@smartin wrote:
Just to follow up on this in case anyone else had similar issues. This does not appear to be anything related to the Aruba controller. It seems that Nexus Androids 5x and above running Nougat are not able to verify the certificate from our RADIUS server when logging on to the WLAN. Other Androids have no problem with this. The work around is to set the device to "Do not verify" in the certificate drop down. There are quite a few reports of this issue on Google's Nexus Help Forum as well.
I resolved one version of this issue (Android 7) back in January and had the Help Desk update our documentation at that time - and there's documentation on some eduroam universities - but wanted to post for reference for anyone that finds this. Note this was Android 7 - Nougatt.
Background:
Back in August, a student had switched to a new Nexus 5X and was unable to connect to our wireless network "PEAP-MSCHAPv2" without specifying "Do Not Verify" under the CA certificate settings. The default "Use System Certificates" requires a Domain (Must Specify Domain) otherwise the "Save" button remains greyed out.
January:
Shift forward a few months to January when a new password change system was implemented and our IT department was encouraged to go through an account refresh before campus deployment. My co-worker was running an Android 7 phone by HTC, forgot the network to change his password, and upon configuring the new profile, found that he ran into this issue. I looked into it more and found that the Domain field needs to come from the CN/SAN of the radius certificate - not the "Active Directory - Domain/User-Name" like in previous versions of Android. I tested this on several co-workers Android 7 devices - and each of them now connect by verifying the certificate. I had our Help Desk update our KB Article to specify the CN domain for Android 7.X devices.
My co-worker's issue was the 2nd report of this issue in the 5 months of first finding this. If students had a working saved WLAN profile and then updated to Android 7 - like my 3 coworkers had initially done, the WLAN Profile would have converted without user knowledge to "Do not verify" and continue functioning up until the point forgot the network - which usually occurs during password changes.