Tuesday, September 14, 2021

Samsung A51/Android 11 EAP-TLS issues (not the widely reported untrusted CA changes)

I’m starting to believe that the EAP-TLS implementation that Samsung are using on Android 11 is fundamentally broken.

Unless I’m missing something here, but I’m really struggling to see what.

I’m currently working through a phone uplift/replacement for ~10,000 users, and these are the handsets we’re replacing everyone’s phones with. For the last few days, however, I’ve been tearing my hair out trying to get them to join our corporate wireless network.

I’ve read the various posts about no longer being able to ignore an untrusted CA (rightly so, IMO), but the problem I’m facing very much isn’t that.

I eventually need to be able to hand over the required settings to our server guys so they can provision it in Intune; for now, however, I’m testing with a vanilla, unenrolled phone.

Our wireless deployment is all Meraki and we’ve been using EAP-TLS with Microsoft NPS RADIUS servers for our laptops with no issues for a number of years now.

So, in summary, this is the process I’m following to try to get the phone to join:

1) Place the root CA certificate and a PFX of my user certificate on the SD card within the phone.

2) From the Wi-Fi settings screen, select the advanced options and go to “Install network certificates”; from here I’m installing our root CA and the PFX of my user cert.

3) Define a wireless profile with the below:

EAP method: TLS
Identity: CN from user certificate
CA certificate: the previously installed root
Online certificate status: Don’t validate (I have tried all the options available here, though)
Domain: <ssid.com> (this is a SAN on the RADIUS server’s certificate)
User certificate: <my imported user PFX>

Now this is where it starts to get frustrating: attempting to connect to the SSID results in a message on the phone saying “Incorrect Password”.

The logs on the NPS server show “Network Policy Server Granted access to a user”

The event logs within the Meraki portal show first an “EAP Success”, followed immediately by a disassociation event with “unknown reason” in the details tab.

If I run a capture on the AP filtered for this handset and look at it within Wireshark, the disassociation reason is:

“Reason code: Information element in 4-way Handshake different from (Re)Association Request/Probe Response/Beacon frame (0x0011)”
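Reason code 17 (0x0011) is the AP reporting that the RSN information element it received inside the 4-way handshake (the client echoes its RSN IE in the Key Data of EAPOL-Key message 2/4; the AP sends its own in message 3/4) does not match the copy seen earlier in the (Re)Association Request, Beacon or Probe Response. The natural next check is to pull both copies out of the capture (Wireshark: the `wlan.rsn` tree in the Association Request, and the RSN IE in the EAPOL-Key Key Data of message 2) and see which field differs. The parser and comparison below are an added example, not code from the original post; it uses only the Python standard library, and the two sample IEs are constructed to reproduce a mismatch (a differing RSN Capabilities field), not taken from the author's capture.

```python
"""Decode and compare 802.11 RSN information elements.

Disassociation reason code 17 (0x0011) means the AP found a difference between
the RSN IE a client sent in its (Re)Association Request and the one it echoed in
EAPOL-Key message 2/4 (or between the AP's Beacon/Probe Response RSN IE and the
one it sent in message 3/4).  This module parses both copies of the element and
reports which fields differ.  Added example; sample IEs below are constructed.
"""
from dataclasses import dataclass, fields
from typing import List, Optional

RSN_ELEMENT_ID = 48          # Element ID of the RSN IE (IEEE 802.11 9.4.2.24)
OUI_IEEE = b"\x00\x0f\xac"   # OUI used by all standard cipher and AKM suites

CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256", 12: "BIP-GMAC-128"}
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
             5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE",
             11: "802.1X-SuiteB", 12: "802.1X-SuiteB-192", 18: "OWE"}
CAP_MFPR = 0x0040  # RSN Capabilities: management frame protection required
CAP_MFPC = 0x0080  # RSN Capabilities: management frame protection capable


@dataclass
class RsnIe:
    version: int
    group_cipher: str
    pairwise_ciphers: List[str]
    akm_suites: List[str]
    capabilities: Optional[int]      # None when the optional field is absent
    pmkids: List[str]
    group_mgmt_cipher: Optional[str]


def _suite_name(raw: bytes, names: dict) -> str:
    """Turn a 4-byte suite selector (OUI + type) into a readable name."""
    oui, selector = raw[:3], raw[3]
    if oui != OUI_IEEE:
        return "vendor-%s-%d" % (oui.hex(), selector)
    return names.get(selector, "unknown-%d" % selector)


def parse_rsn_ie(ie: bytes) -> RsnIe:
    """Parse a complete RSN IE (element ID, length, body) into an RsnIe.

    Every field after the version is optional: a short element simply stops
    early, so each field is read only if enough bytes remain for it.
    """
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN IE")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or len(body) < 2:
        raise ValueError("RSN IE truncated")
    pos = 0

    def u16() -> int:
        nonlocal pos
        value = int.from_bytes(body[pos:pos + 2], "little")
        pos += 2
        return value

    def suite_list(names: dict) -> List[str]:
        nonlocal pos
        count = u16()
        out = []
        for _ in range(count):
            if pos + 4 > len(body):
                raise ValueError("suite list truncated")
            out.append(_suite_name(body[pos:pos + 4], names))
            pos += 4
        return out

    version = u16()
    group_cipher, pairwise, akms = "absent", [], []
    caps, pmkids, group_mgmt = None, [], None
    if pos + 4 <= len(body):
        group_cipher = _suite_name(body[pos:pos + 4], CIPHER_NAMES)
        pos += 4
    if pos + 2 <= len(body):
        pairwise = suite_list(CIPHER_NAMES)
    if pos + 2 <= len(body):
        akms = suite_list(AKM_NAMES)
    if pos + 2 <= len(body):
        caps = u16()
    if pos + 2 <= len(body):
        for _ in range(u16()):
            if pos + 16 > len(body):
                raise ValueError("PMKID list truncated")
            pmkids.append(body[pos:pos + 16].hex())
            pos += 16
    if pos + 4 <= len(body):
        group_mgmt = _suite_name(body[pos:pos + 4], CIPHER_NAMES)
        pos += 4
    if pos != len(body):
        raise ValueError("trailing bytes in RSN IE")
    return RsnIe(version, group_cipher, pairwise, akms, caps, pmkids, group_mgmt)


def diff_rsn_ie(a: RsnIe, b: RsnIe) -> List[str]:
    """Names of the RSN IE fields that differ between two parsed elements."""
    return [f.name for f in fields(RsnIe) if getattr(a, f.name) != getattr(b, f.name)]


# Constructed samples (not from a real capture): WPA2-Enterprise, CCMP-128
# pairwise and group, AKM 802.1X.  The only difference is RSN Capabilities:
# the handshake copy advertises MFP capable (0x0080), the association copy does not.
ASSOC_REQ_RSN = bytes.fromhex("3014" "0100" "000fac04" "0100000fac04" "0100000fac01" "0000")
EAPOL_M2_RSN = bytes.fromhex("3014" "0100" "000fac04" "0100000fac04" "0100000fac01" "8000")


def check_handshake_consistency(assoc_ie: bytes, eapol_ie: bytes) -> List[str]:
    """Return the mismatching fields an AP would reject with reason code 17."""
    return diff_rsn_ie(parse_rsn_ie(assoc_ie), parse_rsn_ie(eapol_ie))


if __name__ == "__main__":
    print("Association Request:", parse_rsn_ie(ASSOC_REQ_RSN))
    print("EAPOL-Key msg 2/4:  ", parse_rsn_ie(EAPOL_M2_RSN))
    print("Differing fields:   ", check_handshake_consistency(ASSOC_REQ_RSN, EAPOL_M2_RSN))
```

Feed the two hex strings copied from Wireshark (the raw bytes of the RSN IE in the Association Request and in the Key Data of EAPOL-Key message 2) into `check_handshake_consistency`; an empty list means the client-side copies agree and the mismatch is on the AP side (Beacon versus message 3/4), which narrows the problem to the supplicant or to the AP respectively.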

Laptops using the Cisco NAM supplicant have no issues joining this SSID, and as best I can tell I’ve configured this handset as required, with the root certificate import etc.

I have also tried a publicly issued cert for the RADIUS server as well, as I saw mention of that, but with the same result.

Has anyone got Android 11 playing nicely with EAP-TLS, or any ideas for further debugging/troubleshooting?
