Changes to eduroam settings with Android 11

Android 11 is now reaching end-user devices and changes how enterprise WiFi networks, including eduroam, need to be configured on these devices. For our members, this could mean changing the instructions that their users receive for configuring devices to connect to eduroam.

User devices connecting to eduroam need to have a connection profile. Besides the login credentials, the profile also includes settings for how the device communicates with the eduroam infrastructure. These settings include how to verify the identity of the authentication server.

In the interests of user security, Android 11 no longer allows users to select "Do not validate" in the WiFi connection settings. To connect to a network asking for a username and password (an "Enterprise" network), the connection profile needs to specify how the server will authenticate. It must specify the domain name that will be in the certificate presented by the server, and the certification authority issuing the certificate.

This is simple to configure for sites where the server authenticating eduroam users has a certificate issued by a public certification authority: on Android devices, select "Use system certificates" and enter the name as instructed by the operators of the local eduroam infrastructure.

This process can be more involved for sites that use a custom certificate. If you are having issues with configuring your end-user devices to validate your eduroam server certificate and require any assistance while making the change, please contact us at help@reannz.co.nz.

Note that getting the configuration to all user devices can be simplified by using the Configuration Assistant Tool (CAT), a service run by GÉANT that allows each eduroam member institution to create downloadable connection profiles, getting all the settings "right" in one go. Please contact us if you would like to start using CAT for your institution.

When connecting to a WiFi network, security is critical. A malicious party could set up a fake WiFi access point that pretends to serve the eduroam network, and potentially collect credentials of users attempting to connect. This change protects against this type of attack. While the change only impacts devices with Android 11 currently, it will apply to more devices over time. It could also be quickly adopted across many devices when other manufacturers make the same change.

If you have any questions or would like to know more about how we can help to support your organisation's use of eduroam, please get in touch at help@reannz.co.nz.
 

Additional information

CANARIE Canada NREN
Jisc UK NREN
