Android 11 wifi security problem - prevents joining Wifi (PEAP)

Started by Dieselboy, April 15, 2021, 03:06:42 AM


Dieselboy

Environment:

Cisco WLC / Cisco WAP 1850's
Microsoft Active Directory (for authentication)
(I am using PEAP with MSChapv2)

Android 11** (confirmed with Pixel 5 and Pixel 4a running all latest software updates)

Scenario:

Users log in to the wifi using their domain credentials (user ID and domain password)

Experience:
After my domain password expired, I found that I could no longer log in to the wifi. This occurred around 6 months ago to me. I thought it was a phone issue and decided to ignore it and use 4G only.

A new user joined our org with a Pixel 4a who has a legitimate requirement to use wifi from the Pixel 4a device. He reported he cannot log in to the wifi and I walked him through the (confirmed previously working) setup. We found he has the same issue as I.

Solution:

For some reason (bug?) the Pixel is now trying to validate certificates even though the cert option "DO NOT VALIDATE" is selected. With the wifi cert being published from an internal-CA, this is not possible to validate without installing the CA cert.

Prerequisite: ensure the saved and broken wifi network is first "forgotten", so as to remove any previous config for the wifi which is not connecting.

1. Request the public CA cert from the company wifi IT dept. and save it to the Pixel device. (I used Webex Teams to save it to a space and then access it from the phone and save it locally to the phone.)
2. On the Pixel go to Settings > Security > Advanced > Encryption and Credentials > Install a certificate > Wi-Fi certificate, and select the cert downloaded in step 1 and give it a name that you will recognise.
3. Now go back to the wifi connection screen and select the wifi network to connect to.
4. A settings window will open. Ensure to select "CA certificate" and choose the name of the cert that was installed in step 2.
5. I also chose "online certificate status = do not validate".
6. All my other config is left as per the working setup done previously (EAP method in my case is PEAP, phase 2 auth is MSCHAPV2, domain is my corp short domain eg "domain", identity is short user ID eg "userid" and password).
7. Click connect/save and you should be connected once again.

Note:

If you mess up inputting the settings when connecting the wifi, then you may need to install the cert again. We found the cert gets deleted, maybe when the network is "forgotten", but haven't tested. We found that the "CA certificate" field was grey and the drop-down was inactive, probably because the cert was automatically deleted in the background. To fix this, we installed the cert a second time and chose a new name. We found that only the new name was available in the drop-down, suggesting that the previously installed cert was no longer there.

Summary:
So ya... glad to have wifi working again but it's a bit of a dodgy issue.
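A sanity check for the CA file obtained in step 1, added here as an example and not part of Dieselboy's post: it prints the certificate's subject, issuer, validity and SHA-256 fingerprint so they can be compared with what the wifi team states, and it fails unless the file really is a CA certificate, which is what the phone needs in order to validate the RADIUS server's chain. It assumes the openssl command-line tool is installed and takes the certificate file path as its argument; the file name in the usage comment is made up.

```shell
#!/bin/sh
# check_wifi_ca FILE
# Inspects a CA certificate before it is installed on the phone as a Wi-Fi CA.
# Exit status 0 = looks like a CA certificate, 1 = not a certificate or not a CA.
check_wifi_ca() {
    cert="$1"
    inform=PEM
    # Accept PEM or DER encoding (.pem, .crt and .cer files all turn up in practice)
    if ! openssl x509 -in "$cert" -inform PEM -noout >/dev/null 2>&1; then
        if ! openssl x509 -in "$cert" -inform DER -noout >/dev/null 2>&1; then
            echo "$cert: not an X.509 certificate" >&2
            return 1
        fi
        inform=DER
    fi

    # Details to compare out of band with what the wifi team says the CA is;
    # a mismatching fingerprint means you are about to trust the wrong CA.
    openssl x509 -in "$cert" -inform "$inform" -noout \
        -subject -issuer -dates -fingerprint -sha256

    # A root CA is self-signed (subject == issuer). An intermediate alone may
    # not be enough for the phone to build the chain, so say so.
    subj=$(openssl x509 -in "$cert" -inform "$inform" -noout -subject)
    iss=$(openssl x509 -in "$cert" -inform "$inform" -noout -issuer)
    if [ "${subj#subject=}" != "${iss#issuer=}" ]; then
        echo "note: not self-signed, so this is an intermediate CA" >&2
    fi

    # The phone needs a CA certificate; a server or user certificate
    # (CA:FALSE or no basicConstraints) will not validate the RADIUS server.
    if ! openssl x509 -in "$cert" -inform "$inform" -noout -text \
        | grep -q 'CA:TRUE'; then
        echo "$cert: basicConstraints CA:TRUE missing, not a CA certificate" >&2
        return 1
    fi
    return 0
}

# Usage example (made-up file name): check_wifi_ca company-wifi-ca.crt
```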

deanwebb

Look for more requirements to validate certs and ignoring of settings to bypass those checks.

Also look for more actual certs to replace self-signed monstrosities.