I’m arguing on behalf of the many poorly-resourced environments where NPS has a marginal cost of zero, and that enabling TOFU would be a simple thing to improve their security. Most of these places don’t have the budget or expertise for something like CPPM (I have it and even I’m intimidated by it). Microsoft isn’t helping because there’s no cloud RADIUS (NPS is explicitly not supported in Azure). It’s the responsibility of vendors to provide accessible tools for security.
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757 Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Turpin, Max
Sent: Sunday, 17 January 2021 7:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] Android 11 and Cert Verification

You do have to maintain a PKI or have someone else do it, but CRLs are hardly necessary if you do identity checking as part of your RADIUS service. If you want to do posture checking you will need to use some sort of agent (as far as I know), so that could certainly be part of your onboarding solution. The fact that the majority of environments fail to deploy 802.1X correctly doesn't take away the responsibility of institutions to fix it and provide a secure solution to users, even if it means educating the administration and users on what must be done now to access the network. And as we almost all know, the problem is not a technical one now, but one of communication.

Max

On Jan 16, 2021, at 10:56 AM, James Andrewartha <jandrewar...@ccgs.wa.edu.au> wrote:

Certificate enrolment sucks for BYOD though, there's no ongoing posture checking, and you have to maintain a CA and CRL. SSH uses TOFU and is more comparable to RADIUS in that you only connect to a limited number of hosts with rarely changing fingerprints. I find it curious that this change is only on Pixel devices; is that because no others have Android 11 or because only Google is implementing it?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757 Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 11:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

EAP-TLS is modern, strong authentication. And enrollment can even use passwordless. Imagine if browsers operated on the TOFU model?

*tim

________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Andrewartha <jandrewar...@ccgs.wa.edu.au>
Sent: Saturday, January 16, 2021 10:31:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

I disagree, but OWE or SAE with a captive portal then? At least I can use modern authentication methods like hardware keys and TOTP with a browser.

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757 Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 11:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Because trust on first use is almost as bad as not trusting at all. Properly deploy 802.1X or don't use it. Sorry to be harsh, but this same conversation multiple times per year, every year is tiring.

Tom

________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Andrewartha <jandrewar...@ccgs.wa.edu.au>
Sent: Saturday, January 16, 2021 10:11:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Why couldn't Google add trust-on-first-use to Android like Apple has with iOS and macOS, and Microsoft has in Windows?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757 Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 6:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

> "many colleges provided instructions as such."

This is one of the many reasons the change was made. Not just colleges, enterprises as well. These instructions are worse than instructing users to do this:

chrome.exe --ignore-certificate-errors

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Angelo Santabarbara <asantabarb...@siena.edu>
Date: Friday, January 15, 2021 at 17:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Correct Tim. I failed to clarify that you can no longer set up eduroam profiles manually without a certificate. Previously this worked and many colleges provided instructions as such. With the most recent update this is no longer possible, so we had to resort to using the eduroam CAT tool to provide a simple method of joining eduroam.

—Angelo D. Santabarbara, MBA
Director Networks & Systems | Siena College
O 518-782-6996
E asantabarb...@siena.edu
W siena.edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
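Angelo's point that eduroam profiles can no longer be set up manually without a certificate, and the "properly deploy 802.1X" side of the thread, as an added example that is not any participant's or vendor's code: a Python audit of wpa_supplicant network blocks (the supplicant Android and Linux use) that flags EAP networks with no ca_cert and no server-name match, which is exactly the "do not validate" setup the thread discusses. The config text, SSIDs, realm and certificate path are constructed placeholders.

```python
# Added example for this thread, not any participant's or vendor's code: audit
# wpa_supplicant blocks for the server-cert validation Android 11 now enforces.
import re
# Constructed sample; SSIDs, realm and paths are placeholders. Block 1 is the
# "manual setup without a certificate" style the thread says Android 11 now
# rejects; block 2 pins the issuing CA and the RADIUS server's name.
SAMPLE_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    identity="user@example.edu"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    identity="user@example.edu"
    password="hunter2"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
}
"""
# wpa_supplicant keys that tie the server certificate to an expected name.
NAME_MATCH_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match")

def parse_networks(conf):
    # One {key: value} dict per network={...} block, quotes stripped.
    networks = []
    for body in re.findall(r"network=\{(.*?)\}", conf, flags=re.S):
        settings = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition("=")
                settings[key.strip()] = value.strip().strip('"')
        networks.append(settings)
    return networks

def audit(conf):
    # (ssid, problems) for each EAP network that would accept any RADIUS server.
    findings = []
    for net in parse_networks(conf):
        if "EAP" not in net.get("key_mgmt", ""):
            continue  # PSK/SAE/OWE networks present no RADIUS server cert
        problems = []
        if "ca_cert" not in net:
            problems.append("no ca_cert: server certificate is not validated")
        if not any(k in net for k in NAME_MATCH_KEYS):
            problems.append("no name match: any cert from the CA is accepted")
        if problems:
            findings.append((net["ssid"], problems))
    return findings
```

Running audit(SAMPLE_CONF) reports only the first block, with both problems; a block that has ca_cert but no domain match is still reported, since any certificate from that CA would then be accepted.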