Thanks all. If you're doing PEAP / MSCHAPv2, are you expecting some users to stumble through the process? Or do you somehow encourage all users to use the onboarding tool? Obviously the tool would be required if you're going down the EAP-TLS path.
Norman On Wed, Aug 8, 2018 at 7:35 AM Osborne, Bruce W (Network Operations) <bosbo...@liberty.edu> wrote: > > We changed onboarding tools for non-AD devices to SecureW2 last September and > have been more than happy with their service & support. > > They tend to officially support OS versions before official release, which > can be useful in a Higher-Ed environment. > > Bruce Osborne > Liberty University > > -----Original Message----- > From: Norman Elton [mailto:normel...@gmail.com] > Sent: Tuesday, August 7, 2018 3:25 PM > Subject: Onboarding Android devices > > We've got an encrypted network with the classic PEAP + MSCHAPv2 combo, > allowing users to connect with their domain credentials. We've shied away > from onboarding tools like SecureW2, especially for student devices, as they > seem more cumbersome than just having the user configure the connection > properly the first time. > > Preparing for the fall, we've noticed that recent versions of Android make > the process a little more cumbersome. It appears that 8.1 & 9.0 allow the > user to validate the certificate by domain, which is great. > Although the steps to get this setup are far from intuitive. > > 8.0 doesn't give that option, instead displaying a scary warning, "This > connection will not be secure". The user is forced to go ahead with "do not > validate certificate", leaving them open to leak their credentials to a rogue > AP. Far from ideal. > > Theoretically, we could ask the user to trust the CA certificate in advance, > and (hopefully) the warning message would go away. But I haven't gotten this > to work. > > Is there a general consensus that these devices are better served with an > onboarding tool that can accommodate the various flavors of Android? Or is > there a recipe for a user to setup 802.1x securely (with some sort of > certificate validation) on Android devices pre-8.1? > > Thanks, > > Norman Elton > > ********** > Participation and subscription information for this EDUCAUSE Constituent > Group discussion list can be found at http://www.educause.edu/discuss. > > ********** > Participation and subscription information for this EDUCAUSE Constituent > Group discussion list can be found at http://www.educause.edu/discuss. > ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
