CAF – eduroam Android users will no longer connect, requires a CAT profile change

Issue

The December Android 11 QPR1 security update changes how certificates are handled for Wi-Fi security. This means Android eduroam users will lose the ability to connect to eduroam unless they use the eduroam CAT profile.

Solution

Create and launch your eduroam CAT profile. Available for download from the cat.eduroam.org portal.

Support

Contact [email protected]

Additional Context

Why is this important?

In December 2020, the planned Android 11 QPR1 security update will disable users’ ability to select “Do not validate” for the “CA Certificate” in the network settings of Android devices, and make them unable to connect to eduroam.

Android devices configured with “Do not validate” for CA Certificate workaround will not be able to connect to eduroam.

Organizations need to address this issue now as updates gradually roll out to Android devices throughout December.

What is Server Certificate Validation?

Server certificate validation is a security feature of WPA2-Enterprise that makes devices check the identity of a server before they attempt to authenticate to a network. Devices verify the identity of the server by checking the CA (Certificate Authority) of the RADIUS server and validate that the CA belongs to the appropriate domain.

Devices typically have a “root store”; a preinstalled list of trusted CAs. For the server certificate validation to function, the device and the RADIUS server need to both trust the same CA that issued the server validation certificate.

Why Does Android 11 Require Server Certificate Validation?

This update removes the “Do not validate” certificate option, to prevent users from accidentally misconfiguring their network settings that could leave them particularly vulnerable to over-the-air credential theft.

Actions you need to take (1 hour of effort):

  1. Create your eduroam CAT profile with proper certificates for your eduroam RADIUS servers.
  2. When configuring your eduroam CAT profile, ensure that you apply your site-specific anonymous outer ID that was provided to your primary technical contact by our Operations team. If you don’t have this, or require further information please contact [email protected].
  3. Launch the eduroam CAT profile into production.
  4. Alert users to download and install the profile (or re-install) from the cat.eduroam.org website.

Taking these steps will ensure that your Android users can continue to connect to eduroam without interruption.

Other Considerations:

  • If you have instructions for end users that tell them to select “Do Not Validate”, you should immediately force password changes, update your documentation, and start working on a migration plan towards the eduroam CAT profile.When the users apply your eduroam CAT profile, any updates to certificates or settings are applied to all devices using that profile.
  • You will no longer be able to use self-signed certificates.  Users will need to install the eduroam CAT profile, otherwise there is no way to add the certificate into the Android certificate trust of the mobile device.