James,

So far this has been a largely technical discussion. I think that misses the point a bit. Before you can agree on the best technical implementation you must first establish what you’re trying to accomplish. So before we can decide how best to implement 802.1X, we must consider why we use 802.1X in the first place.

I can think of three reasons to provide authenticated Wi-Fi common to most institutions who provide it:

1. To limit access to institutional resources to those who require them.
2. To manage the risk and liability of being a network provider by being able to identify potential abusers on our networks.
3. To help protect the data privacy of our users.

This list isn’t comprehensive and a few of us may take issue with item 2, but I think these reasons are common and compelling.

Misconfigured 802.1X supplicants put the authentication credentials at risk. Insecure credentials undermine the main reasons for doing 802.1X in the first place. In some ways it’s even worse than not doing 802.1X at all. It not only leads to a false sense of security, but compromised credentials undermine the security of other authenticated systems in a way that open Wi-Fi does not. I cringe every time some tech writer or IT leader at my institution refers to our 802.1X SSID as “Secure Wi-Fi”, and manual configuration of Android and Windows devices is my main objection. If you’re not going to ensure your 1X supplicants are properly configured, why use it at all?

Even if you conclude that there are marginal benefits of 1X despite potentially insecure credentials, I think you must admit that item 3 provides sufficient reason for Google to act. Furthermore, while I agree that Google’s move makes the job harder for some of us, it finally ensures that manually configured 802.1X networks on Android can be trusted. My preference would be for Google to make it easier to configure a secure network connection on their devices, but let’s not condemn them for requiring us to follow best practice. Any institution who finds this too big a burden to provide 802.1X Wi-Fi may want to reconsider their network security paradigms. There are other viable approaches.
Chuck Enfield
Manager, Wireless & Cellular
Penn State IT

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of James Andrewartha
Sent: Saturday, January 16, 2021 9:31 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] Android 11 and Cert Verification

I’m arguing on behalf of the many poorly-resourced environments where NPS has a marginal cost of zero, and that enabling TOFU would be a simple thing to improve their security. Most of these places don’t have the budget or expertise for something like CPPM (I have it and even I’m intimidated by it). Microsoft isn’t helping because there’s no cloud RADIUS (NPS is explicitly not supported in Azure). It’s the responsibility of vendors to provide accessible tools for security.

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Turpin, Max
Sent: Sunday, 17 January 2021 7:49 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] Android 11 and Cert Verification

You do have to maintain a PKI or have someone else do it, but CRLs are hardly necessary if you do identity checking as part of your RADIUS service. If you want to do posture checking you will need to use some sort of agent (as far as I know), so that could certainly be part of your onboarding solution. The fact that the majority of environments fail to deploy 802.1X correctly doesn’t take away the responsibility of institutions to fix it and provide a secure solution to users, even if it means educating the administration and users on what must be done now to access the network. And as we almost all know, the problem is not a technical one now, but one of communication.

Max

On Jan 16, 2021, at 10:56 AM, James Andrewartha <[email protected]> wrote:

Certificate enrolment sucks for BYOD though, there’s no ongoing posture checking, and you have to maintain a CA and CRL. SSH uses TOFU and is more comparable to RADIUS in that you only connect to a limited number of hosts with rarely changing fingerprints. I find it curious that this change is only on Pixel devices; is that because no others have Android 11 or because only Google is implementing it?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 11:33 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

EAP-TLS is modern, strong authentication. And enrollment can even use passwordless. Imagine if browsers operated on the TOFU model?

*tim

________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> on behalf of James Andrewartha <[email protected]>
Sent: Saturday, January 16, 2021 10:31:27 AM
To: [email protected] <[email protected]>
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

I disagree, but OWE or SAE with a captive portal then? At least I can use modern authentication methods like hardware keys and TOTP with a browser.

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 11:24 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Because trust on first use is almost as bad as not trusting at all. Properly deploy 802.1X or don't use it. Sorry to be harsh, but this same conversation multiple times per year, every year, is tiring.

Tom

________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> on behalf of James Andrewartha <[email protected]>
Sent: Saturday, January 16, 2021 10:11:00 AM
To: [email protected] <[email protected]>
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Why couldn’t Google add trust-on-first-use to Android like Apple has with iOS and macOS, and Microsoft has in Windows?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Tim Cappalli
Sent: Saturday, 16 January 2021 6:28 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

> “many colleges provided instructions as such.”

This is one of the many reasons the change was made. Not just colleges, enterprises as well.

These instructions are worse than instructing users to do this: chrome.exe --ignore-certificate-errors

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> on behalf of Angelo Santabarbara <[email protected]>
Date: Friday, January 15, 2021 at 17:25
To: [email protected] <[email protected]>
Subject: Re: [WIRELESS-LAN] Android 11 and Cert Verification

Correct, Tim. I failed to clarify that you can no longer set up eduroam profiles manually without a certificate. Previously this worked and many colleges provided instructions as such. With the most recent update this is no longer possible, so we had to resort to using the eduroam CAT tool to provide a simple method of joining eduroam.

—Angelo D. Santabarbara, MBA
Director Networks & Systems | Siena College
O 518-782-6996
E [email protected]
W siena.edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at https://www.educause.edu/community
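Added illustration, not part of any message in this thread: the "manual setup without a certificate" instructions Angelo and Tim refer to, and the properly anchored profile Chuck argues for, can be written down side by side as wpa_supplicant network blocks and checked mechanically. The three blocks below are constructed samples, and the audit function is my own, not a tool anyone above mentions. The SSID eduroam comes from the thread; example.edu, the identity, the password and the CA file paths are placeholders.

```python
import re

# Constructed sample wpa_supplicant network blocks (not taken from any message above).
# WEAK mirrors "manual setup without a certificate": with no ca_cert and no server
# name constraint, the supplicant cannot tell the institution's RADIUS server from
# any other server presenting a certificate, so the inner MSCHAPv2 exchange (and
# with it material derived from the user's password) is handed to whoever answers.
WEAK = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.edu"
    password="correct horse battery staple"
}
"""

# HARDENED pins the CA that issued the RADIUS server certificate and the name the
# certificate must carry; this is the pairing a validating supplicant needs.
HARDENED = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@example.edu"
    identity="user@example.edu"
    password="correct horse battery staple"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
}
"""

# CA_ONLY trusts a CA bundle but never says which server name to expect: any
# certificate issued by any CA in the bundle would satisfy the supplicant.
CA_ONLY = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    identity="user@example.edu"
    password="correct horse battery staple"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)

# Any of these wpa_supplicant options constrains which server name is acceptable.
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")


def parse_networks(conf_text):
    """Parse wpa_supplicant.conf text into a list of {option: value} dicts, one per network block."""
    networks = []
    for body in BLOCK_RE.findall(conf_text):
        net = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")  # split on the first '=' only (phase2 values contain '=')
            net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks


def audit_network(net):
    """Return findings for one network block; an empty list means the RADIUS server is properly anchored."""
    findings = []
    if not net.get("key_mgmt", "").startswith("WPA-EAP"):
        return findings  # PSK or open network: no 802.1X server certificate involved
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no ca_cert/ca_path: any server certificate is accepted")
    if not any(k in net for k in SERVER_NAME_KEYS):
        findings.append("no server name constraint: any certificate from the trusted CA is accepted")
    return findings


def audit_config(conf_text):
    """Audit every network block in a config; returns a list of (ssid, findings) pairs."""
    return [(net.get("ssid", "?"), audit_network(net)) for net in parse_networks(conf_text)]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("ca-only", CA_ONLY), ("hardened", HARDENED)):
        for ssid, findings in audit_config(conf):
            print(f"{label:9} {ssid}: {findings or 'OK'}")
```

The CA_ONLY case is the one worth noticing: a profile can carry a certificate and still be open to any server whose certificate chains to a CA in the bundle, which is why a server name constraint belongs in every published profile alongside the CA.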
