I heard the same and think it is a good idea, as the 'do not validate' option should not be in there as it will put your user credentials at big risk. Especially when using password authentication, you should not ever disable certificate validation unless you don't care about the user password (like in guest/throwaway passwords).
Where this change seems to come from is the WPA3 certification that makes EAP server certificate validation mandatory.
The recommended place to put your 802.1X server certificate is on your RADIUS server, like ClearPass. Do you authenticate your users on a RADIUS server?
Authenticating users on the controller, or 'eap termination', is deprecated but works in some corner cases. In that case the certificate considerations are equal to requesting a certificate on ClearPass. A good source is the Certificates 101 document available at arubanetworks.com/clearpassdocs.
It depends a bit on your situation, but in general using your own private CA is the better choice for EAP server certificates. As getting the clients/supplicants configured is not obvious for end users, using Active Directory group policies or an EMM/MDM device management system for managed devices, or ClearPass Onboard for self-service onboarding of unmanaged devices, are the preferred options.
Your Aruba partner, Aruba support or your local Aruba SE should be able to have a closer look at your specific situation and recommend the best approach.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------
Original Message:
Sent: Jan 13, 2021 10:46 AM
From: Will Stoner
Subject: CA Certificate Validation on Android devices
Hello everyone,
As you likely know, Android will be removing the CA certificate "Do not validate" option in the Wi-Fi EAP settings as of Android 11 QPR1 that is due to be released in December 2020. At the moment on our wifi we simply instruct people to select "Do not validate" when connecting to our wifi, though due to Android's changes we obviously can't do that anymore.
Does anyone have a link to a guide for not only what type of certificate to use for this purpose but also where to apply it in the GUI? For context, we are running version 8.4 MM based set with 2 7210s as the controllers.
Will be more than happy to provide further info when needed.
------------------------------
Thanks,
Will
------------------------------