Forum Discussion

lgstalder's avatar
lgstalder
Level 2.0: Eclair
2 years ago

Recent Android change regarding Wifi configuration

Hi everyone,   I just want to share the current situation we are leaving in my company and that could be interesting for other Android customers as well.   With the Android security update releas...
MDauffenbach's avatar
MDauffenbach
Level 2.0: Eclair
2 years ago

I am having the same issue, the issue for us also seems to run deeper. While I am able to fix the initial install of the Wi-Fi profile by adding the domain the certificates packaged with the profile are no longer installing correctly. As far as I can tell Android is not trusting the CA our Root comes from. In this state authentication to the EAP-TLS network fails and I am able to manually go around it on a device my manually telling the SSID config to not validate the CA cert...which of course defeats the purpose of a CA cert.

Hoping there is a fix for this soon.

lgstalder's avatar
lgstalder
Level 2.0: Eclair
2 years ago

On which version of Android are you facing this ?

 


We faced the same symptoms some months ago. If the Wifi payload was configured to trust a root certificate and if this root certificate was the same as the one that is in the certificate chain of the client certificate, this triggered the issue. We needed to remove the trust of the root certificate in the payload to have the connection working again. According to some investigation, it seems that the system was by default trusting the certificate chain of the client certificate and forcing to trust again the same root was causing the issue. Have you tried to remove the trust with the root CA in your WiFi profile ?

 

Luc

  • MDauffenbach's avatar
    MDauffenbach
    Level 2.0: Eclair
    2 years ago

    We are using VMware Workspace One and I am not sure I see a way to do that in the Android Profile.

    You load your Certs under Credentials and then under WiFi you specify which is used for identity and which for Root. I have tried not specifying the Root but it made no difference.

    • lgstalder's avatar
      lgstalder
      Level 2.0: Eclair
      2 years ago

      It’s also WS1 that we are using on our side. 

      It was actually for Android 12 devices that we faced the issue. In the Wifi payload for Android 12 we don’t have any root certificate that was imported in the configuration. We have only the client certificate. 

      For Android 13 we have another wifi payload that is including both the client and the root certificates and as “Identity Certificate” we have selected the client certificate and as “Root certificate” we have selected the root certificate that was imported in the payload. 

      Luc

      • MDauffenbach's avatar
        MDauffenbach
        Level 2.0: Eclair
        2 years ago

        Are you also using WS1? Our Config pulls the identity cert directly from the CA so I don't think I have anyway to bundle the root in with that without our cryptography team modifying the cert template.

         

        My testing as of now is on Android 13 both on a Pixel and a Samsung Fold.