To add to that, I think the requirement to configure a trusted RADIUS CA originates from WPA3, which makes server validation mandatory, which in its turn came from users in practice leaving the certificate validation disabled and putting themselves at risk (without knowing, as the system allowed them to configure an insecure configuration).
I'm not aware of any L2 authentication method that supports username-password, and is secure without server certificate checking.
The fundamental reason for this is that, unlike with websites, where you can check the domain name against what is in the certificate, there is no way with wireless or wired networks to do such a validation, as you can configure any SSID without a central registry, and on wired you don't even have an SSID.
Note that all cloud applications are moving away from password authentication as well, because the problem with passwords is that if you sniff/capture/guess the password of an account, it will probably give you access to all kinds of other services as well (VPN, mail, etc.).
EAP-TLS is the recommended authentication method for WLAN, if you need some form of security and need to prevent the credentials from being 'stolen' or re-used.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Sep 03, 2021 05:25 AM
From: Alex Sharaz
Subject: Clearpass PEAP / EAP-TTLS, Android 11 do not validate certificate
The "do not validate" cert option was there so Android could happily ignore checking that the ClearPass server is who it says it is and just proceed with client credential validation with every man and his dog that might decide to say "hey, I'm your ClearPass server, just trust me and pass over your client credentials".
It's the Android device that needs to know the root CA of the RADIUS cert you have installed on your ClearPass server.
If you have an onboarding system for Android clients, it should install the CPPM RADIUS cert root CA in Android.
Just switching off validation of remote RADIUS service certificates has never been a good option.
Rgds
Alex
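As an added illustration that is not part of this thread (and not Aruba or Android configuration), the same "validate / do not validate" choice expressed as a Linux wpa_supplicant network block, with the insecure form beside the corrected one. The SSID, identity, password, CA file path and server name are constructed placeholders.

```conf
# Constructed example for wpa_supplicant.conf: PEAP/MSCHAPv2 without and with server validation.

# INSECURE: no ca_cert, so the supplicant will complete the TLS tunnel with any
# RADIUS server that presents a certificate (the Android "do not validate" setting).
network={
    ssid="corp-byod"                  # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"       # placeholder identity
    password="placeholder-password"   # placeholder password
    phase2="auth=MSCHAPV2"
}

# CORRECTED: pin the root CA that issued the ClearPass RADIUS certificate, so the
# MSCHAPv2 exchange only happens inside a tunnel to a server that chains to that CA.
network={
    ssid="corp-byod"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-root-ca.pem"   # placeholder path to the root CA
    domain_suffix_match="radius.example.org"           # placeholder server name (extra check, see note)
}
```

The `ca_cert` line is the equivalent of installing the root CA on the Android device and leaving validation enabled. `domain_suffix_match` is an additional check that wpa_supplicant offers: it refuses servers whose certificate does not carry the expected name, which narrows trust from "any certificate issued by this CA" to "this CA and this server name"; it requires the administrator to know and configure the RADIUS server's name in advance, which is the manual step the thread's point about the missing SSID-to-certificate binding refers to.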
Original Message:
Sent: 9/2/2021 1:05:00 PM
From: fetict
Subject: Clearpass PEAP / EAP-TTLS, Android 11 do not validate certificate
I can't be the only one, but I'm starting to see Android 11 (Pixel 3) in the wild, which doesn't allow "do not validate certificate".
Maybe our setup is wrong, but our ClearPass has all certificates installed (from DigiCert), all are valid, but clients don't like the "validate certificate" option. Should we be able to have "validate certificate" enabled and working?
In our BYOD we are using 802.1X with PEAP / MSCHAPv2, and due to requiring user / password auth (for our firewall), is there an alternative to PEAP which allows the user to auth? Can I use EAP-TTLS / MSCHAPv2?
Or do I need to use onboarding with EAP-TLS?
------------------------------
scott young
------------------------------