Android PSA: Beware When Moving to Android 11 and Using WiFi Leveraging EAP-TLS

[Mobile Jon]

I wanted to post something here because in some verticals like retail, some people are just moving to Android 11 now (I know of a very large retailer where this is the case).

Starting in Android 11, Google is starting to validate the RADIUS certificate chain for devices using EAP-TLS (Cert-Based Auth for WiFi). One of the more common things over the years going back to the SEG days is people do not know how to build certificates correctly. Often, we just get the certificate from the security team and move on, but you end up having to rip apart the PFX to build the chain correctly.

I'll throw this here just for others:

Re-create the PFX:

##Extract the Key##

openssl pkcs12 -in test.pfx -nocerts -out test.key

##Extract the CER##

openssl pkcs12 -in test.pfx -clcerts -nokeys -out test.cer

##Decrypt the Private Key##

openssl rsa -in test.key -out test-decrypted.key

After you do that, you open up the test.cer in Notepad++ preferably and paste in the text of your intermediate certs followed by your root certificates and save it. Once that is done, you re-create your PFX:

##Create a PFX##
openssl pkcs12 -export -out test.pfx -inkey test-decrypted.key -in test.cer -certfile cert-chain.pem

For the Android issue, you don't need to re-create the PFX. You just need to upload that test.cer. 

In additional leverage the KB article for reference below to push down the SDK settings to your Android Intelligent Hub to ensure WiFi supports a full client certificate chain.

KB Article for reference: AAGNT-195041 - Certificates incorrectly installed for WPA2 Enterprise WiFi for Android 11+ (89264) (omnissa.com)

 

[Julien GOINDIN]

Glad to see you onboard @Mobile Jon!