[ale] FreeRADIUS and trusted CA on Android 11 on Pixel

Sat Mar 13 08:29:56 EST 2021

Just closing the loop on this as I finally got it resolved. In the end
switching the certificate was literally as easy as copying it to a folder
and changing the references. The showstopper ended up being the GoDaddy
private key, which they had encoded with UTF-8 BOM. The moment I figured
that out (thanks to a forum posting somewhere) and changed it to UTF-8,
everything just worked, after almost two full days of pain.

So now our BYOD Pixels running Android 11 can access using WPA-PEAP again,
with a publicly signed certificate in place. Other phones do not seem to
have this issue yet but I'm pretty sure it's coming.

Now I have a philosophical question though. Can someone explain to me why
Google forcing me to use a third party certificate is more secure (since
that is their argument) than using my own internal CA? My gut says this is
bullshit. How can ANY third party system be more trustworthy to me than my
own private certificate system? IMHO I should be able to place my internal
CA as a trusted root authority on Android (which I cannot do without
rooting the device, which is not possible in this case since these are the
privately-owned devices of end-users) and then use my own certificates in a
self-contained, 100% trusted ecosystem that relies on no outside third
party.

I'll be happy to have someone explain how I am missing the point here.

ed

On Fri, Mar 12, 2021 at 11:10 AM Edward O. Holcroft <eholcroft at mkainc.com>
wrote:

> I am running into an issue with Google enforcing the use of a publicly
> signed certificate for 802.11 auth. I have searched high and low but cannot
> find anything to help me with the nuts and bolts of making this work. I
> have a fully functioning Freeradius server on CentOS providing
> MSCHAP-PEAP auth for our BYOD phones. It works fine, except for the new
> Pixels with the December Pixel update, and I expect more to follow, so
> trying to get it working before all my users start complaining.
>
> The problem is described here:
> https://www.xda-developers.com/android-11-break-enterprise-wifi-connection/
>
> I have purchased a publicly signed cert from godaddy for this purpose but
> cannot figure out how to implement it. It's made all the more confusing to
> me when the Freeradius documentation itself suggests:
>
>  #  Note that you should NOT use a globally known CA here!
> #  e.g. using a Verisign cert as a "known CA" means that
> #  ANYONE who has a certificate signed by them can
> #  authenticate via EAP-TLS!  This is likely not what you want.
>
> and also:
>
> #  In general, you should use self-signed
> #  certificates for 802.1x (EAP) authentication.
>
> Can anyone shed some light on how to proceed. It seems I have no choice
> but to use a publicly signed certificate to Android 11 on the Pixel to work
> with Freeradius. But I'm at a loss as to how to switch from the current
> private cert to the Godaddy one.
>
> I've tried dumping the godaddy certificate on the server and changing the
> references in the eap conf file, but clearly it's not that simple.
>
> I have read these, but am too dumb to use them to move forward in
> Freeradius:
>
> https://www.reddit.com/r/homelab/comments/l4fdzp/android_11_wifi_eaptls_trusted_ca_not_working/
>
> https://old.reddit.com/r/networking/comments/lbdafp/8021x_ise_android_11_problem/
>
> https://android.stackexchange.com/questions/233405/android-11-does-not-trust-a-theoretically-properly-imported-private-ca-for-wifi
>
> https://www.reddit.com/r/homelab/comments/l4fdzp/android_11_wifi_eaptls_trusted_ca_not_working/
>
> cheers
> ed
>
>

-- 
MADSEN, KNEPPERS & ASSOCIATES USA WARNING/CONFIDENTIALITY NOTICE: This 
message may be confidential and/or privileged. If you are not the intended 
recipient, please notify the sender immediately then delete it - you should 
not copy or use it for any purpose or disclose its content to any other 
person. Internet communications are not secure. You should scan this 
message and any attachments for viruses. Any unauthorized use or 
interception of this e-mail is illegal.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.ale.org/pipermail/ale/attachments/20210313/35323a79/attachment.html>