22, 2020 at 12:10 PM Fishel Erps
<0030ecf871d2-dmarc-requ...@listserv.educause.edu> wrote:
>
> Tim,
>
> We use:
>
> EAP Method = PEAP
> Phase 2 = MSCHAPv2
> CA Certificate = Unspecified
> Identity = [username]
> Password = [password]
>
> The credentials trigger the return of a filter-ID from the RADIUS server to 
> the controller, which the controller then uses to put the user into a VLAN.
>
> Some android devices that are running version 11 no-longer have an option of 
> “unspecified” under CA Certificate, and none of the other choices seem to 
> work.
>
>
>
>
> __
> __
>
> Fishel Erps,
> Sr. Network & Infrastructure Engineer
> School of Visual Arts
> 136 W 21st St., 8th Floor
> New York, NY, 10011
> LL: 212-592-2416
> E:  fe...@sva.edu
> ___
>
> Please excuse any typographical
> errors as this e-mail has been sent
> from my mobile device
> ___
>
>
> On Sep 22, 2020, at 12:04, Tim Cappalli 
> <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> 
> Can you please provide some basic details?
>
> What exactly is "broken"?
> Which EAP method?
> Which credential type?
> How is/was the supplicant provisioned?
> Are only new devices affected or just upgraded devices?
>
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of Fishel Erps 
> <0030ecf871d2-dmarc-requ...@listserv.educause.edu>
> Sent: Tuesday, September 22, 2020 12:02
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> Subject: [WIRELESS-LAN] Android 11 and WPA-Enterprise
>
> Hi,
>
> v11 seems to have broken credential authentication for RADIUS and 
> WPA2-Enterprise/802.1x.
>
> Has anyone found a workaround?
>
>
>
> __
> __
>
> Fishel Erps,
> Sr. Network & Infrastructure Engineer
> School of Visual Arts
> 136 W 21st St., 8th Floor
> New York, NY, 10011
> LL: 212-592-2416
> C:  347-539-6380
> E:  fe...@sva.edu
> ___
>
> Please excuse any typographical
> errors as this e-mail has been sent
> from my mobile device
> ___
>

Re: [External] Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-22 Thread Hunter Fuller
Try these instructions. We had one Android 11 user report that they
work. You will obviously need a copy of your institution's
certificate.

https://uah.teamdynamix.com/TDClient/2075/Portal/KB/ArticleDet?ID=84342

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Tue, Sep 22, 2020 at 12:10 PM Fishel Erps
<0030ecf871d2-dmarc-requ...@listserv.educause.edu> wrote:
>
> Tim,
>
> We use:
>
> EAP Method = PEAP
> Phase 2 = MSCHAPv2
> CA Certificate = Unspecified
> Identity = [username]
> Password = [password]
>
> The credentials trigger the return of a filter-ID from the RADIUS server to 
> the controller, which the controller then uses to put the user into a VLAN.
>
> Some android devices that are running version 11 no-longer have an option of 
> “unspecified” under CA Certificate, and none of the other choices seem to 
> work.
>
>
>
>
> __
> __
>
> Fishel Erps,
> Sr. Network & Infrastructure Engineer
> School of Visual Arts
> 136 W 21st St., 8th Floor
> New York, NY, 10011
> LL: 212-592-2416
> E:  fe...@sva.edu
> ___
>
> Please excuse any typographical
> errors as this e-mail has been sent
> from my mobile device
> ___
>
>
> On Sep 22, 2020, at 12:04, Tim Cappalli 
> <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> 
> Can you please provide some basic details?
>
> What exactly is "broken"?
> Which EAP method?
> Which credential type?
> How is/was the supplicant provisioned?
> Are only new devices affected or just upgraded devices?
>
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>  on behalf of Fishel Erps 
> <0030ecf871d2-dmarc-requ...@listserv.educause.edu>
> Sent: Tuesday, September 22, 2020 12:02
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> Subject: [WIRELESS-LAN] Android 11 and WPA-Enterprise
>
> Hi,
>
> v11 seems to have broken credential authentication for RADIUS and 
> WPA2-Enterprise/802.1x.
>
> Has anyone found a workaround?
>
>
>
> __
> __
>
> Fishel Erps,
> Sr. Network & Infrastructure Engineer
> School of Visual Arts
> 136 W 21st St., 8th Floor
> New York, NY, 10011
> LL: 212-592-2416
> C:  347-539-6380
> E:  fe...@sva.edu
> ___
>
> Please excuse any typographical
> errors as this e-mail has been sent
> from my mobile device
> ___
>


Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-22 Thread Tim Cappalli
Not validating the EAP server identity is not really a valid configuration. You 
need to properly configure the supplicant with a trust anchor and subject name.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Fishel Erps 
<0030ecf871d2-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, September 22, 2020 1:10:19 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

Tim,

We use:

EAP Method = PEAP
Phase 2 = MSCHAPv2
CA Certificate = Unspecified
Identity = [username]
Password = [password]

The credentials trigger the return of a filter-ID from the RADIUS server to the 
controller, which the controller then uses to put the user into a VLAN.

Some android devices that are running version 11 no-longer have an option of 
“unspecified” under CA Certificate, and none of the other choices seem to work.




__
__

Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts
136 W 21st St., 8th Floor
New York, NY, 10011
LL: 212-592-2416
E:  fe...@sva.edu
___

Please excuse any typographical
errors as this e-mail has been sent
from my mobile device
___


On Sep 22, 2020, at 12:04, Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
 wrote:


Can you please provide some basic details?

  *   What exactly is "broken"?
  *   Which EAP method?
  *   Which credential type?
  *   How is/was the supplicant provisioned?
  *   Are only new devices affected or just upgraded devices?


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Fishel Erps 
<0030ecf871d2-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, September 22, 2020 12:02
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Android 11 and WPA-Enterprise

Hi,

v11 seems to have broken credential authentication for RADIUS and 
WPA2-Enterprise/802.1x.

Has anyone found a workaround?



__
__

Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts
136 W 21st St., 8th Floor
New York, NY, 10011
LL: 212-592-2416
C:  347-539-6380
E:  fe...@sva.edu
___

Please excuse any typographical
errors as this e-mail has been sent
from my mobile device
___
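
The trust anchor and subject name requirement from the reply above, checked against the profile quoted in this message, as an added example that is not part of the thread. It audits wpa_supplicant-style network blocks; using that syntax to stand in for the Android settings is an assumption, and the SSIDs, certificate path and server name are constructed.

```python
import re

# Constructed sample profiles. The first mirrors the settings quoted in the
# thread (PEAP / MSCHAPv2, no CA certificate); the others are for contrast.
SAMPLE_CONF = """
network={
    ssid="Campus-Legacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="username"
    password="password"
}

network={
    ssid="Campus-HalfDone"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-campus-ca.pem"
    identity="username"
    password="password"
}

network={
    ssid="Campus-Secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-campus-ca.pem"
    domain_suffix_match="radius.example.edu"
    identity="username"
    password="password"
}
"""

# wpa_supplicant options that supply a trust anchor / a server-name constraint.
TRUST_ANCHOR_KEYS = ("ca_cert", "ca_path")
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match",
                    "altsubject_match", "subject_match")
PASSWORD_INNER_METHODS = ("MSCHAPV2", "PAP", "GTC")


def parse_networks(conf_text):
    """Return one dict of option -> value for each network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\n\}", conf_text, re.DOTALL):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks


def audit_network(fields):
    """Return finding codes for one profile; empty list means no findings."""
    key_mgmt = fields.get("key_mgmt", "")
    if "EAP" not in key_mgmt and "IEEE8021X" not in key_mgmt:
        return []  # not an 802.1X profile, nothing to check here
    findings = []
    has_anchor = any(fields.get(k) for k in TRUST_ANCHOR_KEYS)
    has_name = any(fields.get(k) for k in SERVER_NAME_KEYS)
    if not has_anchor:
        findings.append("no-trust-anchor")
    if not has_name:
        # With only a CA pinned, any server certificate issued under that CA
        # is accepted, whatever name it carries.
        findings.append("no-server-name-check")
    inner = fields.get("phase2", "").upper()
    if not (has_anchor and has_name) and any(m in inner for m in PASSWORD_INNER_METHODS):
        # The inner password exchange goes to whichever server ends the tunnel.
        findings.append("inner-credentials-at-risk")
    return findings


def audit_conf(conf_text):
    """Map each SSID to its list of findings."""
    return {n.get("ssid", "<no ssid>"): audit_network(n)
            for n in parse_networks(conf_text)}


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF).items():
        print(f"{ssid}: {', '.join(findings) if findings else 'ok'}")
```
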




Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-22 Thread Fishel Erps
Tim,

We use:

EAP Method = PEAP
Phase 2 = MSCHAPv2
CA Certificate = Unspecified
Identity = [username]
Password = [password]

The credentials trigger the return of a filter-ID from the RADIUS server to
the controller, which the controller then uses to put the user into a VLAN.

Some android devices that are running version 11 no-longer have an option
of “unspecified” under CA Certificate, and none of the other choices seem
to work.




__
__

Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts
136 W 21st St., 8th Floor

New York, NY, 10011

LL: 212-592-2416
E:  fe...@sva.edu
___

Please excuse any typographical
errors as this e-mail has been sent
from my mobile device
___


On Sep 22, 2020, at 12:04, Tim Cappalli <
0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:


Can you please provide some basic details?

   - What exactly is "broken"?
   - Which EAP method?
   - Which credential type?
   - How is/was the supplicant provisioned?
   - Are only new devices affected or just upgraded devices?

--
*From:* The EDUCAUSE Wireless Issues Community Group Listserv <
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Fishel Erps <
0030ecf871d2-dmarc-requ...@listserv.educause.edu>
*Sent:* Tuesday, September 22, 2020 12:02
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
*Subject:* [WIRELESS-LAN] Android 11 and WPA-Enterprise

Hi,

v11 seems to have broken credential authentication for RADIUS and
WPA2-Enterprise/802.1x.

Has anyone found a workaround?



__
__

Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts
136 W 21st St., 8th Floor
New York, NY, 10011
LL: 212-592-2416
C:  347-539-6380
E:  fe...@sva.edu
___

Please excuse any typographical
errors as this e-mail has been sent
from my mobile device
___



Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

2020-09-22 Thread Tim Cappalli
Can you please provide some basic details?

  *   What exactly is "broken"?
  *   Which EAP method?
  *   Which credential type?
  *   How is/was the supplicant provisioned?
  *   Are only new devices affected or just upgraded devices?


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Fishel Erps 
<0030ecf871d2-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, September 22, 2020 12:02
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] Android 11 and WPA-Enterprise

Hi,

v11 seems to have broken credential authentication for RADIUS and 
WPA2-Enterprise/802.1x.

Has anyone found a workaround?



__
__

Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts
136 W 21st St., 8th Floor
New York, NY, 10011
LL: 212-592-2416
C:  347-539-6380
E:  fe...@sva.edu
___

Please excuse any typographical
errors as this e-mail has been sent
from my mobile device
___




Android 11 and WPA-Enterprise

2020-09-22 Thread Fishel Erps
Hi,

v11 seems to have broken credential authentication for RADIUS and
WPA2-Enterprise/802.1x.

Has anyone found a workaround?



__
__

Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts
136 W 21st St., 8th Floor

New York, NY, 10011

LL: 212-592-2416
C:  347-539-6380
E:  fe...@sva.edu
___

Please excuse any typographical
errors as this e-mail has been sent
from my mobile device
___



RE: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

2020-09-22 Thread Cody Ensanian
Maybe I'm missing something as well under the hood. However, the behavior I 
describe has been our observation in our testing and troubleshooting. Turning 
off "private address" for devices on our network seems to mitigate the issue 
for us, and I have not seen the blacklist issue recur after the feature is 
disabled.

As for the comment about the end users' privacy - the users are welcome to use 
the feature for other networks. It's either we (my campus) track and attribute 
their real MAC, or their fake one. Well, we've been seeing their real MAC 
address already. And the argument about privacy/tracking someone doesn't apply 
in my opinion since I'm not tracking their MAC address's whereabouts off 
campus. (where if they generate a random MAC for those networks, wouldn't 
matter anyway)

We also collect statistics on our networks (user counts, high use rooms, high 
use buildings, indoor vs outdoor, etc). If every new Apple device started 
identifying itself to our controllers as a "new device" now, our stats and 
reporting this year/semester would become highly skewed (without having to do a 
lot of extra work to "merge" what we believe were the same devices).

We also did not want to simply disable ARP-spoof detection on our controllers.

For the above reasons, we opted to have users disable the feature. At least for 
now. Perhaps we'll change our tactic once more research/testing is done and 
Aruba & Apple can report more specifically on what's going on under the hood.

Happy first day of fall,

Cody
University of Colorado Colorado Springs



-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jonathan Waldrep
Sent: Tuesday, September 22, 2020 7:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba 
Controllers

On 2020-09-21 15:59, Cody Ensain wrote:
> Which makes sense to me: pre-upgrade it's the device's real MAC 
> address/IP which is known by the controller... post-upgrade the 
> "private address" toggle is turned on by default, so iOS generates a 
> random MAC address for any wireless network profile on the device.
> Now, the phone tries sending traffic with new-MAC/IP combo and of 
> course the controller now thinks it's ARP spoofing.

 That doesn't make sense to me. The MAC is generated before the device 
associates. Once it has associated/auth'd, it will do DHCP and get a new 
address. From the controller's perspective, it just looks like a totally new 
device, not something spoofing.

 I could be missing something, though.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech



Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

2020-09-22 Thread Jonathan Waldrep
On 2020-09-21 15:59, Cody Ensain wrote:
> Which makes sense to me: pre-upgrade it's the device's real MAC
> address/IP which is known by the controller... post-upgrade the
> "private address" toggle is turned on by default, so iOS generates a
> random MAC address for any wireless network profile on the device.
> Now, the phone tries sending traffic with new-MAC/IP combo and of
> course the controller now thinks it's ARP spoofing.

 That doesn't make sense to me. The MAC is generated before the device
associates. Once it has associated/auth'd, it will do DHCP and get a new
address. From the controller's perspective, it just looks like a totally
new device, not something spoofing.

 I could be missing something, though.

-- 
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech


