Hi Jamie,
In a Cisco WLC, client RUN state is derived from the association and authentication states; for any dot1x-authenticated WLAN the WLC will only forward or proxy DHCP requests once the auth state has been passed. If your clients are associated, i.e. connected but not authenticated, they won't get an IP address. You can check client auth state or debug them by running the following at the CLI (6th column below for auth state):

(WLC2-DCU) >show client summ

Number of Clients................................ 3

                                                                                     GLAN/
                                                                                     RLAN/
MAC Address       AP Name                        Slot Status        WLAN  Auth Protocol         Port Wired Tunnel  Role
----------------- ------------------------------ ---- ------------- ----- ---- ---------------- ---- ----- ------- ----------------
08:3d:88:57:29:be AP1810w_sandycove_44B8         0    Associated    17    Yes  802.11n(2.4 GHz) 13   No    No      Local
ac:5f:3e:c1:d9:11 AP1810w_sandycove_44B8         0    Associated    17    Yes  802.11n(2.4 GHz) 13   No    No      Local
f8:3f:51:3a:8d:92 AP1810w_sandycove_4690         1    Associated    17    Yes  802.11ac(5 GHz)  13   No    No      Local

Then run a “show client detail <mac_address>” and scroll down to look for EAP message timeouts or failures:

Number of Interim-Update Sent.............. 0
Number of EAP Id Request Msg Timeouts...... 0
Number of EAP Id Request Msg Failures...... 0
Number of EAP Request Msg Timeouts......... 0
Number of EAP Request Msg Failures......... 0
Number of EAP Key Msg Timeouts............. 1
Number of EAP Key Msg Failures............. 0
Number of Data Retries..................... 1220
Number of RTS Retries...................... 0
Number of Duplicate Received Packets....... 0
Number of Decrypt Failed Packets........... 0
Number of Mic Failured Packets............. 0
Number of Mic Missing Packets.............. 0
Number of RA Packets Dropped............... 0
Number of Policy Errors.................... 0
Radio Signal Strength Indicator............ -69 dBm
Signal to Noise Ratio...................... 26 dB

“debug aaa events enable” can also help.
Rgds
Carlo

On 11/09/2020, 21:25, "The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Floyd, Brad" <[email protected] on behalf of [email protected]> wrote:

Jamie,

Not getting an IP address (assuming no IP infrastructure / routing failure) could definitely be a result of a certificate failure during the 4-way handshake, therefore causing an 802.1X failure. I believe there is a particular step in the 4-way handshake that likely indicates a certificate failure, but I don't remember off the top of my head which one it is.

Thanks,
Brad

-----Original Message-----
From: The EDUCAUSE Wireless Issues Community Group Listserv [mailto:[email protected]] On Behalf Of Price, Jamie G
Sent: Friday, September 11, 2020 1:14 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] Article: Android 11 tightens restrictions on CA certificates

On our Cisco controllers, I see some devices "connected" and they should be issued a DHCP address in this network. They are not getting an IP address (0.0.0.0). Is this a symptom that they are not passing with the cert, thus failing 802.1x?

Thank you

-----Original Message-----
From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Higgins, Benjamin J
Sent: Friday, September 11, 2020 7:19 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] Article: Android 11 tightens restrictions on CA certificates

Can confirm that this "feature" has prevented SecureW2 from onboarding Android 11 devices to our network. While the app appears to *deliver* the certificates - they are in the drop-down when you edit the Wi-Fi profile - if you attempt to connect to the network it sits and spins. If you edit the profile again, you will find that the SecureW2-delivered certificate is no longer in the drop-down list. Only "Use system certificates" or "Do not validate" is there...
-----Original Message-----
From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Jonathan Waldrep
Sent: Friday, September 11, 2020 8:39 AM
To: [email protected]
Subject: [EXT] Re: [WIRELESS-LAN] Article: Android 11 tightens restrictions on CA certificates

On 2020-09-10 22:19:21, Johnson, Christopher wrote:
> This popped up in my news feed; that's going to affect the user experience even more for onboarding apps for those with private CAs, I'd imagine.
>
> https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fhttptoolkit.tech%2Fblog%2Fandroid-11-trust-ca-certificates&data=02%7C01%7Cbjhiggins%40WPI.EDU%7C5ac7d0e54c9043231cc208d8564faaa5%7C589c76f5ca1541f9884b55ec15a0672a%7C0%7C0%7C637354247483916966&sdata=OLv50t%2FT%2Fjj9eK1Dhj05DgE2YspIyuAKrdT5HIbpQs8%3D&reserved=0
>
> "In Android 11, to install a CA certificate, users need to manually:
>
> * Open settings
> * Go to 'Security'
> * Go to 'Encryption & Credentials'
> * Go to 'Install from storage'
> * Select 'CA Certificate' from the list of types available
> * Accept a large scary warning
> * Browse to the certificate file on the device and open it
> * Confirm the certificate install
>
> Applications and automation tools can send you to the general 'Security' settings page, but no further: from there the user must go alone (fiddly if not impossible with test automation tools)

tldr: I don't think this impacts certificates installed for Wi-Fi networks. They are handled differently. I would like someone who has experience with actually writing an on-boarding app to chime in, though.

Longer dive:

It is worth noting that when you manually install a CA in Android, it asks if you want to install it for "VPN and apps" or "Wi-Fi" (at least on Android 9, which is what I'm on). This indicates there is something different on the back end. From the article, it seems to stem from Google locking down the KeyChain.createInstallIntent() API method [1] in the android.security package.
Ultimately what we are after is setting up a wireless profile. How does that work? Well, there is an android.net.wifi package [2]. Let's look there. There is a WifiConfiguration class, but there is a note that it was deprecated in API level 29 (Android 10), and to use WifiNetworkSpecifier.Builder instead [3]. The article is specifically about Android 11, so we don't care about older versions. In the WifiNetworkSpecifier.Builder class, there is a public method setWpa2EnterpriseConfig(WifiEnterpriseConfig enterpriseConfig). So we need a WifiEnterpriseConfig class [4]. The WifiEnterpriseConfig class has a method setCaCertificate(X509Certificate cert) [5] which, as you may have guessed, is used to "Specify a X.509 certificate that identifies the server." This takes an X509Certificate class, which is part of the java.security.cert package. We should be able to provide that irrespective of what Android does.

That is all good in theory, but what does an actual onboarding app do? The only open source one I'm aware of is eduroamCAT [6]. It seems to have issues with Android 10 [7], so it may not be the best example, but it's what I can find. A quick grep of the repository for "createInstallIntent" returns no hits. That's a good sign. Similarly, a grep for "setCaCertificate" has a hit in src/uk/ac/swansea/eduroamcat/WifiConfigAPI18.java. So it looks like eduroamCAT needs to be updated for API level 29, but it doesn't use the problematic method from the article (which was added in API level 14).
[1] https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdeveloper.android.com%2Freference%2Fandroid%2Fsecurity%2FKeyChain%23createInstallIntent&data=02%7C01%7Cbjhiggins%40WPI.EDU%7C5ac7d0e54c9043231cc208d8564faaa5%7C589c76f5ca1541f9884b55ec15a0672a%7C0%7C0%7C637354247483916966&sdata=rX0467d89iKWgBXyy05YvtLHWjeGdXayJWCpG25DQug%3D&reserved=0()
[2] https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdeveloper.android.com%2Freference%2Fandroid%2Fnet%2Fwifi%2Fpackage-summary&data=02%7C01%7Cbjhiggins%40WPI.EDU%7C5ac7d0e54c9043231cc208d8564faaa5%7C589c76f5ca1541f9884b55ec15a0672a%7C0%7C0%7C637354247483916966&sdata=BBaurXtPgq9H9CG8bG79Gln5Wd8OCBVTd5g4GDcOdks%3D&reserved=0
[3] https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdeveloper.android.com%2Freference%2Fandroid%2Fnet%2Fwifi%2FWifiNetworkSpecifier.Builder&data=02%7C01%7Cbjhiggins%40WPI.EDU%7C5ac7d0e54c9043231cc208d8564faaa5%7C589c76f5ca1541f9884b55ec15a0672a%7C0%7C0%7C637354247483916966&sdata=Uw8xu4AG%2BLonAyH0QYZfZEcknGkxsyFyff9TmomHe%2Bk%3D&reserved=0
[4] https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdeveloper.android.com%2Freference%2Fandroid%2Fnet%2Fwifi%2FWifiEnterpriseConfig&data=02%7C01%7Cbjhiggins%40WPI.EDU%7C5ac7d0e54c9043231cc208d8564faaa5%7C589c76f5ca1541f9884b55ec15a0672a%7C0%7C0%7C637354247483916966&sdata=KfWGfYrmVfo3fRHWuZgovkaF1v%2BuVRFw42MUCkv3WX4%3D&reserved=0
[5] https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdeveloper.android.com%2Freference%2Fandroid%2Fnet%2Fwifi%2FWifiEnterpriseConfig%23setCaCertificate&data=02%7C01%7Cbjhiggins%40WPI.EDU%7C5ac7d0e54c9043231cc208d8564faaa5%7C589c76f5ca1541f9884b55ec15a0672a%7C0%7C0%7C637354247483916966&sdata=BlznjgQLt1nfTQqd%2FoJYmpWUn5s1szz0jmznk4SobDc%3D&reserved=0(java.security.cert.X509Certificate)
[6] https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FGEANT%2FCAT-Android&data=02%7C01%7Cbjhiggins%40WPI.EDU%7C5ac7d0e54c9043231cc208d8564faaa5%7C589c76f5ca1541f9884b55ec15a0672a%7C0%7C0%7C637354247483926957&sdata=RlNGw8V5GAlvjPbAJCpytxRcjNOmtXVGzDNOkhhybkQ%3D&reserved=0
[7] https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FGEANT%2FCAT-Android%2Fissues%2F37&data=02%7C01%7Cbjhiggins%40WPI.EDU%7C5ac7d0e54c9043231cc208d8564faaa5%7C589c76f5ca1541f9884b55ec15a0672a%7C0%7C0%7C637354247483926957&sdata=K2TQU7hUVdKV97FDepI26GN%2BgaAnl8Uw4xuZOz%2BXt1U%3D&reserved=0

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cbjhiggins%40WPI.EDU%7C5ac7d0e54c9043231cc208d8564faaa5%7C589c76f5ca1541f9884b55ec15a0672a%7C0%7C0%7C637354247483926957&sdata=mEQ0YMgYDX7ITdsQUvThK1%2Bgys4fnLLABSGCdYqFAFM%3D&reserved=0
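The check Carlo describes above (associated-but-unauthenticated clients in "show client summ", then non-zero EAP timeout/failure counters in "show client detail") as a small script, added here and not part of the list thread; the WLC output it parses is constructed to mirror the column layout of Carlo's pastes.

```python
"""Flag Cisco WLC clients that are associated but not 802.1X-authenticated,
and non-zero EAP timeout/failure counters. Added example, not from the thread;
sample output is constructed to mirror Carlo's 'show client' pastes."""
import re

# Constructed 'show client summ' sample: the second client has Auth = No.
SHOW_CLIENT_SUMM = """\
MAC Address       AP Name                        Slot Status        WLAN  Auth Protocol         Port Wired Tunnel  Role
----------------- ------------------------------ ---- ------------- ----- ---- ---------------- ---- ----- ------- ----------------
08:3d:88:57:29:be AP1810w_sandycove_44B8         0    Associated    17    Yes  802.11n(2.4 GHz) 13   No    No      Local
f8:3f:51:3a:8d:92 AP1810w_sandycove_4690         1    Associated    17    No   802.11ac(5 GHz)  13   No    No      Local
"""

# Constructed EAP counter block from 'show client detail <mac_address>'.
SHOW_CLIENT_DETAIL = """\
Number of EAP Id Request Msg Timeouts...... 0
Number of EAP Request Msg Failures......... 0
Number of EAP Key Msg Timeouts............. 1
Number of EAP Key Msg Failures............. 0
Number of Data Retries..................... 1220
"""

# Client row: MAC, AP name, slot, status, WLAN id, then the Auth column (Yes/No).
ROW_RE = re.compile(
    r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(Yes|No)\b",
    re.IGNORECASE)
# Counter lines such as 'Number of EAP Key Msg Timeouts............. 1'.
EAP_COUNTER_RE = re.compile(r"^Number of (EAP .+?)\.{2,}\s*(\d+)\s*$", re.MULTILINE)

def parse_summary(text):
    """One dict per client row of 'show client summ'."""
    clients = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            clients.append({"mac": m.group(1).lower(), "ap": m.group(2),
                            "status": m.group(4), "wlan": int(m.group(5)),
                            "auth": m.group(6).lower() == "yes"})
    return clients

def stuck_in_auth(text):
    """Associated but not authenticated: these get no DHCP lease on a dot1x WLAN."""
    return [c["mac"] for c in parse_summary(text)
            if c["status"] == "Associated" and not c["auth"]]

def eap_problems(text):
    """Non-zero EAP timeout/failure counters from 'show client detail'."""
    return {name: int(n) for name, n in EAP_COUNTER_RE.findall(text) if int(n) > 0}
```

Feed it the two command outputs captured from the controller; a MAC returned by stuck_in_auth is the one to look up with "show client detail".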
