Android 11 Update - Server Cert Validation Error and Solutions

  • 8 December 2020
  • 8 replies
  • 2496 views

Userlevel 5

Hi All

With the new Android 11 update being pushed out now.

"In December 2020, the planned Android 11 QPR1 security update will disable the ability to select “Do not validate” for the “CA Certificate” dropdown in network settings for a given SSID"

While the change itself is a minor one, it will have a disproportionately far-reaching impact. Many organizations use this setting to avoid implementing proper EAP server certificate validation due to the perceived difficulty of configuring x.509 digital certificate authentication.

Come December, Androids configured with this workaround will find their Wi-Fi services interrupted. Organizations need to address this issue now to prevent chaos as updates gradually roll out to Android devices throughout the month.

Managed devices are easy to configure and enroll, but most Android devices on a network are (understandably) BYOD. That means that, at some point in the process of configuration, the end user has to be involved. There are a myriad of different types of Androids and, despite their common operating system, they rarely all follow the same configuration blueprint. "

 

Some other Vendors allows for installation of a Certificate to Android devices using their NAC solutions. Will Extreme have a solution for this or is it something that we would need to look at some 3rd party?

 

Regards


8 replies

Userlevel 6
Badge +1

Hi Andre,

You should open a ticket at GTAC as a question for this specific topic.

 

From my perspective we’ll have to reshuffle the way we configure the services for BYOD devices.

Whatever solution we use, there will always be some action to be taken by the end users if we authenticate BYOD on 802.1X enabled SSIDs.

The tricky part is not the 802.1X, it is the user…

In big companies, you have all the profiles and some aren’t very comfortable with IT stuff.

This was the reason for the “Do not Validate” option. If this option is gone, we have to rethink the way we provide the service for the BYOD. All the on-boarding solutions I’ve seen are too complex for the lambda user.

 

Anyway, if you have some feedback from GTAC please share it.

Mig

 

 

Userlevel 1

Ask your local engineer for information about Extreme A3. And don’t worry about some indications that it is Cloud-based NAC. Installation is local and connection to CloudIQ is not required.

Userlevel 6
Badge +1

Andre,

 

You lucky guy :wink:

Mig

Userlevel 1

Miguel,

 

This one doesn’t relate to the topic :) The described feature relates to server side. It does not address a problem with the client. Client still needs to accept unknown (not validated) NAC certificate or use “don’t validate” option.

In order for the server cert to be accepted by the client you have to use a server cert signed by a known CA (such as Verisign, GoDaddy etc...). If your organization is using an internal CA, or any kind of self-signed one, which is usually the case, then you will get the same problem.

 

In order to solve it, you should at least have the possibility to push the local CA public key to the client device (e.g. to the root certificate store). In more sophisticated scenarios you can also generate the client cert and key on behalf of the client and push them. It can be done only with special features on the NAC side, because the NAC has to be “a broker” between the CA and the client, and should provide a technique for delivering certs to the client.

 

Adam
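To make the client-side half of this concrete, here is an added example (not code from the thread, from Extreme, or from Android's documentation) of the Android Wi-Fi profile that replaces the “Do not validate” setting: it pins the organisation's own CA as the trust anchor and requires the RADIUS server certificate to carry the expected domain name. The SSID, the RADIUS hostname, the anonymous identity and the PEM-encoded CA are all hypothetical placeholders; the CA PEM would be the one a NAC or MDM pushes to the device, as described above.

```java
import android.content.Context;
import android.net.wifi.WifiEnterpriseConfig;
import android.net.wifi.WifiManager;
import android.net.wifi.WifiNetworkSuggestion;

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Builds a PEAP/MSCHAPv2 network suggestion that validates the EAP server certificate. */
public final class ValidatedEapProfile {

    // Hypothetical values: the corporate SSID and the DNS name the RADIUS server
    // certificate is issued for. Both must match the real deployment.
    private static final String SSID = "corp-wifi";
    private static final String RADIUS_DOMAIN = "radius.example.com";

    /** Parses the organisation's CA certificate from PEM text (delivered by NAC/MDM). */
    public static X509Certificate parseCaPem(String pem) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII));
        return (X509Certificate) cf.generateCertificate(in);
    }

    /** Enterprise settings with server certificate validation enabled. */
    public static WifiEnterpriseConfig buildEnterpriseConfig(X509Certificate caCert,
                                                             String user, String password) {
        WifiEnterpriseConfig eap = new WifiEnterpriseConfig();
        eap.setEapMethod(WifiEnterpriseConfig.Eap.PEAP);
        eap.setPhase2Method(WifiEnterpriseConfig.Phase2.MSCHAPV2);
        eap.setIdentity(user);
        // Outer identity: keeps the real username out of the unencrypted EAP exchange.
        eap.setAnonymousIdentity("anonymous@example.com");
        eap.setPassword(password);
        // These two calls are what "Do not validate" used to skip: trust only the
        // pinned CA, and require the server cert's subject/SAN to end in RADIUS_DOMAIN
        // so any other certificate issued by that CA is still rejected.
        eap.setCaCertificate(caCert);
        eap.setDomainSuffixMatch(RADIUS_DOMAIN);
        return eap;
    }

    /** Hands the profile to the platform; returns a WifiManager STATUS_NETWORK_SUGGESTIONS_* code. */
    public static int suggestNetwork(Context ctx, WifiEnterpriseConfig eap) {
        WifiNetworkSuggestion suggestion = new WifiNetworkSuggestion.Builder()
                .setSsid(SSID)
                .setWpa2EnterpriseConfig(eap)
                .build();
        WifiManager wm = (WifiManager) ctx.getApplicationContext()
                .getSystemService(Context.WIFI_SERVICE);
        return wm.addNetworkSuggestions(Collections.singletonList(suggestion));
    }
}
```

The domain suffix match matters as much as the CA: with only the CA pinned, any server certificate from the same issuer would be accepted, which is exactly the gap the Android 11 change is meant to close. For the “public” service discussed later in the thread, where the RADIUS cert is issued by a commercial CA, the same profile applies with the public root in place of the internal CA, and the suffix match still needs to be set.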

Userlevel 6
Badge +1

Adam,

With this option you can present a public certificate to unknown devices/users and a corporate certificate to corporate devices.

From my point of view I have a solution to my own use cases.

I’m installing this version and will give feedback on it.

Regards

Mig

Userlevel 1

Adam,

With this option you can present a public certificate to unknown devices/users and a corporate certificate to corporate devices.

That is true, but still for “public” service you need to have valid/commercial certificate signed by well-known authority. This is something worth mentioning to avoid surprises :)
 

Andre in his original question asked if Extreme can provide him a solution with certificate onboarding/provisioning. YES we can.

Userlevel 6
Badge +1

Adam,

With this option you can present a public certificate to unknown devices/users and a corporate certificate to corporate devices.

That is true, but still for “public” service you need to have valid/commercial certificate signed by well-known authority. This is something worth mentioning to avoid surprises :)
 

Andre in his original question asked if Extreme can provide him a solution with certificate onboarding/provisioning. YES we can.


Indeed, I use a public certificate for a public service to avoid those onboarding issues but I need to use a corporate certificate for the corporate devices. This option is matching my use cases but not fully matching the use case of Andre.

All, I am getting the same issue. Users with Google Pixel phones report this issue so far.

Is there any option in Extreme CloudIQ to fix the issue? Any workaround?
