And I should add, you do not have to use client certificates to address the core challenge of properly configuring supplicants in a wizard-like fashion while protecting user credentials in federated environments.
A per-device username and password can be used in combination with profile-based provisioning (available in some way, shape or form on each platform). This is actually what many non-cellular SPs use for Passpoint.

Example:
  Username: 1264CCBB-0D2E-44C5-B045-6D191EA65A4D
  Password: y7A96MhKjf05R5nueRtk1QZ9TEqhlhY6zL
  Anonymous Identity: anonym...@mydomain.edu

(This is actually how I deploy my personal network using some custom logic in CPPM :) )

While it's not as strong as a certificate and is not a device-bound credential, it is better than using a user's credentials (even when the supplicant is managed) and can be embedded into a profile in a web-based enrollment flow.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <00000194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Saturday, January 16, 2021 at 11:12
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

* Certificate enrolment sucks for BYOD though, there's no ongoing posture checking, and you have to maintain a CA and CRL.

There are many aaS offerings and even the on-premises solutions do most of the CA management automagically. It is rare that you need to fully manage a PKI for unmanaged device access.

* SSH uses TOFU and is more comparable to RADIUS in that you only connect to a limited number of hosts with rarely changing fingerprints.

Sure, but the fingerprint for an SSH server can be explicitly compared since it is equivalent to a self-signed trust model. There are also ways of binding an SSH server fingerprint to a domain name that is queried and evaluated on connection. That doesn't exist with EAP.

* I find it curious that this change is only on Pixel devices, is that because no others have Android 11 or because only Google is implementing it?

The change was made in the core Android code. Pixels usually roll out new code first. As other OEMs integrate the code, it will show up.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Andrewartha <jandrewar...@ccgs.wa.edu.au>
Date: Saturday, January 16, 2021 at 10:56
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Certificate enrolment sucks for BYOD though, there's no ongoing posture checking, and you have to maintain a CA and CRL.

SSH uses TOFU and is more comparable to RADIUS in that you only connect to a limited number of hosts with rarely changing fingerprints.

I find it curious that this change is only on Pixel devices, is that because no others have Android 11 or because only Google is implementing it?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757 Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 11:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

EAP-TLS is modern, strong authentication. And enrollment can even use passwordless.

Imagine if browsers operated on the TOFU model?

tim

________________________________

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Andrewartha <jandrewar...@ccgs.wa.edu.au>
Sent: Saturday, January 16, 2021 10:31:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

I disagree, but OWE or SAE with a captive portal then?
At least I can use modern authentication methods like hardware keys and TOTP with a browser.

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757 Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 11:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Because trust on first use is almost as bad as not trusting at all. Properly deploy 802.1X or don't use it.

Sorry to be harsh but this same conversation multiple times per year, every year is tiring.

Tom

________________________________

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Andrewartha <jandrewar...@ccgs.wa.edu.au>
Sent: Saturday, January 16, 2021 10:11:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Why couldn't Google add trust-on-first-use to Android like Apple has with iOS and macOS, and Microsoft has in Windows?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757 Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 6:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

> "many colleges provided instructions as such."

This is one of the many reasons the change was made. Not just colleges, enterprises as well.

These instructions are worse than instructing users to do this:

chrome.exe --ignore-certificate-errors

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Angelo Santabarbara <asantabarb...@siena.edu>
Date: Friday, January 15, 2021 at 17:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Correct Tim. I failed to clarify that you can no longer set up eduroam profiles manually without a certificate. Previously this worked and many colleges provided instructions as such. With the most recent update this is no longer possible so we had to resort to using the eduroam CAT tool to provide a simple method of joining eduroam.

Angelo D. Santabarbara, MBA
Director Networks & Systems | Siena College
O 518-782-6996
E asantabarb...@siena.edu
W siena.edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
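The per-device credential with an anonymous outer identity that Tim describes at the top of the thread, together with the server-validation settings whose absence is what Android 11 now rejects, as an added example. This is not code from the thread, from CPPM, or from the eduroam CAT project. It assumes wpa_supplicant's network-block syntax (ssid, key_mgmt, eap, phase2, identity, anonymous_identity, password, ca_cert, domain_match, all real keys), PEAP/MSCHAPv2 as the method, and constructed placeholder values for the SSID, CA path and RADIUS server name; the realm mydomain.edu is taken from Tim's example, and appending that realm to the inner identity is an assumption added here. The linter at the end is the check a profile generator should run before it hands a profile to a device.

```python
"""Per-device EAP credential with an anonymous outer identity, rendered as a
wpa_supplicant network block that validates the RADIUS server.

Added example, not from the thread. Assumptions: EAP-PEAP/MSCHAPv2 as the
method, wpa_supplicant's network-block keys, and constructed placeholder
values for the SSID, CA path and server name.
"""
import re
import secrets
import string
import uuid

PASSWORD_ALPHABET = string.ascii_letters + string.digits


def make_device_credential(realm, password_length=32):
    """One credential per device: a random UUID username and a random password.

    The outer (anonymous) identity carries only the realm, so federated RADIUS
    proxies can route the request without ever seeing the real username.
    Appending the realm to the inner identity is an assumption made here.
    """
    username = str(uuid.uuid4()).upper()
    password = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(password_length))
    return {
        "identity": f"{username}@{realm}",
        "anonymous_identity": f"anonymous@{realm}",
        "password": password,
    }


def render_wpa_supplicant_block(cred, ssid, ca_cert, server_name):
    """Emit a network block that pins the server's CA and expected name."""
    lines = [
        "network={",
        f'\tssid="{ssid}"',
        "\tkey_mgmt=WPA-EAP",
        "\teap=PEAP",
        '\tphase2="auth=MSCHAPV2"',
        f'\tidentity="{cred["identity"]}"',
        f'\tanonymous_identity="{cred["anonymous_identity"]}"',
        f'\tpassword="{cred["password"]}"',
        f'\tca_cert="{ca_cert}"',           # trust anchor for the RADIUS server cert
        f'\tdomain_match="{server_name}"',  # exact name the server cert must carry
        "}",
    ]
    return "\n".join(lines)


_KV = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*)"?\s*$')


def lint_profile(block):
    """Return a list of problems with an EAP network block; [] means it passes.

    A profile with no CA and no server name, the shape of the old manual
    how-to instructions, is exactly what Android 11 refuses to accept.
    """
    kv = {}
    for line in block.splitlines():
        m = _KV.match(line)
        if m:
            kv[m.group(1)] = m.group(2)
    if kv.get("key_mgmt") != "WPA-EAP":
        return []  # not an EAP profile; nothing to check
    problems = []
    if not kv.get("ca_cert"):
        problems.append("no ca_cert: the RADIUS server certificate is never validated")
    if not (kv.get("domain_match") or kv.get("domain_suffix_match")):
        problems.append("no domain_match/domain_suffix_match: any certificate from the CA would be accepted")
    if not kv.get("anonymous_identity"):
        problems.append("no anonymous_identity: the real username travels in the clear in the outer EAP identity")
    elif "@" not in kv["anonymous_identity"]:
        problems.append("anonymous_identity has no realm: federated proxies cannot route it")
    return problems


# Constructed 'before' profile in the shape of the old manual instructions
# (user's own directory credentials, no CA, no server name).
LEGACY_PROFILE = "\n".join([
    "network={",
    '\tssid="eduroam"',
    "\tkey_mgmt=WPA-EAP",
    "\teap=PEAP",
    '\tphase2="auth=MSCHAPV2"',
    '\tidentity="jane.doe@mydomain.edu"',
    '\tpassword="her-real-directory-password"',
    "}",
])


if __name__ == "__main__":
    cred = make_device_credential("mydomain.edu")
    good = render_wpa_supplicant_block(
        cred, "eduroam", "/etc/ssl/certs/example-ca.pem", "radius.mydomain.edu")
    print(good)
    print("per-device profile problems:", lint_profile(good))
    print("legacy profile problems:")
    for p in lint_profile(LEGACY_PROFILE):
        print(" -", p)
```

In wpa_supplicant, leaving out ca_cert disables server certificate validation entirely, and a ca_cert without domain_match (or domain_suffix_match) means any certificate issued by that CA, including one issued to an unrelated site, would satisfy the supplicant; both are the conditions the linter flags. Because the username is a per-device random value rather than the user's directory credential, a profile that leaks still exposes only one device's network access, which is the trade-off Tim describes against a full certificate deployment.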