Android 11 Update - Server Cert Validation Error and Solutions

Andre_Brits_Kan
Contributor II

Hi All

With the new Android 11 update being pushed out now.

"In December 2020, the planned Android 11 QPR1 security update will disable the ability to select “Do not validate” for the “CA Certificate” dropdown in network settings for a given SSID"

While the change itself is a minor one, it will have a disproportionately far-reaching impact. Many organizations use this setting to avoid implementing proper EAP server certificate validation due to the perceived difficulty of configuring x.509 digital certificate authentication.

Come December, Androids configured with this workaround will find their Wi-Fi services interrupted. Organizations need to address this issue now to prevent chaos as updates gradually roll out to Android devices throughout the month.

Managed devices are easy to configure and enroll, but most Android devices on a network are (understandably) BYOD. That means that, at some point in the process of configuration, the end user has to be involved. There are a myriad of different types of Androids and, despite their common operating system, they rarely all follow the same configuration blueprint. "

 

Some other vendors allow for installation of a certificate on Android devices using their NAC solutions. Will Extreme have a solution for this, or is it something that we would need to look at from a 3rd party?

 

Regards


Adam_Minowski
Extreme Employee

Miguel,

 

This one doesn’t relate to the topic 🙂 The described feature relates to the server side. It does not address a problem with the client. The client still needs to accept the unknown (not validated) NAC certificate or use the “don’t validate” option.

In order for the server cert to be accepted by the client you have to use a server cert signed by a known CA (such as Verisign, GoDaddy etc...). If your organization is using an internal CA, or any kind of self-signed one, which is usually the case, then you will get the same problem.

 

In order to solve it, you should at least have the possibility to push the local CA public key to the client device (e.g. to the root certificate store). In more sophisticated scenarios you can also generate a client cert and key on behalf of the client and push it. It can be done only with special features on the NAC side, because the NAC has to be “a broker” between the CA and the client, and should provide a technique for delivering certs to the client.

 

Adam
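To make Adam's point concrete, here is an added example (not code from the thread or from Extreme) that uses OpenSSL to play the two client behaviours that remain once "Do not validate" is gone: checking the EAP server certificate against the system trust store only, and against a pushed internal CA plus the configured domain. The CA name and radius.example.internal are constructed placeholders, and it assumes openssl 1.1.1 or newer on the path.

```shell
#!/bin/sh
# Added example (not from the thread or from Extreme): reproduce with OpenSSL what
# an Android 11 supplicant requires once "Do not validate" is gone: the EAP server
# certificate must chain to a CA the device trusts AND name the configured domain.
# "Example Internal CA" and radius.example.internal are constructed placeholders.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Internal CA, the self-signed case Adam describes: no public root store knows it.
make_internal_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# RADIUS/EAP server certificate issued by that CA, with the server name in the SAN.
make_server_cert() {
  openssl req -new -config "$WORK/ca.cnf" -subj "/CN=radius.example.internal" \
    -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  printf 'subjectAltName=DNS:radius.example.internal\nextendedKeyUsage=serverAuth\n' \
    > "$WORK/srv.ext"
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/srv.ext" -out "$WORK/srv.pem" 2>/dev/null
}
# Client with only the system trust store (no CA pushed): the internal CA is unknown,
# the chain does not build, and EAP would abort. Exit status 0 means "accepted".
validate_with_system_store() {
  openssl verify "$WORK/srv.pem" >/dev/null 2>&1
}
# Client with the internal CA provisioned and a domain configured. Android's Domain
# field is a suffix match; -verify_hostname checks the full name, so pass that here.
validate_with_pushed_ca() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/srv.pem" >/dev/null 2>&1
}

make_internal_ca && make_server_cert
validate_with_system_store && echo "system store only: accepted" || echo "system store only: rejected"
validate_with_pushed_ca radius.example.internal && echo "pushed CA, matching domain: accepted"
```

A wrong domain is rejected the same way as an unknown CA, which is why the pushed CA and the Domain field have to be provisioned together.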

Miguel-Angel_RO
Valued Contributor II

Andre,

 

You lucky guy 😉

Mig

Adam_Minowski
Extreme Employee

Ask your local engineer for information about Extreme A3. And don’t worry about some indications that it is Cloud-based NAC. Installation is local and connection to CloudIQ is not required.

Miguel-Angel_RO
Valued Contributor II

Hi Andre,

You should open a ticket at GTAC as a question for this specific topic.

 

From my perspective we’ll have to reshuffle the way we configure the services for BYOD devices.

Whatever solution we use, there will always be some action to be taken by the end users if authenticating BYOD on 802.1X enabled SSIDs.

The tricky part is not the 802.1X, it is the user…

In big companies, you have all the profiles and some aren’t very comfortable with IT stuff.

This was the reason for the “Do not Validate” option. If this option is gone, we have to rethink the way we provide the service for the BYOD. All the on-boarding solutions I’ve seen are too complex for the lambda user.

 

Anyway, if you have some feedback from GTAC please share it.

Mig
