Univention Bugzilla – Bug 52860
Radius connection fails with last Android 11 update
Last modified: 2021-03-03 15:52:02 CET
Since the last Android 11 update (December 2020), it is not possible to connect to the Radius-Server provided by UCS@School. This update blocks the skipping of legacy certificate technologies like PEAP, which is still used as default in our freeradius configuration.

Suggestion: provide a way to provide valid freeradius certificates to the clients.
I think this is a regular bug, not a security issue, although the bug originates from changed security handling in Android. I also reset the internal bug flags; see e.g. here for the criteria for when to set them: https://hutten.knut.univention.de/mediawiki/index.php/Priorisierung_in_der_Entwicklung#Waiting_Support
By default the radius server uses the computer certificate, which means Android needs the ucsCA root certificate. That certificate can be downloaded from the hamburger menu on the portal page.

Other certificates can be configured with the UCR keys "freeradius/conf/certificate/file" and "freeradius/conf/private/key/file".

You might want to consider using a certificate signed by a public CA. That way you don't have to install a new cert on the supplicant (wifi client); you only have to configure for which DNS name that cert was issued.

Please note the following drawbacks:
- If the DNS name is not configured on the supplicant (at least Android 10 forces you to configure one), it would accept any cert signed by a public CA, making this as secure as not configuring a cert at all.
- The public CA might not allow the use of the certificate with EAP and revoke it (see also extended key usage id-kp-eapOverLAN).

We do need to document this.
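The first drawback in the comment above can be checked on the client side. The following is an added example, not part of the bug report or of Univention's code: it audits a wpa_supplicant-style configuration and reports, per EAP network, whether the RADIUS server certificate is validated against a CA and pinned to a name. The choice of wpa_supplicant.conf as the supplicant format, the trust-store path, and all SSIDs, certificate paths and DNS names are assumptions.

```python
import re

# Assumption: client path that holds the public trust store; adjust per platform.
PUBLIC_BUNDLES = {"/etc/ssl/certs/ca-certificates.crt"}
NAME_PINS = ("domain_suffix_match", "domain_match", "altsubject_match")

# Constructed sample; SSIDs, paths and DNS names are placeholders.
SAMPLE_CONF = '''
network={
    ssid="school-private-ca"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/wifi/ucs-root-ca.pem"
    domain_suffix_match="radius.school.example"
}
network={
    ssid="school-public-ca-unpinned"
    key_mgmt=WPA-EAP
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
}
network={
    ssid="school-no-ca"
    key_mgmt=WPA-EAP
}
'''

def parse_networks(conf_text):
    """Return one settings dict per network={...} block."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", conf_text, re.S):
        pairs = (ln.strip().split("=", 1) for ln in body.splitlines()
                 if "=" in ln and not ln.strip().startswith("#"))
        networks.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return networks

def audit(settings):
    """Classify how one EAP network validates the RADIUS server certificate."""
    if "WPA-EAP" not in settings.get("key_mgmt", ""):
        return "not-eap"
    ca = settings.get("ca_cert")
    pinned = any(settings.get(k) for k in NAME_PINS)
    if not ca:
        return "no-validation"        # any server certificate is accepted
    if not pinned:                    # trusted CA, but no expected server name
        return "any-public-cert" if ca in PUBLIC_BUNDLES else "any-cert-from-ca"
    return "ok"

def audit_conf(conf_text):
    return {n.get("ssid"): audit(n) for n in parse_networks(conf_text)}
```

`audit_conf(SAMPLE_CONF)` flags the second network as `any-public-cert`, which is the case the comment describes as being as secure as not configuring a cert at all.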