RE: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and Cert Verification

2020-10-13 Thread Sweetser, Frank E.
We have a multi-purpose unencrypted SSID available across campus.  When an 
unregistered device connects, it's dropped into a highly restricted firewall 
role on the Aruba controller and redirected to a splash page where they can 
choose the guest option (either self-serve pass creation, or log in with a 
pre-existing pass) or go to our SecureW2 onboarding URL.

Frank Sweetser
Director of Network Operations
Worcester Polytechnic Institute
"For every problem, there is a solution that is simple, elegant, and wrong." - 
HL Mencken

-----Original Message-----
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Chris Ressel
Sent: Tuesday, October 13, 2020 6:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and Cert 
Verification

I am curious, for those who are onboarding, how are clients provided restricted 
connectivity to download the onboarding installer/agent (secureW2, CAT, etc)? 
Do you have a provisioning SSID? Do you ask users to join your guest network? 
From a user experience perspective, I think it is unreasonable to assume that 
users will have some sort of fall back connectivity that will allow them to 
visit a download source so I am curious what has been successful for others. 

Cheers,
Chris 

On 10/13/20, 11:37 AM, "The EDUCAUSE Wireless Issues Community Group Listserv 
on behalf of Hunter Fuller"  wrote:

On Tue, Oct 13, 2020 at 1:26 PM Fishel Erps
<0030ecf871d2-dmarc-requ...@listserv.educause.edu> wrote:
> So the issue with advance certificate onboarding is that it requires a
> process in advance that most students would have issues with.

I just want to make sure you understand that the alternative is the
ability to impersonate the user on the network with little effort.
Did you select "Do not validate" on your Android device? Then as long
as I am within a few feet of you, or have line of sight, I can get
your AD password. That's it!
How? I can just broadcast an SSID with the same name as your
institution's network, and use a directional antenna to ensure I am
the loudest AP so you will try to associate to me. My certificate is
totally bunk, but your device doesn't care, so it will just blast your
AD password directly to my laptop.
We don't even have to be on your campus for me to do this. And, I
don't even have to know your username, you will provide me with that
too, without your knowledge or intervention.

> It doesn’t work well with BYOD clients that have dynamic VLAN placement
> based on returned filter-IDs from a RADIUS/NPS server.

This hasn't been our experience. We place users based on their
username. However, we are using PEAP.

> Most vendors walk you through a quick and dirty setup of NPS for 802.1x
> auth and VLAN placement, and therefore, they are interested in simple auth at
> the expense of security.  However, with Android 11 (and possibly a bit further
> back), that bypass of “don’t validate”, etc, isn’t an option.

I am guessing this is deliberate.

I get the temptation to not validate, I do. Android has the worst
onboarding options of any mainstream OS right now, and it's
embarrassing they haven't fixed it. But this is a step in the right
direction, painful as it might be.


--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunitydata=02%7C01%7Cfs%40WPI.EDU%7C7f69e4c7e1064cc703f108d86fca6d77%7C589c76f5ca1541f9884b55ec15a0672a%7C0%7C0%7C637382262495271694sdata=te%2B%2BZjXsbS8faWX1xv93LuXWGK2aGeXiBpj2wHjPneg%3Dreserved=0



Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and Cert Verification

2020-10-13 Thread Chris Ressel
I am curious, for those who are onboarding, how are clients provided restricted 
connectivity to download the onboarding installer/agent (secureW2, CAT, etc)? 
Do you have a provisioning SSID? Do you ask users to join your guest network? 
From a user experience perspective, I think it is unreasonable to assume that 
users will have some sort of fall back connectivity that will allow them to 
visit a download source so I am curious what has been successful for others. 

Cheers,
Chris 

On 10/13/20, 11:37 AM, "The EDUCAUSE Wireless Issues Community Group Listserv 
on behalf of Hunter Fuller"  wrote:

On Tue, Oct 13, 2020 at 1:26 PM Fishel Erps
<0030ecf871d2-dmarc-requ...@listserv.educause.edu> wrote:
> So the issue with advance certificate onboarding is that it requires a
> process in advance that most students would have issues with.

I just want to make sure you understand that the alternative is the
ability to impersonate the user on the network with little effort.
Did you select "Do not validate" on your Android device? Then as long
as I am within a few feet of you, or have line of sight, I can get
your AD password. That's it!
How? I can just broadcast an SSID with the same name as your
institution's network, and use a directional antenna to ensure I am
the loudest AP so you will try to associate to me. My certificate is
totally bunk, but your device doesn't care, so it will just blast your
AD password directly to my laptop.
We don't even have to be on your campus for me to do this. And, I
don't even have to know your username, you will provide me with that
too, without your knowledge or intervention.

> It doesn’t work well with BYOD clients that have dynamic VLAN placement
> based on returned filter-IDs from a RADIUS/NPS server.

This hasn't been our experience. We place users based on their
username. However, we are using PEAP.

> Most vendors walk you through a quick and dirty setup of NPS for 802.1x
> auth and VLAN placement, and therefore, they are interested in simple auth at
> the expense of security.  However, with Android 11 (and possibly a bit further
> back), that bypass of “don’t validate”, etc, isn’t an option.

I am guessing this is deliberate.

I get the temptation to not validate, I do. Android has the worst
onboarding options of any mainstream OS right now, and it's
embarrassing they haven't fixed it. But this is a step in the right
direction, painful as it might be.


--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering



RE: Aruba 8.7 code.

2020-10-13 Thread Cody Ensanian
We went from 8.5.0.5 to 8.7.0.0 a few weeks ago (dual-MD cluster). After APs 
pulled their new image, they could not find the controllers (via the usual dns 
/ resolving aruba-master). 1600 APs across campus down - just great. A quick 
band-aid fix was to push the master IP via dhcp scope option 43. Colleague of 
mine has the TAC case open, but it sounds like a bug in the 8.7.0.0 code, with 
a fix coming in 8.7.1.x. Other than that (huge) issue, nothing major has come 
up (yet).

--cody

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Kevin Grover
Sent: Tuesday, October 13, 2020 3:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba 8.7 code.

Greetings:

We got some AP-575's not realizing they needed 8.7 code.  Anyone running 8.7 in 
production?   Any issues?  We are running it on a stand-alone controller with 
the AP-575 attached to it, but it is causing issues when the client jumps 
between the stand-alone controller and the main cluster running 8.5.0.10.

Thanks

Kevin Grover
Network Team Manager
Utah State University
435-797-2401





RE: Aruba 8.7 code.

2020-10-13 Thread Floyd, Brad
Kevin,
What type of problems is it causing? I suspect a wireless device IP change and 
a hard roam. What does your architecture look like (AP-575 vs non-575)?
Thanks,
Brad

From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Kevin Grover
Sent: Tuesday, October 13, 2020 4:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba 8.7 code.



Greetings:

We got some AP-575's not realizing they needed 8.7 code.  Anyone running 8.7 in 
production?   Any issues?  We are running it on a stand-alone controller with 
the AP-575 attached to it, but it is causing issues when the client jumps 
between the stand-alone controller and the main cluster running 8.5.0.10.

Thanks

Kevin Grover
Network Team Manager
Utah State University
435-797-2401





Aruba 8.7 code.

2020-10-13 Thread Kevin Grover
Greetings:

We got some AP-575’s not realizing they needed 8.7 code.  Anyone running 8.7 in 
production?   Any issues?  We are running it on a stand-alone controller with 
the AP-575 attached to it, but it is causing issues when the client jumps 
between the stand-alone controller and the main cluster running 8.5.0.10.

Thanks

Kevin Grover
Network Team Manager
Utah State University
435-797-2401





Re: [External] Re: [WIRELESS-LAN] Android 11 and Cert Verification

2020-10-13 Thread Hunter Fuller
On Tue, Oct 13, 2020 at 1:26 PM Fishel Erps
<0030ecf871d2-dmarc-requ...@listserv.educause.edu> wrote:
> So the issue with advance certificate onboarding is that it requires a 
> process in advance that most students would have issues with.

I just want to make sure you understand that the alternative is the
ability to impersonate the user on the network with little effort.
Did you select "Do not validate" on your Android device? Then as long
as I am within a few feet of you, or have line of sight, I can get
your AD password. That's it!
How? I can just broadcast an SSID with the same name as your
institution's network, and use a directional antenna to ensure I am
the loudest AP so you will try to associate to me. My certificate is
totally bunk, but your device doesn't care, so it will just blast your
AD password directly to my laptop.
We don't even have to be on your campus for me to do this. And, I
don't even have to know your username, you will provide me with that
too, without your knowledge or intervention.

> It doesn’t work well with BYOD clients that have dynamic VLAN placement based 
> on returned filter-IDs from a RADIUS/NPS server.

This hasn't been our experience. We place users based on their
username. However, we are using PEAP.

> Most vendors walk you through a quick and dirty setup of NPS for 802.1x auth 
> and VLAN placement, and therefore, they are interested in simple auth at the 
> expense of security.  However, with Android 11 (and possibly a bit further 
> back), that bypass of “don’t validate”, etc, isn’t an option.

I am guessing this is deliberate.

I get the temptation to not validate, I do. Android has the worst
onboarding options of any mainstream OS right now, and it's
embarrassing they haven't fixed it. But this is a step in the right
direction, painful as it might be.


--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering
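
The condition this message and Tim Cappalli's reply both turn on, whether the supplicant has a trust anchor and an expected server name for the EAP server, can be audited on clients that use wpa_supplicant-style profiles. This is an added example, not part of any list message; the SSIDs, realm, file paths and function names are constructed placeholders.

```python
"""Audit wpa_supplicant-style network blocks for missing EAP server validation."""

# Constructed sample configuration; every SSID, name and path is a placeholder.
SAMPLE_CONF = """
ctrl_interface=/run/wpa_supplicant

# Equivalent of choosing "Do not validate": no CA, no server name.
network={
    ssid="ExampleU-Secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.edu"
    password="not-a-real-password"
    phase2="auth=MSCHAPV2"
}

# CA is trusted, but any server name issued under that CA is accepted
# (matters most when the CA is a public one).
network={
    ssid="ExampleU-CAonly"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-root.pem"
    phase2="auth=MSCHAPV2"
}

# Trusted CA plus expected RADIUS server name.
network={
    ssid="ExampleU-Pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-root.pem"
    domain_suffix_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}

# Open onboarding/guest SSID: no 802.1X, nothing to validate.
network={
    ssid="ExampleU-Guest"
    key_mgmt=NONE
}
"""

# wpa_supplicant options that constrain the name in the server certificate.
NAME_KEYS = ("domain_suffix_match", "domain_match",
             "altsubject_match", "subject_match")


def parse_networks(text):
    """Return one dict of key -> value per network={...} block.

    Simplification: only whole-line '#' comments are recognised.
    """
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def uses_8021x(net):
    """True when the profile will run an EAP exchange."""
    tokens = net.get("key_mgmt", "").split()
    return "eap" in net or any(
        t == "IEEE8021X" or t.startswith("WPA-EAP") for t in tokens)


def audit_network(net):
    """Classify one profile as SKIP, FAIL, WARN or OK, with a short reason."""
    if not uses_8021x(net):
        return "SKIP", "no 802.1X/EAP on this network"
    ca = net.get("ca_cert", "")
    if ca.startswith("hash://server/sha256/"):
        return "OK", "server certificate pinned by hash"
    has_anchor = bool(ca or net.get("ca_path"))
    has_name = any(net.get(k) for k in NAME_KEYS)
    if not has_anchor:
        # A name check without a trust anchor proves nothing: anyone can
        # put any name in a self-signed certificate.
        return "FAIL", "no trust anchor: any server certificate is accepted"
    if not has_name:
        return "WARN", "CA trusted but server name not checked"
    return "OK", "trust anchor and expected server name configured"


def audit_config(text):
    """Return (ssid, status, reason) for every network block in the text."""
    return [(n.get("ssid", "<unnamed>"),) + audit_network(n)
            for n in parse_networks(text)]


if __name__ == "__main__":
    for ssid, status, reason in audit_config(SAMPLE_CONF):
        print(f"{status:4} {ssid}: {reason}")
```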



Re: [WIRELESS-LAN] Android 11 and Cert Verification

2020-10-13 Thread Tim Cappalli
Just want to make sure it’s clear that configuring a trusted CA for EAP server 
identity and properly configuring the supplicant is not the same as enrolling a 
device with a client certificate.

Regarding simplicity at the expense of security: I’d ask why you don’t tell 
students, faculty and staff to disable all certificate validation in their 
browser so that you don’t have to purchase public CA-issued server certificates 
for your web servers, because it is easy (and free)? 

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Tuesday, October 13, 2020 at 14:27
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification
Tim, et al,

So the issue with advance certificate onboarding is that it requires a process 
in advance that most students would have issues with. Issuing certs in advance 
is more of a process for company-owned devices.  It doesn’t work well with BYOD 
clients that have dynamic VLAN placement based on returned filter-IDs from a 
RADIUS/NPS server.

Most vendors walk you through a quick and dirty setup of NPS for 802.1x auth 
and VLAN placement, and therefore, they are interested in simple auth at the 
expense of security.  However, with Android 11 (and possibly a bit further 
back), that bypass of “don’t validate”, etc, isn’t an option.

To have a proper cert setup get pushed out to the client, there needs to be a 
more complex setup on the backend than is originally thought.

My server and AD team is actively working on this.  This article is a good 
place to start, and it has links to other portions of the setup.  I hope this 
helps.  I’ll try to let everyone know how it works out when we are done.

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-requirements


__
__


Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts

136 W 21st St., 8th Floor

New York, NY, 10011

LL: 212-592-2416
E:  fe...@sva.edu
___

Please excuse any typographical
errors as this e-mail has been sent
from my mobile device
___




On Oct 13, 2020, at 14:00, Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
 wrote:

Just do a quick Google search and you’ll see how many situations instruct users 
to not validate the server identity (across many operating systems).

It is (and has always been) the #1 problem with legacy credentials/auth methods 
with tunneled EAP.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, October 13, 2020 at 13:59
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification
I too am also interested.

Michael Catania
Sr. Network Analyst
Information Technology Services
Loyola University Chicago
P: 773.508.3712| E: mcata...@luc.edu

From: Gray, Sean
Sent: Tuesday, October 13, 2020 12:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Hi Philippe,

Thanks for sharing.

I’m interested to know if there are any higher Ed institutes out there that 
don’t onboard clients and push the necessary certs out? How will you be 
handling this change?

Thanks

Sean

Sean Gray | B.Sc (Hons)
Voice, Collaboration & Wireless Network Analyst
ITS, University of Lethbridge

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Philippe Hanset
Sent: October 13, 2020 11:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Android 11 and Cert Verification


It might have been mentioned on this list before.
With this one, repetition might not be a bad idea…

[PSA] Android 11's December security update will remove the ability to disable 
EAP server cert validation


Re: [WIRELESS-LAN] Android 11 and Cert Verification

2020-10-13 Thread Fishel Erps
Tim, et al,

So the issue with advance certificate onboarding is that it requires a
process in advance that most students would have issues with. Issuing certs
in advance is more of a process for company-owned devices.  It doesn’t work
well with BYOD clients that have dynamic VLAN placement based on returned
filter-IDs from a RADIUS/NPS server.

Most vendors walk you through a quick and dirty setup of NPS for 802.1x
auth and VLAN placement, and therefore, they are interested in simple auth
at the expense of security.  However, with Android 11 (and possibly a bit
further back), that bypass of “don’t validate”, etc, isn’t an option.

To have a proper cert setup get pushed out to the client, there needs to be
a more complex setup on the backend than is originally thought.

My server and AD team is actively working on this.  This article is a good
place to start, and it has links to other portions of the setup.  I hope
this helps.  I’ll try to let everyone know how it works out when we are
done.

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-requirements


__
__

Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts
136 W 21st St., 8th Floor

New York, NY, 10011

LL: 212-592-2416
E:  fe...@sva.edu
___

Please excuse any typographical
errors as this e-mail has been sent
from my mobile device
___


On Oct 13, 2020, at 14:00, Tim Cappalli <
0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:



Just do a quick Google search and you’ll see how many situations instruct
users to not validate the server identity (across many operating systems).



It is (and has always been) the #1 problem with legacy credentials/auth
methods with tunneled EAP.



tim



*From: *The EDUCAUSE Wireless Issues Community Group Listserv <
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
*Date: *Tuesday, October 13, 2020 at 13:59
*To: *WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
*Subject: *Re: [WIRELESS-LAN] Android 11 and Cert Verification

I too am also interested.



*Michael Catania*

Sr. Network Analyst

Information Technology Services

Loyola University Chicago

P: 773.508.3712| E: mcata...@luc.edu



*From: *Gray, Sean 
*Sent: *Tuesday, October 13, 2020 12:57 PM
*To: *WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject: *Re: [WIRELESS-LAN] Android 11 and Cert Verification



Hi Philippe,



Thanks for sharing.



I’m interested to know if there are any higher Ed institutes out there that
don’t onboard clients and push the necessary certs out? How will you be
handling this change?



Thanks



Sean



*Sean Gray* | B.Sc (Hons)

Voice, Collaboration & Wireless Network Analyst

ITS, University of Lethbridge



*From:* The EDUCAUSE Wireless Issues Community Group Listserv <
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Philippe Hanset
*Sent:* October 13, 2020 11:23 AM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* [WIRELESS-LAN] Android 11 and Cert Verification






It might have been mentioned on this list before.

With this one, repetition might not be a bad idea…



[PSA] Android 11's December security update will remove the ability to
disable EAP server cert validation



https://www.reddit.com/r/networking/comments/j7ero1/psa_android_11s_december_security_update_will/






Best,



Philippe



Philippe Hanset, CEO
www.anyroam.net

Operator of eduroam-US







Re: [WIRELESS-LAN] Android 11 and Cert Verification

2020-10-13 Thread Tim Cappalli
*organizations, not situations.

From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Tuesday, October 13, 2020 at 14:00
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification
Just do a quick Google search and you’ll see how many situations instruct users 
to not validate the server identity (across many operating systems).

It is (and has always been) the #1 problem with legacy credentials/auth methods 
with tunneled EAP.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Tuesday, October 13, 2020 at 13:59
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification
I too am also interested.

Michael Catania
Sr. Network Analyst
Information Technology Services
Loyola University Chicago
P: 773.508.3712| E: mcata...@luc.edu

From: Gray, Sean
Sent: Tuesday, October 13, 2020 12:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Hi Philippe,

Thanks for sharing.

I’m interested to know if there are any higher Ed institutes out there that 
don’t onboard clients and push the necessary certs out? How will you be 
handling this change?

Thanks

Sean

Sean Gray | B.Sc (Hons)
Voice, Collaboration & Wireless Network Analyst
ITS, University of Lethbridge

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Philippe Hanset
Sent: October 13, 2020 11:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Android 11 and Cert Verification


It might have been mentioned on this list before.
With this one, repetition might not be a bad idea…

[PSA] Android 11's December security update will remove the ability to disable 
EAP server cert validation

https://www.reddit.com/r/networking/comments/j7ero1/psa_android_11s_december_security_update_will/


Best,

Philippe

Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US







Re: [WIRELESS-LAN] Android 11 and Cert Verification

2020-10-13 Thread Tim Cappalli
Just do a quick Google search and you’ll see how many situations instruct users 
to not validate the server identity (across many operating systems).

It is (and has always been) the #1 problem with legacy credentials/auth methods 
with tunneled EAP.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Tuesday, October 13, 2020 at 13:59
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification
I too am also interested.

Michael Catania
Sr. Network Analyst
Information Technology Services
Loyola University Chicago
P: 773.508.3712| E: mcata...@luc.edu

From: Gray, Sean
Sent: Tuesday, October 13, 2020 12:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Hi Philippe,

Thanks for sharing.

I’m interested to know if there are any higher Ed institutes out there that 
don’t onboard clients and push the necessary certs out? How will you be 
handling this change?

Thanks

Sean

Sean Gray | B.Sc (Hons)
Voice, Collaboration & Wireless Network Analyst
ITS, University of Lethbridge

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Philippe Hanset
Sent: October 13, 2020 11:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Android 11 and Cert Verification


It might have been mentioned on this list before.
With this one, repetition might not be a bad idea…

[PSA] Android 11's December security update will remove the ability to disable 
EAP server cert validation

https://www.reddit.com/r/networking/comments/j7ero1/psa_android_11s_december_security_update_will/


Best,

Philippe

Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US






RE: [WIRELESS-LAN] Android 11 and Cert Verification

2020-10-13 Thread Catania, Michael
I too am also interested.

Michael Catania
Sr. Network Analyst
Information Technology Services
Loyola University Chicago
P: 773.508.3712| E: mcata...@luc.edu

From: Gray, Sean
Sent: Tuesday, October 13, 2020 12:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Hi Philippe,

Thanks for sharing.

I’m interested to know if there are any higher Ed institutes out there that 
don’t onboard clients and push the necessary certs out? How will you be 
handling this change?

Thanks

Sean

Sean Gray | B.Sc (Hons)
Voice, Collaboration & Wireless Network Analyst
ITS, University of Lethbridge

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Philippe Hanset
Sent: October 13, 2020 11:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Android 11 and Cert Verification


It might have been mentioned on this list before.
With this one, repetition might not be a bad idea…

[PSA] Android 11's December security update will remove the ability to disable 
EAP server cert validation

https://www.reddit.com/r/networking/comments/j7ero1/psa_android_11s_december_security_update_will/


Best,

Philippe

Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US






RE: [WIRELESS-LAN] Android 11 and Cert Verification

2020-10-13 Thread Gray, Sean
Hi Philippe,

Thanks for sharing.

I’m interested to know if there are any higher Ed institutes out there that 
don’t onboard clients and push the necessary certs out? How will you be 
handling this change?

Thanks

Sean

Sean Gray | B.Sc (Hons)
Voice, Collaboration & Wireless Network Analyst
ITS, University of Lethbridge

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Philippe Hanset
Sent: October 13, 2020 11:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Android 11 and Cert Verification


It might have been mentioned on this list before.
With this one, repetition might not be a bad idea…

[PSA] Android 11's December security update will remove the ability to disable 
EAP server cert validation

https://www.reddit.com/r/networking/comments/j7ero1/psa_android_11s_december_security_update_will/


Best,

Philippe

Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US







Android 11 and Cert Verification

2020-10-13 Thread Philippe Hanset
It might have been mentioned on this list before.
With this one, repetition might not be a bad idea…

[PSA] Android 11's December security update will remove the ability to disable 
EAP server cert validation

https://www.reddit.com/r/networking/comments/j7ero1/psa_android_11s_december_security_update_will/


Best,

Philippe

Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US





