Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

CA Certificate Validation on Android devices

  • 1.  CA Certificate Validation on Android devices

    Posted Jan 13, 2021 02:56 PM
    Hello everyone,

    As you likely know, Android will be removing the CA certificate "Do not validate" option in the Wi-Fi EAP settings as of Android 11 QPR1, which is due to be released in December 2020. At the moment on our wifi we simply instruct people to select "Do not validate" when connecting to our wifi, though due to Android's changes we obviously can't do that anymore.

    Does anyone have a link to a guide for not only what type of certificate to use for this purpose but also where to apply it in the GUI? For context, we are running a version 8.4 MM-based set with 2 7210s as the controllers.

    Will be more than happy to provide further info when needed.


    ------------------------------
    Thanks,
    Will
    ------------------------------


  • 2.  RE: CA Certificate Validation on Android devices

    Posted Jan 14, 2021 04:40 AM
    I heard the same and think it is a good idea as the 'do not validate' option should not be in there as it will put your user credentials at a big risk. Especially when using password authentication, you should not ever disable certificate validation unless you don't care about the user password (like in guest/throwaway passwords).

    Where this change seems to come from is the WPA3 certification that makes EAP server certificate validation mandatory.

    The recommended place to put your 802.1X server certificate is on your RADIUS server, like ClearPass. Do you authenticate your users on a RADIUS server?
    Authenticating users on the controller, or 'EAP termination', is deprecated but works in some corner cases. In that case the certificate considerations are equal to requesting a certificate on ClearPass. A good source is the Certificates 101 document available at arubanetworks.com/clearpassdocs.

    It depends a bit on your situation, but in general using your own private CA is the better choice for EAP server certificates. As getting the clients/supplicants configured is not obvious for end users, using Active Directory group policies or an EMM/MDM device management system for managed devices, or ClearPass Onboard for self-service onboarding of unmanaged devices, are the preferred options.

    Your Aruba partner, Aruba support or your local Aruba SE should be able to have a closer look at your specific situation and recommend the best approach.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: CA Certificate Validation on Android devices

    Posted Jan 14, 2021 06:26 AM
    Hi Herman,

    Thanks for the pointer. We do authenticate with a separate RADIUS suite rather than locally or with ClearPass, and have avoided EAP termination as the RADIUS setup has more than enough grunt for the requests.

    I have messaged our SE and I'll see what he has to say.

    Thanks again for the advice.

    ------------------------------
    Will Stoner
    ------------------------------



  • 4.  RE: CA Certificate Validation on Android devices

    Posted Jan 14, 2021 12:24 PM
    I was researching and reading about this upcoming change too (which is a good one from a security perspective). My main concern comes from the standpoint of working at a higher-ed institute where we have mostly BYOD and no MDM.

    Am I correct in thinking that as long as we apply a server cert to our RADIUS server (ClearPass in our case) that was issued by a "big name" CA, the root CA should hopefully come preinstalled with most major Android devices, and so when these devices connect to our network, they should trust our RADIUS server's cert just fine?

    ------------------------------
    Cody Ensanian
    ------------------------------



  • 5.  RE: CA Certificate Validation on Android devices

    Posted Jan 14, 2021 06:18 PM

    You should never use a public CA for an EAP server certificate.

    If you're going to use legacy authentication methods (you really shouldn't but...), you need to properly configure the supplicants. This could be via a commercial tool like ClearPass QuickConnect, SecureW2, Cloudpath, etc or you can use the CAT tool from eduroam.

    Any managed devices should receive the configuration through the management platform.



    ------------------------------
    Tim C
    ------------------------------



  • 6.  RE: CA Certificate Validation on Android devices

    Posted Jan 18, 2021 04:46 AM
    Regardless of whether your EAP certificate is issued by a 'big name CA' or your private CA, there is no way for the client to validate the certificate, as the SSID is not part of any certificate. Unmanaged users will need to accept the certificate under all circumstances, and in fact, as Tim mentioned, they should not, as the client supplicant needs to be properly configured unless you want to put your users' credentials at risk.

    There is no real benefit in using a public CA for EAP server certificates, and there are a few cautions, as I mentioned before.

    ------------------------------
    Herman Robers
    ------------------------------
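The point made above, that no certificate names the SSID, so a supplicant has to be provisioned with both the CA to trust and the server name to expect, as an added Go example (not code from this thread or from Aruba): it issues a constructed private CA and a RADIUS/EAP server certificate, then performs the two checks a correctly configured supplicant makes before releasing credentials. The CA name and hostname are constructed; nothing here is taken from a real deployment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with parent/parentKey; when parent is nil the cert is self-signed (the private CA).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// template returns a CA template when ca is true, otherwise an EAP server template with name as DNS SAN.
func template(serial int64, name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// SupplicantAccepts is the check a properly provisioned supplicant makes before sending credentials:
// the EAP server cert must chain to the provisioned CA AND carry the provisioned server name.
// The SSID is not in the certificate, so without both settings nothing ties the server to the network.
func SupplicantAccepts(server, trustedCA *x509.Certificate, expectedName string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err == nil
}
```

A "Do not validate" client is equivalent to calling neither check: any certificate, from any issuer, with any name, is accepted before the password is sent.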



  • 7.  RE: CA Certificate Validation on Android devices

    Posted Jan 18, 2021 04:55 AM
    Thanks for all of the feedback everyone, this has given me a lot of points to discuss with the team about how best to approach this. Clearpass was something we were considering but CAT might be more appropriate for us due to our circumstances.

    Thanks again

    ------------------------------
    Will Stoner
    ------------------------------



  • 8.  RE: CA Certificate Validation on Android devices

    Posted Apr 26, 2021 01:59 PM
    Hi Herman,

    Currently I'm facing this issue whereby Android 11 devices are unable to authenticate to the dot1x SSID. I created a TAC case and the only workaround for this (besides getting a public CA) is to manually import the .pem EAP certificate from CPPM to the Android devices. However, this workaround doesn't seem to work. In addition, you mentioned it is best to use a self-signed cert for the EAP server certificate. If that's the case, how can I resolve this Android 11 new security enhancement?

    ------------------------------
    DarrenPJW
    ------------------------------



  • 9.  RE: CA Certificate Validation on Android devices

    Posted Apr 26, 2021 02:03 PM
    If you're going to continue using legacy authentication methods, you need to push users through a supplicant provisioning utility/wizard.

    Also, your EAP server certificate should NEVER be self-signed.

    ------------------------------
    Tim C
    ------------------------------



  • 10.  RE: CA Certificate Validation on Android devices

    Posted Apr 26, 2021 04:14 PM
    Hi Tim,

    Thanks for the feedback. We are still running the normal WPA2-Enterprise authentication method. What do you mean by supplicant provisioning utility?

    My bad, what I meant was private CA for EAP server certificate. How can I resolve this Android 11 authentication issue then?

    ------------------------------
    DarrenPJW
    ------------------------------



  • 11.  RE: CA Certificate Validation on Android devices

    Posted Apr 26, 2021 04:19 PM
    WPA2-Enterprise is not an authentication method. I assume you're using PEAPv0/EAP-MSCHAPv2? If so, this legacy method requires supplicant provisioning, just like on other operating systems, for proper configuration. The recommended path is to switch to modern auth using EAP-TLS, but if you choose to stay on legacy auth, you'll need to acquire a third-party solution that handles supplicant provisioning.

    RE: CA, yes, the EAP server certificate should always be issued from an organizationally controlled PKI.

    ------------------------------
    Tim C
    ------------------------------