Android 11 WPA2-Enterprise changes and Meraki/Microsoft NPS?

SOLVED
LRSFC_DanJ
Conversationalist

We've been caught out by a recent change in Android 11 which means Android phones can no longer connect to our WPA2-Enterprise SSID using the user's AD username and password. We use Microsoft NPS as our RADIUS server and this is an internal server on an internal domain having a certificate supplied by our internal AD Certificate Services PKI infrastructure.

We understand that the change that has been made is such that Android can no longer use the "Do not validate" setting, but we find that even if we install our AD CS CA certificate on an affected Android 11 device, it is still unable to connect.

It has been suggested that we can resolve the issue by obtaining an externally trusted certificate for our NPS server, but this would not appear to be possible as it does not have an external IP address and is not located on an externally valid domain / does not have an externally valid FQDN.

I realise this is not strictly a Meraki issue, but I did see that other users in this forum had posted threads in relation to NPS. If anyone could point me in the right direction, that would be really helpful.

Thanks,

Dan Jackson (Senior IT Services Technician)

Long Road Sixth Form College

Cambridge, UK.

1 ACCEPTED SOLUTION
LRSFC_DanJ
Conversationalist

We were able to resolve this by obtaining an externally valid certificate on our longroad.ac.uk domain to use with the NPS server. We needed to create an external DNS record in order for the certificate request to succeed, but this did not have to point to the actual server.
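The accepted solution works because the supplicant only checks that the server certificate chains to the selected CA and that a SAN dNSName falls under the configured domain; it never resolves the name or compares an IP address. The following is an added model of that decision (constructed example, not code from this thread, Android or NPS); the suffix rule follows wpa_supplicant's domain_suffix_match semantics, and the CA names, SAN lists and domains are made up:

```python
"""Model of what a WPA2-Enterprise client checks on the RADIUS server
certificate once the 'Do not validate' option is gone.

Constructed example: the issuer check stands in for full chain validation,
and all names below are made up for illustration.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class ServerCert:
    """The parts of the NPS server certificate the client actually inspects."""
    issuer_ca: str                                 # CA that signed the cert
    san_dns_names: List[str] = field(default_factory=list)


def domain_suffix_match(dns_name: str, configured_domain: str) -> bool:
    """True when dns_name equals the domain or is a subdomain of it.

    Case-insensitive, and the match must land on a label boundary, so
    'evil-longroad.ac.uk' does not match a configured 'longroad.ac.uk'.
    """
    name = dns_name.lower().rstrip(".")
    domain = configured_domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def validate_server(cert: ServerCert, trusted_ca: str, configured_domain: str) -> str:
    """Return 'ok' or the reason the EAP TLS tunnel would be rejected.

    Nothing here does a DNS lookup or compares an IP address, which is why
    the external DNS record did not have to point at the actual server.
    """
    if not trusted_ca:
        return "no CA certificate selected"        # no 'Do not validate' any more
    if cert.issuer_ca != trusted_ca:
        return "certificate not issued by the selected CA"
    if not configured_domain:
        return "no domain configured for suffix match"
    if not any(domain_suffix_match(n, configured_domain) for n in cert.san_dns_names):
        return "no SAN dNSName matches the configured domain"
    return "ok"


# Internal AD CS cert (made-up names): chains to the internal CA, but only
# passes if that CA is installed AND selected, and the SAN matches the domain.
INTERNAL = ServerCert("LRSFC Internal CA", ["nps01.lrsfc.internal"])
# Externally issued cert on the public domain, as in the accepted solution.
PUBLIC = ServerCert("Public CA", ["nps.longroad.ac.uk"])
```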

3 REPLIES
GIdenJoe
Kind of a big deal

When the users installed the CA certificate of your domain, did they actually install the cert or just copy it to their store?

If it is correctly installed, do they actually select the correct CA cert for server validation in the WiFi profile?

We're the only users that have tried that so far, nobody else has any access to the internal CA cert as it wasn't needed previously. I have a Google Pixel 3a but it doesn't appear to allow me to select a specific CA cert to validate against.
