Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

CA Certificate Validation on Android devices

  • 1.  CA Certificate Validation on Android devices

    Posted Jan 13, 2021 02:56 PM
    Hello everyone,

    As you likely know, Android will be removing the CA certificate "Do not validate" option in the Wi-Fi EAP settings as of Android 11 QPR1, which is due to be released in December 2020. At the moment on our Wi-Fi we simply instruct people to select "Do not validate" when connecting to our Wi-Fi, though due to Android's changes we obviously can't do that anymore.

    Does anyone have a link to a guide for not only what type of certificate to use for this purpose but also where to apply it in the GUI? For context, we are running a version 8.4 MM-based set with 2 7210s as the controllers.

    Will be more than happy to provide further info when needed.


    ------------------------------
    Thanks,
    Will
    ------------------------------


  • 2.  RE: CA Certificate Validation on Android devices

    EMPLOYEE
    Posted Jan 14, 2021 04:40 AM
    I heard the same and think it is a good idea as the 'do not validate' option should not be in there as it will put your user credentials at a big risk. Especially when using password authentication, you should not ever disable certificate validation unless you don't care about the user password (like in guest/throwaway passwords).

    Where this change seems to come from is the WPA3 certification that makes EAP server certificate validation mandatory.

    The recommended place to put your 802.1X server certificate is on your RADIUS server, like ClearPass. Do you authenticate your users on a RADIUS server?
    Authenticating users on the controller, or 'EAP termination', is deprecated but works in some corner cases. In that case the certificate considerations are equal to requesting a certificate on ClearPass. A good source is the Certificates 101 document available at arubanetworks.com/clearpassdocs.

    It depends a bit on your situation, but in general using your own private CA is the better choice for EAP server certificates. As getting the clients/supplicants configured is not obvious for end users, using Active Directory group policies or an EMM/MDM device management system for managed devices, or ClearPass Onboard for self-service onboarding of unmanaged devices, are the preferred options.

    Your Aruba partner, Aruba support or your local Aruba SE should be able to have a closer look at your specific situation and recommend the best approach.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: CA Certificate Validation on Android devices

    Posted Jan 14, 2021 06:26 AM
    Hi Herman,

    Thanks for the pointer. We do authenticate with a separate RADIUS suite rather than locally or with ClearPass, and have avoided EAP termination as the RADIUS setup has more than enough grunt for the requests.

    I have messaged our SE and I'll see what he has to say.

    Thanks again for the advice.

    ------------------------------
    Will Stoner
    ------------------------------



  • 4.  RE: CA Certificate Validation on Android devices

    MVP
    Posted Jan 14, 2021 12:24 PM
    I was researching and reading about this upcoming change too (which is a good one from a security perspective). My main concern comes from the standpoint of working at a higher-ed institute where we have mostly BYOD and no MDM.

    Am I correct in thinking that as long as we apply a server cert to our RADIUS server (ClearPass in our case) that was issued by a "big name" CA, the root CA should hopefully come preinstalled with most major Android devices, and so when these devices connect to our network, they should trust our RADIUS server's cert just fine?


  • 5.  RE: CA Certificate Validation on Android devices

    MVP EXPERT
    Posted Jan 14, 2021 06:18 PM

    You should never use a public CA for an EAP server certificate.

    If you're going to use legacy authentication methods (you really shouldn't but...), you need to properly configure the supplicants. This could be via a commercial tool like ClearPass QuickConnect, SecureW2, Cloudpath, etc or you can use the CAT tool from eduroam.

    Any managed devices should receive the configuration through the management platform.



    ------------------------------
    Tim C
    ------------------------------



  • 6.  RE: CA Certificate Validation on Android devices

    EMPLOYEE
    Posted Jan 18, 2021 04:46 AM
    Regardless of whether your EAP certificate is issued by a 'big name CA' or your private CA, there is no way for the client to validate the certificate, as the SSID is not part of any certificate. Unmanaged users will need to accept the certificate under all circumstances, and in fact, as Tim mentioned, they should not, as the client supplicant needs to be properly configured unless you want to put your users' credentials at risk.

    There is no real benefit of using a public CA for EAP server certificates, there are a few cautions as I mentioned before.

    ------------------------------
    Herman Robers
    ------------------------------



  • 7.  RE: CA Certificate Validation on Android devices

    Posted Jan 18, 2021 04:55 AM
    Thanks for all of the feedback everyone, this has given me a lot of points to discuss with the team about how best to approach this. ClearPass was something we were considering, but CAT might be more appropriate for us due to our circumstances.

    Thanks again

    ------------------------------
    Will Stoner
    ------------------------------



  • 8.  RE: CA Certificate Validation on Android devices

    Posted Jul 27, 2023 05:14 PM

    Hello Herman and Tim,

    I know you answered the question 'Why not use a public CA for EAP authentication' and I understand your point regarding the security of user credentials. But I'm interested in guest Wi-Fi network access.

    • We're looking for a solution to provide encrypted and user authenticated access to a visitors Wi-Fi network.
    • Registration of visitor accounts is done in advance by specific groups of employees using the ClearPass Guest module. Random usernames and passwords are generated by ClearPass.
    • The visitors receive access credentials via SMS gateway.
    • The visitors can connect their personal devices (smartphones, laptops) to the guest network. Various operating systems can be connected.
    • We have no control of guest devices.

    So we implemented PEAP with MSCHAPv2 (legacy method) because throwaway passwords are used for authentication. The guest accounts are valid for at most 48 hours and are then deleted.

    Is it acceptable/technically possible to use an EAP certificate signed by a well-known public CA on ClearPass for such a guest service? If so, are there any specific requirements for such a certificate (like what to put in CN, SAN or extended key usage)? The expectation is that visitors can connect to the WPA2-Enterprise network (PEAP with MSCHAPv2) without complicated WLAN profile creation and without getting an error about an untrusted server certificate.

    Thanks in advance for your comment.

    Jakub




  • 9.  RE: CA Certificate Validation on Android devices

    EMPLOYEE
    Posted Jul 28, 2023 09:33 AM

    Yes, it will just work with a well-known public CA; it's just that Android users will still need to select MSCHAPv2 and the root CA, as the option for not checking the server CA is no longer available in some modern Android versions.

    The main reason for not recommending public CAs is that there is barely any benefit, because users will still need to configure the root CA or accept the certificate (depending on the device type), and with public CAs you never know if you can get a new certificate from the same CA after a year, and public certs have a maximum validity of 1 year (ok, just above one year to allow smooth rollover).



    ------------------------------
    Herman Robers

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
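    The following is an added example, not code from this thread or from Aruba/HPE. It is a stand-alone Go program (standard library only) that builds a throwaway PKI and then runs the checks a correctly provisioned supplicant performs on the EAP server certificate inside the TLS tunnel. It illustrates the points Herman and Tim make above (the SSID is not in any certificate, so the client must be told which server name to expect; trust the organization's own root rather than "whatever is in the system store") and answers Jakub's question about what the certificate itself needs: the server name in CN and a DNS SAN, and serverAuth in the EKU, with id-kp-eapOverLAN as an optional extra. Every name in it (radius.campus.example, "Example Campus Private CA", the rogue CA and radius.attacker.example) is made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// id-kp-eapOverLAN (RFC 4334). Optional on an EAP server certificate; what
// supplicants actually require is id-kp-serverAuth, set below via ExtKeyUsage.
var oidEAPOverLAN = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 14}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA creates a self-signed root. It stands in for the organization's private
// CA, or (in the evil-twin cases) for a CA the organization does not control.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// newEAPServerCert issues the RADIUS/EAP server certificate: server name in CN
// and in a DNS SAN, EKU = serverAuth (+ optional EAP-over-LAN). Note that
// nothing in it identifies an SSID.
func newEAPServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(2),
		Subject:            pkix.Name{CommonName: dnsName},
		DNSNames:           []string{dnsName},
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().AddDate(1, 0, 0),
		KeyUsage:           x509.KeyUsageDigitalSignature,
		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidEAPOverLAN},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// supplicantAccepts models a properly configured supplicant: chain to one of
// the provisioned roots, serverAuth EKU, and, when expectedName != "", a match
// against the server name configured out of band (Android's "Domain" field,
// wpa_supplicant's domain_suffix_match). expectedName == "" models a client
// that trusts some CA but was never told which server to expect.
func supplicantAccepts(server *x509.Certificate, roots *x509.CertPool, expectedName string) bool {
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   expectedName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// scenarios returns, per supplicant configuration, whether the presented
// server certificate is accepted. Names are constructed for the demo.
func scenarios() map[string]bool {
	campusCA, campusKey := newCA("Example Campus Private CA")
	rogueCA, rogueKey := newCA("Some Other CA")
	real := newEAPServerCert(campusCA, campusKey, "radius.campus.example")
	twinSameName := newEAPServerCert(rogueCA, rogueKey, "radius.campus.example")
	twinOtherName := newEAPServerCert(rogueCA, rogueKey, "radius.attacker.example")

	private := x509.NewCertPool() // only the organization's own root
	private.AddCert(campusCA)
	broad := x509.NewCertPool() // "trust every root in the system store"
	broad.AddCert(campusCA)
	broad.AddCert(rogueCA)

	return map[string]bool{
		"private root + pinned name, real server":  supplicantAccepts(real, private, "radius.campus.example"),
		"private root + pinned name, twin same CN": supplicantAccepts(twinSameName, private, "radius.campus.example"),
		"broad roots, no name pinned, twin":        supplicantAccepts(twinOtherName, broad, ""),
		"broad roots + pinned name, twin":          supplicantAccepts(twinOtherName, broad, "radius.campus.example"),
		"broad roots + pinned name, real server":   supplicantAccepts(real, broad, "radius.campus.example"),
	}
}

func main() {
	r := scenarios()
	keys := make([]string, 0, len(r))
	for k := range r {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%-42s accepted=%v\n", k, r[k])
	}
}
```

    Run it with `go run`. The third case is the one that matters for the discussion: a client that trusts a broad set of roots but has no expected server name accepts any validly issued certificate, because the certificate never says which SSID it belongs to. That is why provisioning has to deliver both the root and the expected name (Android's Domain field next to the CA certificate, `domain_suffix_match` in wpa_supplicant), and why a private root plus a pinned name rejects the evil twin even when it spoofs the real CN.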



  • 10.  RE: CA Certificate Validation on Android devices

    Posted Apr 26, 2021 01:59 PM
    Hi Herman,

    Currently I'm facing this issue whereby Android 11 devices are unable to authenticate to the dot1x SSID. I created a TAC case and the only workaround for this (besides getting a public CA) is to manually import the .pem EAP certificate from CPPM to the Android devices. However, this workaround doesn't seem to work. In addition, you mentioned it is best to use a self-signed cert for the EAP server certificate. If that's the case, how can I resolve this Android 11 new security enhancement?

    ------------------------------
    DarrenPJW
    ------------------------------



  • 11.  RE: CA Certificate Validation on Android devices

    MVP EXPERT
    Posted Apr 26, 2021 02:03 PM
    If you're going to continue using legacy authentication methods, you need to push users through a supplicant provisioning utility/wizard.

    Also, your EAP server certificate should NEVER be self-signed.

    ------------------------------
    Tim C
    ------------------------------



  • 12.  RE: CA Certificate Validation on Android devices

    Posted Apr 26, 2021 04:14 PM
    Hi Tim,

    Thanks for the feedback. We are still running the normal WPA2-Enterprise authentication method. What do you mean by a supplicant provisioning utility?

    My bad, what I meant was private CA for EAP server certificate. How can I resolve this Android 11 authentication issue then?

    ------------------------------
    DarrenPJW
    ------------------------------



  • 13.  RE: CA Certificate Validation on Android devices

    MVP EXPERT
    Posted Apr 26, 2021 04:19 PM
    WPA2-Enterprise is not an authentication method. I assume you're using PEAPv0/EAP-MSCHAPv2? If so, this legacy method requires supplicant provisioning, just like other operating systems, for proper configuration. The recommended path is to switch to modern auth using EAP-TLS, but if you choose to stay on legacy auth, you'll need to acquire a third-party solution that handles supplicant provisioning.

    RE: CA, yes, the EAP server certificate should always be issued from an organizationally controlled PKI.

    ------------------------------
    Tim C
    ------------------------------



  • 14.  RE: CA Certificate Validation on Android devices

    Posted Jul 28, 2023 02:32 AM

    It looks to me like you are aiming towards the ClearPass Onboard module. This module is meant to be used for BYOD devices and enables easier certificate deployment and Wi-Fi setup of non-company-controlled devices.

    Best, Gorazd 



    ------------------------------
    Gorazd Kikelj
    MVP Expert 2023
    ------------------------------



  • 15.  RE: CA Certificate Validation on Android devices

    Posted Jul 28, 2023 05:44 AM

    Hello Gorazd,

    I got your point, but I'm looking for a simpler solution not involving visitor device onboarding. The visitors are connecting to the network just for a couple of hours and then leaving the building. In this case I see visitor device onboarding as a bit of a complicated method.

    The question is whether it is possible to use a well-known public CA to sign the ClearPass EAP certificate to let the Android devices successfully authenticate. Does Android use the built-in operating system certificate store for EAP authentication purposes? Are there any specific requirements for the EAP server certificate to pass Android's server verification during EAP authentication?

    Thanks in advance for your comments.




  • 16.  RE: CA Certificate Validation on Android devices

    Posted Jul 28, 2023 08:21 AM

    If you have a dedicated ClearPass server for guests, I think this could work OK. Using the enterprise ClearPass server with a public CA for RADIUS for internal and external users can be tricky.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Expert 2023
    ------------------------------



  • 17.  RE: CA Certificate Validation on Android devices

    Posted Aug 15, 2023 01:34 AM

    Hello Gorazd,

    The idea is to use a separate service certificate dedicated only to guest access. I don't see a need for a separate ClearPass server.

    Regards,

    Jakub




  • 18.  RE: CA Certificate Validation on Android devices

    Posted Aug 15, 2023 06:03 AM

    Hi Jakub.

    Looks like my reply went to wrong thread :-( I was replying on RADIUS certificate thread. Sorry for confusion.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Expert 2023
    ------------------------------