cancel
Showing results for 
Search instead for 
Did you mean: 

Android 11 Update - Server Cert Validation Error and Solutions

Android 11 Update - Server Cert Validation Error and Solutions

Andre_Brits_Kan
Contributor II

Hi All

With the new Android 11 update being pushed out now.

"In December 2020, the planned Android 11 QPR1 security update will disable the ability to select “Do not validate” for the “CA Certificate” dropdown in network settings for a given SSID"

While the change itself is a minor one, it will have a disproportionately far-reaching impact. Many organizations use this setting to avoid implementing proper EAP server certificate validation due to the perceived difficulty of configuring x.509 digital certificate authentication.

Come December, Androids configured with this workaround will find their Wi-Fi services interrupted. Organizations need to address this issue now to prevent chaos as updates gradually roll out to Android devices throughout the month.

Managed devices are easy to configure and enroll, but most Android devices on a network are (understandably) BYOD. That means that, at some point in the process of configuration, the end user has to be involved. There are a myriad of different types of Androids and, despite their common operating system, they rarely all follow the same configuration blueprint. "

 

Some other Vendors allows for installation of a Certificate to Android devices using their NAC solutions. Will Extreme have a solution for this or is it something that we would need to look at some 3rd party?

 

Regards

8 REPLIES 8

ramesh_pandey
New Contributor

All, I am getting same issue. Users having Google pixel phone report this issue so far.

Is there any option in extreme cloudIQ to fix the issue ? any workaround ?

 

 

 

Miguel-Angel_RO
Valued Contributor II

That is true, but still for “public” service you need to have valid/commercial certificate signed by well-known authority. This is something worth mentioning to avoid surprises 🙂
 

Andre in his original question asked if Extreme can provide him a solution with certificate onboarding/provisioning. YES we can.


Indeed, I use a public certificate for a public service to avoid those onboarding issues but I need to use a corporate certificate for the corporate devices. This option is matching my use cases but not fully matching the use case of Andre.

Adam_Minowski
Extreme Employee

That is true, but still for “public” service you need to have valid/commercial certificate signed by well-known authority. This is something worth mentioning to avoid surprises 🙂
 

Andre in his original question asked if Extreme can provide him a solution with certificate onboarding/provisioning. YES we can.

Miguel-Angel_RO
Valued Contributor II

Adam,

With this option you can present a public certificate to unknown devices/users and a corporate certificate to corporate devices.

From my point of view I have a solution to my own use cases.

I’m installing this version and give feedback on it.

Regards

Mig

GTM-P2G8KFN