[ale] FreeRADIUS and trusted CA on Android 11 on Pixel

Edward O. Holcroft eholcroft at mkainc.com
Fri Mar 12 11:10:13 EST 2021


I am running into an issue with Google enforcing the use of a publicly
signed certificate for 802.11 auth. I have searched high and low but cannot
find anything to help me with the nuts and bolts of making this work. I
have a fully functioning FreeRADIUS server on CentOS providing
MSCHAP-PEAP auth for our BYOD phones. It works fine, except for the new
Pixels with the December Pixel update, and I expect more to follow, so
trying to get it working before all my users start complaining.

The problem is described here:
https://www.xda-developers.com/android-11-break-enterprise-wifi-connection/

I have purchased a publicly signed cert from GoDaddy for this purpose but
cannot figure out how to implement it. It's made all the more confusing to
me when the FreeRADIUS documentation itself suggests:

#  Note that you should NOT use a globally known CA here!
#  e.g. using a Verisign cert as a "known CA" means that
#  ANYONE who has a certificate signed by them can
#  authenticate via EAP-TLS!  This is likely not what you want.

and also:

#  In general, you should use self-signed
#  certificates for 802.1x (EAP) authentication.

Can anyone shed some light on how to proceed? It seems I have no choice but
to use a publicly signed certificate to get Android 11 on the Pixel to work
with FreeRADIUS. But I'm at a loss as to how to switch from the current
private cert to the GoDaddy one.

I've tried dumping the GoDaddy certificate on the server and changing the
references in the eap conf file, but clearly it's not that simple.

I have read these, but am too dumb to use them to move forward in
FreeRADIUS:
https://www.reddit.com/r/homelab/comments/l4fdzp/android_11_wifi_eaptls_trusted_ca_not_working/
https://old.reddit.com/r/networking/comments/lbdafp/8021x_ise_android_11_problem/
https://android.stackexchange.com/questions/233405/android-11-does-not-trust-a-theoretically-properly-imported-private-ca-for-wifi

cheers
ed

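The FreeRADIUS comments quoted in the message concern which CAs are trusted to issue client certificates for EAP-TLS; in the 3.x `eap` module that trust list (`ca_file`) is a separate setting from the certificate the server presents (`certificate_file`). An added example, not from the original post or the FreeRADIUS project, assuming the FreeRADIUS 3.x `tls-config` layout; all file names are hypothetical placeholders and only the settings relevant here are shown:

```conf
# mods-available/eap (FreeRADIUS 3.x layout assumed; file names are placeholders)
eap {
    default_eap_type = peap

    tls-config tls-common {
        # Key and certificate the server presents to supplicants during
        # the PEAP TLS handshake. The certificate file holds the server
        # certificate followed by the issuer's intermediate certificates,
        # all PEM-encoded, so clients can build the chain to the root.
        # Add private_key_password if the key file is encrypted.
        private_key_file = ${certdir}/radius.example.org.key
        certificate_file = ${certdir}/radius.example.org.fullchain.pem

        # CAs trusted to sign *client* certificates for EAP-TLS. This is
        # the trust the quoted warning describes: keep it pointed at the
        # private CA rather than at a public CA, so that holding a
        # certificate from a public CA does not grant network access.
        ca_file = ${cadir}/private-ca.pem
    }

    peap {
        tls = tls-common
        default_eap_type = mschapv2
    }
}
```

Other settings in the stock file stay as they are.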