<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Android 11 presents the user (and IT technicians) with unintelligible options when setting up a wifi SSID. Maybe it's documented somewhere but I don't see how the designers thought a typical user would understand any of it.</div>
<div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="Signature">
<div>
<div></div>
<div id="divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">
<div style="font-family:Tahoma; font-size:13px">---
<div><span id="ms-rterangepaste-start"></span><span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Roberto Ullfig - rullfig@uic.edu</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Systems Administrator</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Enterprise Applications & Services | Technology Solutions</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">University of Illinois - Chicago</span>
<div><span id="ms-rterangepaste-end"></span></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> radiator &lt;radiator-bounces@lists.open.com.au&gt; on behalf of Heikki Vatiainen &lt;hvn@open.com.au&gt;<br>
<b>Sent:</b> Wednesday, February 3, 2021 8:01 AM<br>
<b>To:</b> radiator@lists.open.com.au &lt;radiator@lists.open.com.au&gt;<br>
<b>Subject:</b> Re: [RADIATOR] Androids unable to connect</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">On 2.2.2021 21.11, Ullfig, Roberto Alfredo wrote:<br>
> Is the problem related to this article?<br>
> <br>
> <a href="https://httptoolkit.tech/blog/android-11-trust-ca-certificates/">https://httptoolkit.tech/blog/android-11-trust-ca-certificates/</a>
<br>
<br>
Quite possible that this is the main cause. Looks like the Wi-Fi <br>
connectivity issues specifically are described, for example, here:<br>
<br>
<a href="https://www.xda-developers.com/android-11-break-enterprise-wifi-connection/">https://www.xda-developers.com/android-11-break-enterprise-wifi-connection/</a><br>
<br>
The article has good screenshots comparing the current Wi-Fi (December <br>
2020) settings with older settings dialog. I have now checked these <br>
settings with a Pixel and I can confirm that it requires stricter <br>
settings than what were previously possible.<br>
<br>
First a couple of things about the article: it links to a number of <br>
useful resources where the topic is discussed more. One of them is <br>
SecureW2 that have worked with. They provide onboarding solutions for <br>
different types of organisations and scenarios. There are also other <br>
mobile device management (MDM) solutions for provisioning profiles with <br>
CA and other settings correctly.<br>
<br>
Since you are an education institution that uses eduroam, you may also <br>
want to check eduroam's configuration assistance tool <br>
<a href="https://cat.eduroam.org/">https://cat.eduroam.org/</a> 
 I think that in the US, <br>
<a href="https://www.anyroam.net/">https://www.anyroam.net/</a>
 can also help with eduroam related topics. You <br>
are already likely familiar with these, but I'm mentioning them in any <br>
case as resources for other list members.<br>
<br>
While the tools and onboarding systems work with both private CAs and <br>
commercial CAs, the settings can also be defined manually. Here are my <br>
notes based on testing with a Pixel phone.<br>
<br>
First: when changing settings, turn Wi-Fi off/on. This seems to be <br>
needed for the changes to become active.<br>
<br>
The XDA article does not discuss what the 'Domain' setting does. Also, <br>
this setting has to be filled in or otherwise the settings can't be <br>
saved. The article links to Google's Android API, and based on the API, <br>
my expectations and results of testing, this is used to define the <br>
subject of certificate.<br>
<br>
For example: If I have 2 RADIUS servers that serve PEAP requests and the <br>
servers have separate certificates with names radiator1.example.org and <br>
radiator2.example.org, I could fill in 'Domain' as follows:<br>
- radiator1.example.org;radiator2.example.org<br>
- example.org<br>
<br>
The best option would be to use the same certificate <br>
(radiator.example.org) on both servers and configuring 'Domain' directly <br>
as 'radiator.example.org'.<br>
<br>
The value of 'CA certificate' would be 'Use system certificates' if the <br>
certificate chain from radiator{1,2}.example.org leads to a CA that <br>
comes with Android. There's also the possibility to first import a <br>
private root CA certificate and choose it. In both cases 'Domain' seems <br>
to be needed. Even if it's not for private CA, I'd still use it. I did <br>
not check private CA option (importing CA certificates manually) very much.<br>
<br>
To summarise: what Android now requires is defining what is the expected <br>
CA certificate and what is the expected name in the certificate the <br>
Radiator sends during the TLS handshake with TLS based EAP <br>
authentication (PEAP, EAP-TTLS, EAP-TLS, etc.).<br>
<br>
Because in most cases there is one or more intermediate CAs in the chain <br>
between root CA certificate and Radiator's certificate, these <br>
intermediate CAs need to be sent by Radiator (EAPTLS_CertificateChainFile <br>
parameter) or they can be set with the tool that's used for configuring <br>
end user devices (eduroam CAT, SecureW2, Apple Configuration, Microsoft <br>
tools, etc.).<br>
<br>
I hope the above clarifies things. I tried to keep it short but it's a <br>
bit hard when certificates are involved.<br>
<br>
Thanks,<br>
Heikki<br>
<br>
<br>
<br>
> ---<br>
> Roberto Ullfig - rullfig@uic.edu<br>
> Systems Administrator<br>
> Enterprise Applications & Services | Technology Solutions<br>
> University of Illinois - Chicago<br>
> ------------------------------------------------------------------------<br>
> *From:* radiator &lt;radiator-bounces@lists.open.com.au&gt; on behalf of <br>
> Ullfig, Roberto Alfredo &lt;rullfig@uic.edu&gt;<br>
> *Sent:* Tuesday, February 2, 2021 12:17 PM<br>
> *To:* radiator@lists.open.com.au &lt;radiator@lists.open.com.au&gt;<br>
> *Subject:* Re: [RADIATOR] Androids unable to connect<br>
> Also seeing:<br>
> <br>
> Tue Feb  2 11:35:04 2021: ERR: EAP PEAP TLS Handshake unsuccessful: <br>
>   7075: 1 - error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert <br>
> unknown ca<br>
> <br>
> Does that mean the client doesn't know about our CA?<br>
> <br>
> ---<br>
> Roberto Ullfig - rullfig@uic.edu<br>
> Systems Administrator<br>
> Enterprise Applications & Services | Technology Solutions<br>
> University of Illinois - Chicago<br>
> ------------------------------------------------------------------------<br>
> *From:* radiator &lt;radiator-bounces@lists.open.com.au&gt; on behalf of <br>
> Ullfig, Roberto Alfredo &lt;rullfig@uic.edu&gt;<br>
> *Sent:* Tuesday, February 2, 2021 11:29 AM<br>
> *To:* radiator@lists.open.com.au &lt;radiator@lists.open.com.au&gt;<br>
> *Subject:* [RADIATOR] Androids unable to connect<br>
> Hello, since an Android update (probably in December), their devices <br>
> can't connect. In the logs I see:<br>
> <br>
> Tue Feb  2 10:48:00 2021: INFO: Using Net::SSLeay 1.55 with SSL/TLS <br>
> library version 0x1000105f (OpenSSL 1.0.1e-fips 11 Feb 2013)Tue Feb  2 <br>
> 10:48:00 2021: WARNING: Startup check found OpenSSL version 0x1000105f <br>
> (OpenSSL 1.0.1e-fips 11 Feb 2013) while checking for the Heartbleed <br>
> (CVE-2014-0160) vulnerability. This version may be vulnerable. See <br>
> Radiator reference manual for DisabledRuntimeChecks parameter<br>
> <br>
> Tue Feb  2 10:55:54 2021: INFO: Access rejected for xxx: EAP PEAP TLS <br>
> Handshake unsuccessful<br>
> Tue Feb  2 10:56:01 2021: ERR: EAP PEAP TLS Handshake unsuccessful: <br>
>   7075: 1 - error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert <br>
> internal error<br>
> <br>
> are we running an old TLS that Android no longer supports? Thanks!<br>
> <br>
> ---<br>
> Roberto Ullfig - rullfig@uic.edu<br>
> Systems Administrator<br>
> Enterprise Applications & Services | Technology Solutions<br>
> University of Illinois - Chicago<br>
> <br>
> _______________________________________________<br>
> radiator mailing list<br>
> radiator@lists.open.com.au<br>
> <a href="https://lists.open.com.au/mailman/listinfo/radiator">https://lists.open.com.au/mailman/listinfo/radiator</a><br>
> <br>
<br>
-- <br>
Heikki Vatiainen &lt;hvn@open.com.au&gt;<br>
<br>
Radiator: the most portable, flexible and configurable RADIUS server<br>
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,<br>
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,<br>
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.<br>
</div>
</span></font></div>
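<div>The two checks summarised in the reply above (does the chain the RADIUS server sends reach a CA the device has configured, and is the certificate name covered by 'Domain'), modelled as an added example that is not part of the original messages and is not Android or Radiator code. The suffix-matching rule is an assumption taken from wpa_supplicant's documented domain_suffix_match behaviour; the CA names and all sample data are constructed.</div>

```python
# Added illustration: a model of the two client-side checks, not Android or Radiator code.
# Assumption: 'Domain' follows wpa_supplicant's documented domain_suffix_match rule.

def _labels(name):
    return name.lower().rstrip(".").split(".")

def suffix_match(required, presented):
    """True when `presented` ends with every label of `required` (whole labels only)."""
    req, got = _labels(required), _labels(presented)
    return len(got) >= len(req) and got[-len(req):] == req

def domain_ok(domain_field, san_dns, subject_cn=None):
    """'Domain' may list several names separated by ';'. dNSName SAN entries are
    used when present; the subject CN is consulted only when there are none."""
    names = list(san_dns) or ([subject_cn] if subject_cn else [])
    wanted = [d.strip() for d in domain_field.split(";") if d.strip()]
    return any(suffix_match(w, n) for w in wanted for n in names)

def chain_ok(sent, trusted_cas):
    """`sent`: (subject, issuer) pairs as sent by the server, leaf first.
    Each issuer must be a CA configured on the device or the next certificate sent."""
    for i, (_subject, issuer) in enumerate(sent):
        if issuer in trusted_cas:
            return True
        if i + 1 >= len(sent) or sent[i + 1][0] != issuer:
            return False
    return False

def evaluate(sent, san_dns, trusted_cas, domain_field):
    if not chain_ok(sent, trusted_cas):
        return "chain does not reach a configured CA"
    if not domain_ok(domain_field, san_dns):
        return "server name not covered by 'Domain'"
    return "ok"

# Constructed sample data: hypothetical CA names, hostnames as in the message above.
ROOTS = {"Example Root CA"}
LEAF = ("radiator1.example.org", "Example Issuing CA")
INTERMEDIATE = ("Example Issuing CA", "Example Root CA")

if __name__ == "__main__":
    cases = [
        ("leaf only", [LEAF], "example.org"),
        ("full chain", [LEAF, INTERMEDIATE], "radiator1.example.org;radiator2.example.org"),
        ("full chain", [LEAF, INTERMEDIATE], "radiator.example.org"),
    ]
    for label, chain, domain in cases:
        print(label, "|", domain, "->", evaluate(chain, [LEAF[0]], ROOTS, domain))
```

<div>Under this rule 'example.org' also covers any other host name below example.org, which is why the single exact name on a shared certificate is the tighter setting.</div>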
</body>
</html>