Google Android 11 - Security Enhancement (Pixel 4)
If you are receiving complaints from users with Android 11 devices (such as the Google Pixel 4) that they cannot connect to your WPA/WPA2/WPA3-Enterprise SSID, this article is for you.
Users connecting to these types of SSIDs, where the Domain CA certificate is self-signed, are no longer able to simply accept the risk and trust this certificate. Well, at least not easily.
Below is a resource that was helpful in understanding the change Google has made in the Android 11 code. It is a really good reference for what, where and why Google implemented this change.
Using a RADIUS server to authenticate users' own (BYOD) devices against a registered domain user account has always presented the end user with a certificate trust prompt: the end user had to accept the self-signed certificate before they could access internal network resources or the internet.
Google has now removed the “Do Not Validate” option from the CA certificate section of the SSID configuration. In the past, most users selected this option to bypass the certificate check and just moved on.
Although the recommendation has always been for network administrators to purchase a certificate for their Domain CA from a trusted root authority (GoDaddy, Verisign, SSL.com, etc.), that has not always happened.
If the Android 11 device was previously connected to the network and had already accepted this certificate, then the device should still function the same without user intervention. However, if the device has been factory reset, getting it back onto the network is a little more difficult, but it can be done. Any new device being introduced to the network will also have to go through the same process described below.
For IT administrators the solution may be simple: buy a signed certificate from a trusted root authority, create a new SSID, migrate the users to the new SSID, and then remove the old SSID once the migration is complete.
Or, if this option is not possible, the procedure below may just work.
While there is mention of using an API to ease this configuration burden on the user, I have not yet investigated this option.
My solution was as follows:
Google Pixel 4a – Android 11 (new out of the box)
Connect the phone to an Open SSID and complete the setup.
Settings → Security Update
NOTE: Install the latest security patch (Feb 5, 2021) → I found that trying to connect to the WPA2 SSID right away with a new phone out of the box did not work, and the updates had to be completed before I could complete the connection.
From a local web server, shared directory, email, etc., download the self-signed CA certificate to the phone. I did this using Google Drive and Google Mail, but there may be other ways to distribute the certificate.
Once you have the certificate on the phone, open Settings → Security → Encryption & Credentials → Install a Certificate → Wi-Fi Certificate.
This opens the phone's file browser; select Pixel 4 → Download, and you should see the certificate listed there.
Select it and give it a name.
Once that is complete, go to Settings → Network & Internet → Wi-Fi.
Select the SSID.
Fill in the required fields:
- CA certificate (select the certificate you just installed)
Save at the bottom.
Now connect to the SSID.
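What the phone is actually checking once a CA certificate is selected (the change described above) is that the RADIUS server's certificate chains to that CA and is issued for the expected server name. The script below is an added example, not part of the original article or of Android itself: it uses the openssl command-line tool to build a throwaway self-signed Domain CA and RADIUS server certificate, then performs the same two checks the phone now performs. The hostname `radius.example.internal`, the CA names, the temp-directory paths and the `verify_server_cert` helper are all constructed for this demo; to check a real deployment, point the helper at your exported Domain CA file and the certificate your RADIUS server presents.

```shell
#!/bin/sh
# Added example (not from the original article): reproduces with openssl the
# check Android 11 performs for an enterprise SSID once a CA certificate is
# selected: the RADIUS server certificate must chain to that CA and carry the
# expected server name. Names, paths and certificates below are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
RADIUS_NAME="radius.example.internal"   # assumed RADIUS server hostname

# Build a throwaway self-signed CA (stands in for the site's Domain CA).
# $1 = output prefix, $2 = CA common name
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# Issue a server certificate for the RADIUS host, signed by the given CA.
# $1 = CA prefix, $2 = output prefix, $3 = server DNS name
make_server_cert() {
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$3" > "$2.ext"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$2.key" -out "$2.csr" -subj "/CN=$3" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
        -days 365 -extfile "$2.ext" -out "$2.pem" >/dev/null 2>&1
}

# The validation step itself. Returns 0 when the server certificate chains to
# the trusted CA file AND its name matches the expected RADIUS hostname;
# returns 1 otherwise. This is the decision the phone makes before it sends
# any user credentials to the network.
# $1 = trusted CA file, $2 = server certificate file, $3 = expected hostname
verify_server_cert() {
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Constructed scenario: the site's Domain CA and its RADIUS server certificate.
make_ca "$WORK/domain-ca" "Example Corp Domain CA"
make_server_cert "$WORK/domain-ca" "$WORK/radius" "$RADIUS_NAME"

# A second, unrelated CA with the same display name and a certificate for the
# same hostname. With "Do Not Validate" the phone would have accepted it;
# with the Domain CA installed and selected, it is rejected.
make_ca "$WORK/other-ca" "Example Corp Domain CA"
make_server_cert "$WORK/other-ca" "$WORK/unrelated" "$RADIUS_NAME"

if verify_server_cert "$WORK/domain-ca.pem" "$WORK/radius.pem" "$RADIUS_NAME"; then
    echo "radius.pem: chains to the installed Domain CA and name matches -> connect"
fi
if ! verify_server_cert "$WORK/domain-ca.pem" "$WORK/unrelated.pem" "$RADIUS_NAME"; then
    echo "unrelated.pem: not issued by the installed Domain CA -> refuse"
fi
# A genuine certificate is also refused when the expected server name differs.
if ! verify_server_cert "$WORK/domain-ca.pem" "$WORK/radius.pem" "radius.other.internal"; then
    echo "radius.pem: server name mismatch -> refuse"
fi
```

The third check is why the name matters as much as the CA: Android 11 also asks for a Domain alongside the CA certificate, and a server certificate that chains correctly but was issued for a different name is still refused. If a real RADIUS certificate fails the first check against your exported CA file, the phone will fail in the same way, so fix the server's certificate chain before reconfiguring any devices.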