Re: [External] Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
Fishel,

I'm no Tim, but I do have a fairly in-depth understanding of the mechanics at work regarding 802.1X server certificates, and my number is in my signature.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331
Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Wed, Sep 23, 2020 at 8:13 AM Fishel Erps <0030ecf871d2-dmarc-requ...@listserv.educause.edu> wrote:
> Tim,
>
> Do you have a few minutes for a phone call? Could you please send me a number where I can reach you?
Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
Tim,

Do you have a few minutes for a phone call? Could you please send me a number where I can reach you?

Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts
136 W 21st St., 8th Floor
New York, NY, 10011
LL: 212-592-2416
C: 347-539-6380
E: fe...@sva.edu

Please excuse any typographical errors as this e-mail has been sent from my mobile device

On Sep 23, 2020, at 09:09, Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
> You should avoid using a public CA issued web server certificate for an EAP server identity wherever possible.
>
> But to directly answer your question, yes, you'd select Use System Certificates and set the subject name.
Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
You should avoid using a public CA issued web server certificate for an EAP server identity wherever possible.

But to directly answer your question, yes, you'd select Use System Certificates and set the subject name.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Tariq Adnan <01e6b38f57b3-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, September 22, 2020, 22:04
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

> Hi Tim,
>
> How about choosing “use system certificate”, provided the CA cert is a valid public cert (QuoVadis CA) and in default certificate store of Android?
>
> Thanks,
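The profile described in this thread ("CA Certificate = Unspecified") and the reply above ("Use System Certificates and set the subject name") correspond to supplicant settings that can be checked mechanically. The following is an added example, not part of the thread: it audits network blocks in wpa_supplicant.conf syntax, which is an assumption (the thread only discusses the Android settings UI), and the SSIDs, paths, host name and finding codes are constructed.

```python
import re

# Constructed profiles in wpa_supplicant.conf syntax (not taken from the thread).
# "campus-legacy" mirrors the thread's PEAP/MSCHAPv2 profile with no CA selected;
# "campus-system-ca" trusts a whole CA directory but pins no server name.
SAMPLE_CONF = """
network={
    ssid="campus-legacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="username"
    password="example-only"
}
network={
    ssid="campus-system-ca"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="username"
    password="example-only"
    ca_path="/etc/ssl/certs"
}
network={
    ssid="campus-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="username"
    password="example-only"
    ca_cert="/etc/wifi/org-root-ca.pem"
    domain_suffix_match="radius.example.edu"
}
network={
    ssid="guest-psk"
    key_mgmt=WPA-PSK
    psk="example-only"
}
"""

NETWORK_RE = re.compile(r"network\s*=\s*\{(.*?)\n\s*\}", re.S)
# Any one of these ties the accepted certificate to a specific server name.
NAME_CHECKS = ("domain_suffix_match", "domain_match",
               "altsubject_match", "subject_match")


def parse_networks(text):
    """Return one dict of key -> value per network={...} block."""
    networks = []
    for body in NETWORK_RE.findall(text):
        fields = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks


def audit_network(net):
    """Return finding codes for an EAP profile, or None for non-EAP profiles."""
    uses_eap = "eap" in net or "EAP" in net.get("key_mgmt", "").upper()
    if not uses_eap:
        return None  # PSK/open profiles have no EAP server identity to validate
    findings = []
    if not (net.get("ca_cert") or net.get("ca_path")):
        # Without a trust anchor the server certificate is not verified at all.
        findings.append("no-trust-anchor")
    elif not any(net.get(key) for key in NAME_CHECKS):
        # Any certificate issued under the trusted CA(s) is accepted as the server.
        findings.append("no-server-name-match")
    if findings and "password" in net:
        # The inner password exchange runs with a server the client did not identify.
        findings.append("password-credential-exposed")
    return findings


def audit_config(text):
    """Map each EAP profile's SSID to its list of findings."""
    report = {}
    for net in parse_networks(text):
        result = audit_network(net)
        if result is not None:
            report[net.get("ssid", "<no ssid>")] = result
    return report


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF).items():
        print(ssid, "->", ", ".join(findings) or "ok")
```
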
Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
Tim,

Do you have time for a short phone call?

Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts

On Sep 22, 2020, at 15:13, Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
> Fishel - as an aside, if the configuration guidance to users has been to ignore the EAP server identity or configure their devices to not validate it and the credential used for Wi-Fi is their primary password, I highly recommend you issue an organization-wide password reset as all of those credentials may have been compromised.
RE: [WIRELESS-LAN] Android 11 and WPA-Enterprise
Hi Tim,

How about choosing “use system certificate”, provided the CA cert is a valid public cert (QuoVadis CA) and in default certificate store of Android?

Thanks,

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Fishel Erps
Sent: Wednesday, 23 September 2020 5:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

> Tim,
>
> Thank you. This was extremely helpful.
>
> Fishel Erps
Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
Tim,

Thank you. This was extremely helpful.

Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts

On Sep 22, 2020, at 15:13, Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
> Fishel - as an aside, if the configuration guidance to users has been to ignore the EAP server identity or configure their devices to not validate it and the credential used for Wi-Fi is their primary password, I highly recommend you issue an organization-wide password reset as all of those credentials may have been compromised.
Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
Fishel - as an aside, if the configuration guidance to users has been to ignore the EAP server identity or configure their devices to not validate it and the credential used for Wi-Fi is their primary password, I highly recommend you issue an organization-wide password reset as all of those credentials may have been compromised.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Felix Windt
Sent: Tuesday, September 22, 2020 15:10
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

> https://www.eduroam.org/configuration-assistant-tool-cat/
>
> thx,
> felix

**
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
https://www.eduroam.org/configuration-assistant-tool-cat/

thx,
felix

> From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Patrick Mauretti
> Date: Tuesday, September 22, 2020 at 3:02 PM
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
> Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
>
> Okay I’ll bite. What’s the CAT tool you mentioned? Link?
>
> -Patrick
RE: [WIRELESS-LAN] Android 11 and WPA-Enterprise
Okay I’ll bite. What’s the CAT tool you mentioned? Link?

-Patrick

> From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Floyd, Brad
> Sent: Tuesday, September 22, 2020 3:00 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
>
> Fishel,
>
> We have run into this on some versions of Android OS and the solution that works for us is to import our CA’s root certificate into the device. Once we import the root certificate and select it during the profile setup, the connection is established.
>
> Thanks,
> Brad
RE: [WIRELESS-LAN] Android 11 and WPA-Enterprise
Fishel,

We have run into this on some versions of Android OS and the solution that works for us is to import our CA’s root certificate into the device. Once we import the root certificate and select it during the profile setup, the connection is established.

Thanks,
Brad

> From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Fishel Erps
> Sent: Tuesday, September 22, 2020 12:10 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
>
> Tim,
>
> We use:
>
> EAP Method = PEAP
> Phase 2 = MSCHAPv2
> CA Certificate = Unspecified
> Identity = [username]
> Password = [password]
>
> The credentials trigger the return of a filter-ID from the RADIUS server to the controller, which the controller then uses to put the user into a VLAN.
>
> Some Android devices that are running version 11 no longer have an option of “unspecified” under CA Certificate, and none of the other choices seem to work.
RE: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
Side-Note that I wanted to mention about the wlan profiles in Android 10 and Android 11. At least in several of the devices I've had, there's a GUI defect where if you view a saved WLAN Profile – it’ll appear that the certificate settings have reverted back to “System Settings” – which can be a nuisance for two reasons. One being no visual distinction for end user that the profile is actually enforcing CA restrictions or the perception that the wlan profile isn’t configured correctly - https://issuetracker.google.com/issues/157535154

Christopher Johnson
Wireless Network Engineer
Office of Technology Solutions | Illinois State University
(309) 438-8444

> -Original Message-
> From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Hunter Fuller
> Sent: Tuesday, September 22, 2020 1:35 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
>
> Tim,
>
> We use CAT but we had to develop those instructions because CAT on Android is very, very difficult for non-technical users. I guess we will have to revise them. Unfortunately it does not appear that the OP's institution is a member of eduroam, so CAT won't help them in any case.
Re: [External] Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
Tim,

We use CAT but we had to develop those instructions because CAT on Android is very, very difficult for non-technical users. I guess we will have to revise them. Unfortunately it does not appear that the OP's institution is a member of eduroam, so CAT won't help them in any case.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Tue, Sep 22, 2020 at 1:22 PM Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
> You can only install a CA from inside the Settings now to prevent users from unintentionally installing a malicious root.
>
> Assuming you don't have a commercial supplicant provisioning platform, why not just use the CAT tool?
>
> tim
Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
You can only install a CA from inside the Settings now to prevent users from unintentionally installing a malicious root.

Assuming you don't have a commercial supplicant provisioning platform, why not just use the CAT tool?

tim

> From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Hunter Fuller
> Sent: Tuesday, September 22, 2020 14:15
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
>
> Try these instructions. We had one Android 11 user report that they work. You will obviously need a copy of your institution's certificate.
>
> https://uah.teamdynamix.com/TDClient/2075/Portal/KB/ArticleDet?ID=84342
Re: [External] Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
Try these instructions. We had one Android 11 user report that they work. You will obviously need a copy of your institution's certificate.

https://uah.teamdynamix.com/TDClient/2075/Portal/KB/ArticleDet?ID=84342

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Tue, Sep 22, 2020 at 12:10 PM Fishel Erps <0030ecf871d2-dmarc-requ...@listserv.educause.edu> wrote:
> Tim,
>
> We use:
>
> EAP Method = PEAP
> Phase 2 = MSCHAPv2
> CA Certificate = Unspecified
> Identity = [username]
> Password = [password]
>
> The credentials trigger the return of a filter-ID from the RADIUS server to the controller, which the controller then uses to put the user into a VLAN.
>
> Some Android devices that are running version 11 no longer have an option of “unspecified” under CA Certificate, and none of the other choices seem to work.
Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
Not validating the EAP server identity is not really a valid configuration. You need to properly configure the supplicant with a trust anchor and subject name.

> From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Fishel Erps <0030ecf871d2-dmarc-requ...@listserv.educause.edu>
> Sent: Tuesday, September 22, 2020 1:10:19 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
>
> Tim,
>
> We use:
>
> EAP Method = PEAP
> Phase 2 = MSCHAPv2
> CA Certificate = Unspecified
> Identity = [username]
> Password = [password]
>
> The credentials trigger the return of a filter-ID from the RADIUS server to the controller, which the controller then uses to put the user into a VLAN.
>
> Some Android devices that are running version 11 no longer have an option of “unspecified” under CA Certificate, and none of the other choices seem to work.
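The requirement stated in the reply above (a trust anchor plus a subject name), checked in code, as an added example that is not part of the original thread. It audits supplicant profiles written in wpa_supplicant.conf syntax; that syntax, the SSIDs, the certificate path and radius.example.edu are assumptions of this example, since the thread only discusses the Android settings screen.

```python
"""Audit 802.1X network blocks for server-identity validation settings."""

# Constructed sample in wpa_supplicant.conf syntax (assumption of this example).
# "campus-open-trust" mirrors the posted profile: PEAP + MSCHAPv2 with
# "CA Certificate = Unspecified". The next two add a trust anchor, then a
# subject name. Paths and host names are placeholders.
SAMPLE_CONF = """
network={
    ssid="campus-open-trust"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="username"
    password="password"
}
network={
    ssid="campus-anchor-only"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/example/campus-root.pem"
    identity="username"
    password="password"
}
network={
    ssid="campus-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/example/campus-root.pem"
    domain_suffix_match="radius.example.edu"
    identity="username"
    password="password"
}
network={
    ssid="guest-psk"
    key_mgmt=WPA-PSK
    psk="constructed passphrase"
}
"""

# Settings that give the supplicant a trust anchor (CA file or CA directory).
TRUST_ANCHOR_KEYS = ("ca_cert", "ca_path")
# Settings that constrain which server certificate name is accepted.
SUBJECT_KEYS = ("domain_match", "domain_suffix_match",
                "altsubject_match", "subject_match")

VERDICTS = {
    "not-802.1X": "no EAP in use, nothing to validate",
    "no-trust-anchor": "server certificate is not validated; phase 2 runs "
                       "with whichever server answers",
    "no-subject-name": "any certificate issued under the trusted CA is accepted",
    "ok": "trust anchor and subject name are both set",
}


def parse_networks(text):
    """Return one dict of settings per network={...} block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            # Split on the first "=" only: phase2="auth=MSCHAPV2" has two.
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def uses_8021x(net):
    """True when the block authenticates with EAP rather than a PSK."""
    key_mgmt = net.get("key_mgmt", "")
    return "eap" in net or "EAP" in key_mgmt or "IEEE8021X" in key_mgmt


def audit_network(net):
    """Classify how one block validates the EAP server identity."""
    if not uses_8021x(net):
        return "not-802.1X"
    if not any(net.get(k) for k in TRUST_ANCHOR_KEYS):
        return "no-trust-anchor"
    if not any(net.get(k) for k in SUBJECT_KEYS):
        return "no-subject-name"
    return "ok"


def audit(text):
    """Map each SSID in the configuration text to its verdict."""
    return {net.get("ssid", "<no ssid>"): audit_network(net)
            for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, verdict in audit(SAMPLE_CONF).items():
        print(f"{ssid:20} {verdict:16} {VERDICTS[verdict]}")
```
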
Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
Tim,

We use:

EAP Method = PEAP
Phase 2 = MSCHAPv2
CA Certificate = Unspecified
Identity = [username]
Password = [password]

The credentials trigger the return of a filter-ID from the RADIUS server to the controller, which the controller then uses to put the user into a VLAN.

Some Android devices that are running version 11 no longer have an option of “unspecified” under CA Certificate, and none of the other choices seem to work.

Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts
136 W 21st St., 8th Floor
New York, NY, 10011
LL: 212-592-2416
E: fe...@sva.edu

Please excuse any typographical errors as this e-mail has been sent from my mobile device

On Sep 22, 2020, at 12:04, Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:

Can you please provide some basic details?

- What exactly is "broken"?
- Which EAP method?
- Which credential type?
- How is/was the supplicant provisioned?
- Are only new devices affected or just upgraded devices?

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Fishel Erps <0030ecf871d2-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, September 22, 2020 12:02
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Android 11 and WPA-Enterprise

Hi,

v11 seems to have broken credential authentication for RADIUS and WPA2-Enterprise/802.1x. Has anyone found a workaround?

Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts
136 W 21st St., 8th Floor
New York, NY, 10011
LL: 212-592-2416
C: 347-539-6380
E: fe...@sva.edu

Please excuse any typographical errors as this e-mail has been sent from my mobile device
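Added example, not part of the original thread: a small audit of the supplicant settings listed in the message above, showing why "CA Certificate = Unspecified" and "Use System Certificates" without a domain both leave the RADIUS server's identity unchecked. The profile keys and `radius.example.edu` are hypothetical; the label-wise suffix comparison follows what wpa_supplicant documents for `domain_suffix_match`, and treating Android's Domain field the same way is an assumption.

```python
# Added example: audit a PEAP supplicant profile for server-certificate checks.
# Keys such as "ca_certificate" and "domain" are hypothetical labels for the
# settings quoted in the message above; they are not an Android API.

def suffix_match(required, cert_name):
    """Label-wise suffix match: all labels of `required` must end `cert_name`;
    the certificate name may carry extra sub-level labels."""
    want = required.lower().rstrip(".").split(".")
    have = cert_name.lower().rstrip(".").split(".")
    return len(have) >= len(want) and have[-len(want):] == want

def server_name_ok(required, san_dns, subject_cn=None):
    """Match against SAN dNSName entries; use the CN only when there are none."""
    names = san_dns if san_dns else ([subject_cn] if subject_cn else [])
    return any(suffix_match(required, name) for name in names)

def audit_profile(profile):
    """Return findings (list of str) for one supplicant profile dict."""
    findings = []
    ca = (profile.get("ca_certificate") or "unspecified").lower()
    domain = profile.get("domain") or ""
    if ca in ("unspecified", "do not validate"):
        findings.append("no CA: the server certificate is never validated")
    elif ca == "use system certificates" and not domain:
        findings.append("system CAs without a domain: any certificate issued "
                        "by any trusted public CA is accepted")
    if findings and profile.get("phase2") == "MSCHAPv2":
        findings.append("the MSCHAPv2 exchange is sent to a server whose "
                        "identity was not pinned")
    return findings

# Constructed sample profiles; radius.example.edu is a placeholder name.
THREAD_PROFILE = {"eap": "PEAP", "phase2": "MSCHAPv2",
                  "ca_certificate": "Unspecified", "domain": ""}
SYSTEM_NO_DOMAIN = dict(THREAD_PROFILE, ca_certificate="Use system certificates")
PINNED = dict(SYSTEM_NO_DOMAIN, domain="radius.example.edu")

if __name__ == "__main__":
    for label, prof in [("thread", THREAD_PROFILE),
                        ("system, no domain", SYSTEM_NO_DOMAIN),
                        ("system + domain", PINNED)]:
        print(label, "->", audit_profile(prof) or "ok")
    # Constructed certificate names for the pinned profile's domain check.
    print(server_name_ok(PINNED["domain"], ["radius.example.edu"]))
    print(server_name_ok(PINNED["domain"], ["radius.example.edu.example.net"]))
```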
Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise
Can you please provide some basic details?

* What exactly is "broken"?
* Which EAP method?
* Which credential type?
* How is/was the supplicant provisioned?
* Are only new devices affected or just upgraded devices?

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Fishel Erps <0030ecf871d2-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, September 22, 2020 12:02
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Android 11 and WPA-Enterprise

Hi,

v11 seems to have broken credential authentication for RADIUS and WPA2-Enterprise/802.1x. Has anyone found a workaround?

Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts
136 W 21st St., 8th Floor
New York, NY, 10011
LL: 212-592-2416
C: 347-539-6380
E: fe...@sva.edu

Please excuse any typographical errors as this e-mail has been sent from my mobile device