RE: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
Side-Note that I wanted to mention about the wlan profiles in Android 10 and Android 11. At least in several of the devices I've had, there's a GUI defect where if you view a saved WLAN Profile – it’ll appear that the certificate settings have reverted back to “System Settings” – which can be a nuisance for two reasons. One being no visual distinction for end user that the profile is actually enforcing CA restrictions or the perception that the wlan profile isn’t configured correctly - https://issuetracker.google.com/issues/157535154

Christopher Johnson
Wireless Network Engineer
Office of Technology Solutions | Illinois State University
(309) 438-8444

-----Original Message-----
From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Hunter Fuller
Sent: Tuesday, September 22, 2020 1:35 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

Tim,

We use CAT but we had to develop those instructions because CAT on Android is very, very difficult for non-technical users. I guess we will have to revise them.

Unfortunately it does not appear that the OP's institution is a member of eduroam, so CAT won't help them in any case.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

Re: [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
Tim,

We use CAT but we had to develop those instructions because CAT on Android is very, very difficult for non-technical users. I guess we will have to revise them.

Unfortunately it does not appear that the OP's institution is a member of eduroam, so CAT won't help them in any case.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Tue, Sep 22, 2020 at 1:22 PM Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> You can only install a CA from inside the Settings now to prevent users from unintentionally installing a malicious root.
>
> Assuming you don't have a commercial supplicant provisioning platform, why not just use the CAT tool?
>
> tim

Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
You can only install a CA from inside the Settings now to prevent users from unintentionally installing a malicious root.

Assuming you don't have a commercial supplicant provisioning platform, why not just use the CAT tool?

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Hunter Fuller
Sent: Tuesday, September 22, 2020 14:15
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

Try these instructions. We had one Android 11 user report that they work. You will obviously need a copy of your institution's certificate.

https://uah.teamdynamix.com/TDClient/2075/Portal/KB/ArticleDet?ID=84342

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Tue, Sep 22, 2020 at 12:10 PM Fishel Erps <0030ecf871d2-dmarc-requ...@listserv.educause.edu> wrote:
>
> Tim,
>
> We use:
>
> EAP Method = PEAP
> Phase 2 = MSCHAPv2
> CA Certificate = Unspecified
> Identity = [username]
> Password = [password]
>
> The credentials trigger the return of a filter-ID from the RADIUS server to the controller, which the controller then uses to put the user into a VLAN.
>
> Some Android devices that are running version 11 no longer have an option of “unspecified” under CA Certificate, and none of the other choices seem to work.
>
> Fishel Erps,
> Sr. Network & Infrastructure Engineer
> School of Visual Arts
> 136 W 21st St., 8th Floor
> New York, NY, 10011
> LL: 212-592-2416
> E: fe...@sva.edu
>
> On Sep 22, 2020, at 12:04, Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> Can you please provide some basic details?
>
> What exactly is "broken"?
> Which EAP method?
> Which credential type?
> How is/was the supplicant provisioned?
> Are only new devices affected or just upgraded devices?
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Fishel Erps <0030ecf871d2-dmarc-requ...@listserv.educause.edu>
> Sent: Tuesday, September 22, 2020 12:02
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Android 11 and WPA-Enterprise
>
> Hi,
>
> v11 seems to have broken credential authentication for RADIUS and WPA2-Enterprise/802.1x.
>
> Has anyone found a workaround?
>
> **
> Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
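
An added example, not part of the thread or written by any of its participants: a small audit that flags 802.1X profiles lacking server certificate validation, which is the condition that "CA Certificate = Unspecified" describes. It assumes profiles expressed in wpa_supplicant.conf syntax rather than the Android settings UI discussed above; the SSIDs, certificate path and RADIUS server name are constructed placeholders.

```python
import re

# Constructed sample profiles in wpa_supplicant.conf syntax (not from the thread).
# "campus-legacy" mirrors the posted settings: PEAP/MSCHAPv2 with no CA certificate.
SAMPLE_CONF = '''
network={
    ssid="campus-legacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user"
    password="placeholder"
}
network={
    ssid="campus-validated"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user"
    password="placeholder"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
}
'''

NAME_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match")

def parse_networks(text):
    """Return one dict of key -> unquoted value per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, flags=re.S):
        pairs = re.findall(r"^\s*([A-Za-z0-9_]+)=(.*?)\s*$", body, flags=re.M)
        nets.append({key: value.strip('"') for key, value in pairs})
    return nets

def audit(net):
    """List server-validation gaps for one 802.1X profile."""
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return []  # not an enterprise profile, nothing to check here
    findings = []
    if not net.get("ca_cert"):
        findings.append("no ca_cert: any server certificate is accepted")
    if not any(net.get(key) for key in NAME_KEYS):
        findings.append("no server name constraint on the RADIUS certificate")
    return findings

def audit_all(text):
    """Map each SSID to its list of findings (empty list means validated)."""
    return {net["ssid"]: audit(net) for net in parse_networks(text)}

if __name__ == "__main__":
    print(audit_all(SAMPLE_CONF))
```

A profile with no trust anchor sends the MSCHAPv2 exchange to whichever server answers for the SSID, so both findings need to be cleared before the credential is protected.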