Wireless Access

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

CA Certificate Validation on Android devices

  • 1.  CA Certificate Validation on Android devices

    Posted 13 days ago
    Hello everyone,

    As you likely know, Android will be removing the CA certificate "Do not validate" option in the Wi-Fi EAP settings as of Android 11 QPR1, which is due to be released in December 2020. At the moment on our Wi-Fi we simply instruct people to select "Do not validate" when connecting to our Wi-Fi, though due to Android's changes we obviously can't do that anymore.

    Does anyone have a link to a guide for not only what type of certificate to use for this purpose but also where to apply it in the GUI? For context, we are running a version 8.4 MM-based setup with two 7210s as the controllers.

    Will be more than happy to provide further info when needed.


    ------------------------------
    Thanks,
    Will
    ------------------------------


  • 2.  RE: CA Certificate Validation on Android devices

    Posted 12 days ago
    I heard the same and think it is a good idea as the 'do not validate' option should not be in there as it will put your user credentials at a big risk. Especially when using password authentication, you should not ever disable certificate validation unless you don't care about the user password (like in guest/throwaway passwords).

    Where this change seems to come from is the WPA3 certification that makes EAP server certificate validation mandatory.

    The recommended place to put your 802.1X server certificate is on your RADIUS server, like ClearPass. Do you authenticate your users on a RADIUS server?
    Authenticating users on the controller, or 'EAP termination', is deprecated but works in some corner cases. In that case the certificate considerations are the same as for requesting a certificate on ClearPass. A good source is the Certificates 101 document available at arubanetworks.com/clearpassdocs.

    It depends a bit on your situation, but in general using your own private CA is the better choice for EAP server certificates. As getting the clients/supplicants configured is not obvious for end users, using Active Directory group policies or an EMM/MDM device management system for managed devices, or ClearPass Onboard for self-service onboarding of unmanaged devices, are the preferred options.

    Your Aruba partner, Aruba support or your local Aruba SE should be able to have a closer look at your specific situation and recommend the best approach.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: CA Certificate Validation on Android devices

    Posted 12 days ago
    Hi Herman,

    Thanks for the pointer. We do authenticate with a separate RADIUS suite rather than locally or with ClearPass, and have avoided EAP termination as the RADIUS setup has more than enough grunt for the requests.

    I have messaged our SE and I'll see what he has to say.

    Thanks again for the advice.

    ------------------------------
    Will Stoner
    ------------------------------



  • 4.  RE: CA Certificate Validation on Android devices

    Posted 12 days ago
    I was researching and reading about this upcoming change too (which is a good one from a security perspective). My main concern comes from the standpoint of working at a higher-ed institute where we have mostly BYOD and no MDM.

    Am I correct in thinking that as long as we apply a server cert to our RADIUS server (ClearPass in our case) that was issued by a "big name" CA, the root CA should hopefully come preinstalled with most major Android devices, and so when these devices connect to our network they should trust our RADIUS server's cert just fine?

    ------------------------------
    Cody Ensanian
    ------------------------------



  • 5.  RE: CA Certificate Validation on Android devices

    Posted 12 days ago

    You should never use a public CA for an EAP server certificate.

    If you're going to use legacy authentication methods (you really shouldn't but...), you need to properly configure the supplicants. This could be via a commercial tool like ClearPass QuickConnect, SecureW2, Cloudpath, etc or you can use the CAT tool from eduroam.

    Any managed devices should receive the configuration through the management platform.



    ------------------------------
    Tim C
    ------------------------------



  • 6.  RE: CA Certificate Validation on Android devices

    Posted 8 days ago
    Regardless of whether your EAP certificate is issued by a 'big name CA' or your private CA, there is no way for the client to validate the certificate as the SSID is not part of any certificate. Unmanaged users will need to accept the certificate under all circumstances, and in fact, as Tim mentioned, they should not, as the client supplicant needs to be properly configured unless you want to put your users' credentials at risk.

    There is no real benefit of using a public CA for EAP server certificates, there are a few cautions as I mentioned before.

    ------------------------------
    Herman Robers
    ------------------------------
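The advice in Herman's two replies above (use your own private CA, put the EAP server certificate on the RADIUS server, and accept that the SSID appears nowhere in the certificate, so the supplicant has to be told which CA and server name to expect) as an added worked example. This is not code from the thread, from Aruba or from ClearPass; it uses plain OpenSSL (1.1.1 or newer) and wpa_supplicant syntax. All names are hypothetical: "Example Private CA", radius.example.edu, the SSID CampusWiFi and the user will@example.edu. The rogue CA and certificate are constructed here only to show what a validating client rejects.

```shell
#!/bin/sh
# Added example, not code from the thread or from Aruba. Builds the pieces the
# replies above talk about with plain openssl: a private CA, an EAP server
# certificate for the RADIUS server, a supplicant profile that validates it, and
# a check that shows why an unconfigured client cannot "just" validate.
# Hypothetical names throughout: "Example Private CA", radius.example.edu,
# SSID "CampusWiFi", user will@example.edu. Needs OpenSSL 1.1.1 or newer.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA: CA:TRUE and keyCertSign, which 'openssl verify' requires.
make_ca() {              # $1 = output prefix, $2 = CA common name
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' >"$1.ext"
  openssl x509 -req -sha256 -days 3650 -in "$1.csr" -signkey "$1.key" \
    -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# EAP server cert: serverAuth EKU plus a DNS SAN, the two things supplicants
# look at besides the chain. Note that nothing here mentions an SSID.
make_server_cert() {     # $1 = output prefix, $2 = CA prefix, $3 = DNS name
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$3" \
    'authorityKeyIdentifier=keyid' >"$1.ext"
  openssl x509 -req -sha256 -days 825 -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# What a correctly configured supplicant does before it sends the inner
# identity/password: chain to the pinned CA, server purpose, exact server name.
# Prints ok / chain-fail / name-fail.
supplicant_check() {     # $1 = trusted CA file, $2 = presented cert, $3 = expected name
  openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1 \
    || { echo chain-fail; return 1; }
  openssl x509 -in "$2" -noout -ext subjectAltName | tr ', ' '\n\n' \
    | grep -qx "DNS:$3" || { echo name-fail; return 1; }
  echo ok
}

# Herman's point: the SSID is not in the certificate, so the client cannot derive
# the expected server from the network it joined. Prints how many times the SSID
# string occurs in the certificate dump (expected: 0).
ssid_in_cert() {         # $1 = cert file, $2 = SSID
  openssl x509 -in "$1" -noout -text | grep -c "$2" || true
}

# wpa_supplicant profiles: the validating one (what Android 11's "CA certificate"
# and "Domain" fields correspond to) next to the "Do not validate" one being removed.
write_profiles() {
  cat >"$WORK/secure.conf" <<EOF
network={
    ssid="CampusWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="will@example.edu"
    password="placeholder-password"
    ca_cert="$WORK/ca.pem"
    domain_match="radius.example.edu"
}
EOF
  cat >"$WORK/weak.conf" <<EOF
# No ca_cert and no domain_match: wpa_supplicant warns and then accepts any
# server certificate, so a rogue AP with the same SSID gets the MSCHAPv2 exchange.
network={
    ssid="CampusWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="will@example.edu"
    password="placeholder-password"
}
EOF
}

make_ca "$WORK/ca" "Example Private CA"
make_server_cert "$WORK/radius" "$WORK/ca" radius.example.edu
# Rogue AP scenario: an attacker's own CA issuing a cert for the same name.
make_ca "$WORK/rogue-ca" "Rogue CA"
make_server_cert "$WORK/rogue" "$WORK/rogue-ca" radius.example.edu
write_profiles
echo "legitimate RADIUS: $(supplicant_check "$WORK/ca.pem" "$WORK/radius.pem" radius.example.edu)"
echo "rogue RADIUS:      $(supplicant_check "$WORK/ca.pem" "$WORK/rogue.pem" radius.example.edu || true)"
echo "SSID occurrences in certificate: $(ssid_in_cert "$WORK/radius.pem" CampusWiFi)"
```

Run it with `sh eap-cert-demo.sh`; the files land in the directory printed by `mktemp -d` (or in `$WORK` if set). `radius.pem` and `radius.key` are what you would import on the RADIUS server, and `ca.pem` is what has to reach the clients, which is exactly the distribution problem the replies above point to (GPO, MDM, Onboard or the eduroam CAT tool). The rogue certificate passes every check a "Do not validate" client performs, because that client performs none; the pinned CA is what turns it into `chain-fail`. `domain_match` in wpa_supplicant is an exact match, while Android's "Domain" field is a suffix match, so on Android enter the name the server certificate's SAN actually carries.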



  • 7.  RE: CA Certificate Validation on Android devices

    Posted 8 days ago
    Thanks for all of the feedback everyone, this has given me a lot of points to discuss with the team about how best to approach this. ClearPass was something we were considering, but CAT might be more appropriate for us due to our circumstances.

    Thanks again

    ------------------------------
    Will Stoner
    ------------------------------