Security

Hello team,

 

I've run into what the customer is reporting as a new issue.

 

Samsung phones running Android 8 no longer have an option to select "Use System Certificates", nor do they provide a domain name or allow use of the @domain.com to select a certificate. They are forced to select "Do Not Validate" which gives a huge warning about how "your wireless connection may not be private".

 

This is, again, reportedly new behavior. We are using a GoDaddy certificate for RADIUS and running CPPM 6.6.8. QuickConnect also fails on these devices so I cannot try to provision my way out of this issue.

 

Has anyone run across a solution for this? This seems to be a show stopper for this customer.

Manual provisioning has always been required when using legacy EAP methods like PEAP. Onboard should be used here.

Hello Tim,

 

The issue is a change in behavior for end users and the resulting increase in Help Desk workload. Previously, this worked fine. Now, it does not.

 

I can appreciate OnBoard being an alternative, but this again is impacting the end user experience and the customer is concerned about increased Help Desk workload and a lack of buy-in from stakeholders who want it "back the way it was". Obviously such a thing will have to be piloted and implemented due to the issues with this end user device OS.

 

Now, I'm pretty certain this behavior is a result of changes to the phone operating system and nothing related to Clearpass but I'd need to validate and wanted to provide something searchable on the forums for others, as I was unable to find anything here.

Not using device provisioning puts user credentials at risk, no matter what the platform. I'm not sure how else to answer. Onboard should have always been used.

I suppose I was looking for something more helpful than "buy more (or different, in this case) licensing", even if the answer is "there's nothing that can easily be done to fix this other than manually installing the certificate, figuring out why QuickConnect is a broken application on this phone, or pushing the proper connection method through EAP-TLS".

 

I think we can all appreciate customer's budget restrictions and the difficulty in selling something that, despite being sound security practice, is going to come across as "we can't support this new change in device behavior, here's a quote so we can work through this." Especially in a situation where they were sold QuickConnect "Quick Fast and easy!" to handle these issues.

 

I'll post back here with a resolution I or support find.

You didn’t mention that you had QuickConnect 😉

Please be sure to open a TAC case so we can get this resolved for QuickConnect.

It was towards the end of the first post.

 

Yeah, they're reviewing the config from QuickConnect now. We'll see what they come back with.