thanks Dustin. May I ask whether this was an interactive supplicant configuration (i.e. end user selects the SSID, gets the laundry list of questions and has to enter the realm (like mycompany.com.au ) ?) - or did you use an MDM?

I am curious about the end user experience - especially how much interaction is required from the user.  Back in the day, users would supply their username/password, select MSCHAPv2 inner method and that's it.

Sorry for the delay.

We stripped ours down that all the user has to do is enter a description to join BYOD. No certs or profiles to load to make it as easy as possible. The downside is we don't push our root cert this way to fix the issue like Howon mentioned. 

Hi @Dustin Anderson 

I don't get it ... how did you "strip down" the supplicant configuration? I was talking about a vanilla Android client who tries to connect to an Enterprise WPA2 SSID. The usual thing is that the OS pops up a dialogue and then the fun starts. At a minimum you need username and password. And now since Android 11 you need to specify the DNS domain of the authenticating server (RADIUS) if I understand correctly. And of course you need to have the Root CA used by the RADIUS server installed on the Android device.

Why do you capture a description? Sounds more like a hotspot portal on an Open SSID to me?

I did recommend that as an option to my customer (along with an MDM even) but the feeling is that users don't want any "stuff" installed on their devices - the expectation is to have them connect using user credentials - but all interactions are user based and no additional applications to be installed (i.e. use native supplicant to do the job)

If user can be instructed via other means such as email or web page, it is possible the customer could email or post the certificate chain to the users to install and trust prior to connecting to the network. The user still has to specify the domain name during the initial association though. So the step will be:

1. Get client to trust the root CA of the ISE EAP certificate for Wi-Fi access: This can be done by downloading the cert to Android and going to certificate import settings

2. Client connects to WLAN: Since PEAP-MSCHAPv2 is the default, user merely needs to select newly imported root CA instead of system CA, provide domain name of EAP certificate (Can be from either CN or SAN from my experience), provide username/password

I would say the steps are much simpler than installing MDM agent or going through BYOD and doesn't require any agent on the Android

ah I like that suggestion. So that would be a solution for customers who don't want to swap out their ISE EAP certificates with a public signed certificate? 

Regarding sending the CA chain by email, I don't have an Android device to test how successful this is - but if it works then it might be another option.

I was hoping to get 100% confirmation from the field, that if the customer had an ISE EAP Certificate signed by say, DigiCert, then the Android user should not have to mess around with any certificate at all during a manual EAP-PEAP connection attempt, since the DigiCert Root CA should be installed on their device - is my understanding correct? All they'd have to do is to provide creds and the domain text.

Yes, that is how it works with Android 11. User only needs to provide domain name and credentials if the certificate is signed by known CA.

So I don't think that SAN part is correct. Working with a client using a wildcard cert signed by a Public CA, but the wildcard is only in the SAN and not the CN (afaik not the correct way to do this, will be changed).

Cert:

CN=domain.com

SAN:

DNS:*.domain.com

DNS:domain.com

NPS server:

nps.domain.com

The Android 11 clients will not successfully connect with this certificate for PEAP-MSCHAPv2 when entering "domain.com" for the domain. It appears the EAP supplicant does not understand the SAN field.

@Tristan Cober would you mind rephrasing that ? - I am keen to know how you got the Android 11 device working in the end, and with which certificate configuration.

Windows supplicants historically didn't support an EAP cert where the Subject CN contained a wildcard. So most folks didn't put a wildcard in the Subject Common Name. BUT - wildcard in the SAN should be ok. Until now? Android 11 doesn't like it? 

I feel like wildcards are becoming a bit of a problem as security is increased.  Wildcards in the SAN broke my ISE Guest portals with Android devices too. I had to re-issue with the FQDNs in the SAN and then it worked.