Certificate enrolment sucks for BYOD though, there's no ongoing posture 
checking, and you have to maintain a CA and CRL.

SSH uses TOFU and is more comparable to RADIUS in that you only connect to a 
limited number of hosts with rarely changing fingerprints.

I find it curious that this change is only on Pixel devices, is that because no 
others have Android 11 or because only Google is implementing it?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 11:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

EAP-TLS is modern, strong authentication. And enrollment can even use 
passwordless.
Imagine if browsers operated on the TOFU model?
*tim
________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Andrewartha 
<jandrewar...@ccgs.wa.edu.au>
Sent: Saturday, January 16, 2021 10:31:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification


I disagree, but OWE or SAE with a captive portal then? At least I can use 
modern authentication methods like hardware keys and TOTP with a browser.



--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 11:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification



Because trust on first use is almost as bad as not trusting at all.

Properly deploy 802.1X or don't use it. Sorry to be harsh but this same 
conversation multiple times per year, every year is tiring.

Tom

________________________________

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Andrewartha 
<jandrewar...@ccgs.wa.edu.au>
Sent: Saturday, January 16, 2021 10:11:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification



Why couldn't Google add trust-on-first-use to Android like Apple has with iOS 
and macOS, and Microsoft has in Windows?



--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 6:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification



> "many colleges provided instructions as such."



This is one of the many reasons the change was made. Not just colleges, 
enterprises as well.



These instructions are worse than instructing users to do this:



chrome.exe --ignore-certificate-errors



tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Angelo Santabarbara 
<asantabarb...@siena.edu>
Date: Friday, January 15, 2021 at 17:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Correct, Tim. I failed to clarify that you can no longer set up eduroam profiles 
manually without a certificate.  Previously this worked and many colleges 
provided instructions as such. With the most recent update this is no longer 
possible so we had to resort to using the eduroam CAT tool to provide a simple 
method of joining eduroam.

-Angelo D. Santabarbara, MBA
Director Networks & Systems | Siena College
O 518-782-6996
E asantabarb...@siena.edu
W siena.edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
