cat-users - Re: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Roberto Flor <flor AT fbk.eu>
  • To: Thorsten Fritsch <thorsten.fritsch AT unibas.ch>
  • Cc: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>, Philipp Petermann <philipp.petermann AT unibas.ch>, Joachim Wiget <joachim.wiget AT unibas.ch>, Beate Deiss <beate.deiss AT unibas.ch>
  • Subject: Re: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS
  • Date: Mon, 10 May 2021 16:29:31 +0200

I had the same issue in January, first with Google Pixel devices and next with Samsung devices.
After googling around I found that in December 2020, the Android 11 QPR1 security disabled the ability to select “Do not validate” for the “CA Certificate” dropdown in network settings for a given SSID and changed the supplicant behaviour.
Note that the changes are in the WPA3 specification, not in Android documentation. This implies that the same issue could show up for other operating systems in the future as WPA3 spreads around.
See https://www.wi-fi.org/download.php?file=/sites/default/files/private/WPA3_Specification_v3.0.pdf, Chapter 5.

Merging multiple answers I was able to fix the problem and keep PEAP authentication on Android 11. I had to:
  1. change the RADIUS server certificate, modifying the FreeRADIUS server certificate generation to add the new WPA3 extension and the server SAN
  2. use the new geteduroam app to install the eduroam configuration; manual configuration is quite complex and unstable
On already configured devices (Android 11 or older, Windows, Mac) everything works, since I kept the same CA/key combination.


Roberto Flor

On Mon, May 10, 2021 at 1:33 PM Thorsten Fritsch <thorsten.fritsch AT unibas.ch> wrote:

Dear All,

we’re facing an issue with Samsung Android 11 clients not being able to connect to eduroam.
It seems Samsung has changed the PEAP implementation for Android 11 and it’s no longer compliant to the standard.

As a workaround we found it’s possible to use EAP-TTLS instead of PEAP.
In general (for all non-Android 11 clients) we’d like to retain EAP-PEAP as first EAP type and change it to EAP-TTLS/MSCHAPv2 for Android 11 clients only. But as far as we know it’s only possible to define this generally for all clients.

We’re wondering if it might be possible to have an extra installer only for Android 11 clients with EAP-TTLS to avoid having to change the EAP-types manually on the Android 11 clients. Are you facing similar issues with Android 11 clients and 802.1x/PEAP?

Thanks and best,

Thorsten
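
Step 1 in Roberto Flor's reply above depends on the RADIUS server certificate carrying a subjectAltName that a validating client can match against its configured domain. The following shell script is an added example, not code from the posts or from FreeRADIUS: it checks a certificate for that, assuming OpenSSL 1.1.1 or later and the whole-label suffix rule that wpa_supplicant documents for `domain_suffix_match`. The function names `make_cert` and `san_matches` and the `example.org` names are constructed for illustration.

```shell
#!/bin/sh
# Added example. radius.example.org / example.org are constructed placeholder names.

# make_cert PREFIX [SAN]: write a throwaway self-signed certificate to PREFIX.pem,
# with a subjectAltName dNSName only when SAN is given.
make_cert() {
  if [ -n "${2:-}" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example RADIUS" \
      -addext "subjectAltName=DNS:$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example RADIUS" \
      -keyout "$1.key" -out "$1.pem" 2>/dev/null
  fi
}

# san_matches CERT DOMAIN: succeed only if CERT has a SAN dNSName equal to DOMAIN
# or ending in ".DOMAIN" (whole-label suffix match, so test-example.org fails).
san_matches() {
  names=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
          grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2)
  if [ -z "$names" ]; then
    echo "FAIL: $1 has no SAN dNSName"; return 1
  fi
  for n in $names; do
    case "$n" in
      "$2"|*."$2") echo "OK: $n matches $2"; return 0 ;;
    esac
  done
  echo "FAIL: $1 names ($names) do not match $2"; return 1
}

# Constructed demo: one certificate without a SAN, one with, one look-alike.
demo() {
  d=$(mktemp -d) || return 1
  make_cert "$d/nosan"
  make_cert "$d/good" radius.example.org
  make_cert "$d/lookalike" radius.test-example.org
  san_matches "$d/nosan.pem" example.org
  san_matches "$d/good.pem" example.org
  san_matches "$d/lookalike.pem" example.org
  rm -rf "$d"
}
demo
```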