You should avoid using public CA-issued web server certificates for an EAP server identity wherever possible.
But to directly answer your question, yes, you'd select Use System Certificates and set the subject name.

________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> on behalf of Tariq Adnan <[email protected]>
Sent: Tuesday, September 22, 2020, 22:04
To: [email protected]
Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

Hi Tim,

How about choosing “use system certificate”, provided the CA cert is a valid public cert (QuoVadis CA) and in default certificate store of Android?

Thanks,

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Fishel Erps
Sent: Wednesday, 23 September 2020 5:17 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

Tim,

Thank you. This was extremely helpful.

__________________________________
Fishel Erps, Sr. Network & Infrastructure Engineer
School of Visual Arts
136 W 21st St., 8th Floor
New York, NY, 10011
LL: 212-592-2416
E: [email protected]
_______________________________
Please excuse any typographical errors as this e-mail has been sent from my mobile device
_______________________________

On Sep 22, 2020, at 15:13, Tim Cappalli <[email protected]> wrote:

Fishel - as an aside, if the configuration guidance to users has been to ignore the EAP server identity or configure their devices to not validate it and the credential used for Wi-Fi is their primary password, I highly recommend you issue an organization-wide password reset as all of those credentials may have been compromised.
________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> on behalf of Felix Windt <[email protected]>
Sent: Tuesday, September 22, 2020 15:10
To: [email protected] <[email protected]>
Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

https://www.eduroam.org/configuration-assistant-tool-cat/

thx,
felix

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> on behalf of Patrick Mauretti <[email protected]>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]>
Date: Tuesday, September 22, 2020 at 3:02 PM
To: "[email protected]" <[email protected]>
Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

Okay I’ll bite. What’s the CAT tool you mentioned? Link?

-Patrick

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Floyd, Brad
Sent: Tuesday, September 22, 2020 3:00 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

Fishel,

We have run into this on some versions of Android OS and the solution that works for us is to import our CA’s root certificate into the device.
Once we import the root certificate and select it during the profile setup, the connection is established.

Thanks,
Brad

From: The EDUCAUSE Wireless Issues Community Group Listserv [mailto:[email protected]] On Behalf Of Fishel Erps
Sent: Tuesday, September 22, 2020 12:10 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Android 11 and WPA-Enterprise

Tim,

We use:

EAP Method = PEAP
Phase 2 = MSCHAPv2
CA Certificate = Unspecified
Identity = [username]
Password = [password]

The credentials trigger the return of a filter-ID from the RADIUS server to the controller, which the controller then uses to put the user into a VLAN.

Some Android devices that are running version 11 no longer have an option of “unspecified” under CA Certificate, and none of the other choices seem to work.

__________________________________
Fishel Erps, Sr. Network & Infrastructure Engineer
School of Visual Arts
136 W 21st St., 8th Floor
New York, NY, 10011
LL: 212-592-2416
E: [email protected]
_______________________________
Please excuse any typographical errors as this e-mail has been sent from my mobile device
_______________________________

On Sep 22, 2020, at 12:04, Tim Cappalli <[email protected]> wrote:

Can you please provide some basic details?

* What exactly is "broken"?
* Which EAP method?
* Which credential type?
* How is/was the supplicant provisioned?
* Are only new devices affected or just upgraded devices?
________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> on behalf of Fishel Erps <[email protected]>
Sent: Tuesday, September 22, 2020 12:02
To: [email protected] <[email protected]>
Subject: [WIRELESS-LAN] Android 11 and WPA-Enterprise

Hi,

v11 seems to have broken credential authentication for RADIUS and WPA2-Enterprise/802.1x. Has anyone found a workaround?

__________________________________
Fishel Erps, Sr. Network & Infrastructure Engineer
School of Visual Arts
136 W 21st St., 8th Floor
New York, NY, 10011
LL: 212-592-2416
C: 347-539-6380
E: [email protected]
_______________________________
Please excuse any typographical errors as this e-mail has been sent from my mobile device
_______________________________

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
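
The server-identity settings this thread turns on (a CA certificate plus a subject or domain name for the EAP server), shown as an added example that is not part of the original e-mails: a Python audit of wpa_supplicant-style network blocks that flags 802.1X profiles lacking either setting. The sample configuration, SSIDs, file paths and the name radius.example.edu are constructed for illustration.

```python
import re

# Constructed sample (not from the thread): three wpa_supplicant network blocks.
SAMPLE_CONF = '''
network={
    ssid="campus-legacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-ca-only"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-root.pem"
}
network={
    ssid="campus-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-root.pem"
    domain_suffix_match="radius.example.edu"
}
'''

# wpa_supplicant options that constrain the EAP server certificate's name
NAME_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

def parse_networks(conf):
    """Return one {key: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", conf, re.S):
        pairs = (ln.strip().split("=", 1) for ln in body.splitlines()
                 if "=" in ln and not ln.strip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(conf):
    """Map SSID -> findings for each 802.1X network in the config."""
    report = {}
    for net in parse_networks(conf):
        if "EAP" not in net.get("key_mgmt", ""):
            continue  # PSK/open networks have no EAP server certificate
        findings = []
        if not (net.get("ca_cert") or net.get("ca_path")):
            findings.append("no CA configured: server certificate is not validated")
        if not any(net.get(k) for k in NAME_KEYS):
            findings.append("no server name constraint: any certificate from the CA is accepted")
        report[net.get("ssid", "?")] = findings
    return report
```

Calling `audit(SAMPLE_CONF)` returns two findings for `campus-legacy`, one for `campus-ca-only`, and none for `campus-pinned`.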
