Want to learn the best practice for configuring Chromebooks with 802.1X authentication?

Sign up for a Webinar!

Server Certificate Validation with Android 12 Devices

Cyber-attacks have grown stronger over the years and are able to easily bypass the rudimentary security standards provided by the username/password mechanism. If an organization relies on passwords for network authentication, attacks can infiltrate the network with little to no effort.

A key strategy to defending your network is allowing the client to verify the authenticating (RADIUS) server before establishing the connection. This can be done by enrolling both the server and the client with digital x.509 certificates. Passwords aren’t a great identifier because they can be shared or stolen, but certificates are much harder to crack and the right software can provide server certificate validation.

Using a Public Key Infrastructure solution like JoinNow Connector will simplify the server certificate validation setup. Plus, our easy-to-use UI will allow you to handle the mandate for Android 12 devices. Read what one of our customers said when they implemented SecureW2 for their Android devices.

What is Server Certificate Validation?

Server Certificate Validation allows the device to verify the authenticating RADIUS server is network approved.

Server certificate validation is a security feature of WPA2-Enterprise that makes devices check the identity of a server before they attempt to authenticate to a network. Devices are able to verify the server by checking the CA (Certificate Authority) that signs the RADIUS server and confirming that it is trusted.

Devices come with a root store, a list of trusted CAs. Server certificate validation can be established if both the device and the RADIUS server trust the same CA that issued the server certificate. However, only specific server certificates will establish server certificate validation for Android 12 devices.

Android 12 Server Certificate Validation Mandate

Android 12 requires only the Root CA for Server Certificate Validation. If the Intermediate CA is included in the profile and trusted for Server Certificate Validation, the authentication will fail. When configuring Android 12 devices with a certificate, admins must ensure the Root CA is included and trusted for Server Certificate Validation.

Here you can specify which CA will be used for Server Certificate Validation. Uncheck the intermediate CA certificate, check the Root CA certificate, and update. Now you can remove the Intermediate CA from the Certificate section from before.

How Can I Fix it in SecureW2?

In the SecureW2 Management Portal, you can choose to enable Server Certificate Validation and which CA certificate will be used.

  1. Navigate to Network Profiles under Device Onboarding tab.
  2. Find your SSID and click Edit.
  3. Under the Basic tab, look for the Certificates section.
    • This shows all the certificates you have downloaded.
    • You have the option to download SecureW2’s Private CA or choose from a list of Public CAs.
    • You can also upload your own certificate.

This is where you can remove the Intermediate CA certificate, but first, you will have to disable the certificate from Server Certificate Validation.

  1. Below Certificates, you will see the Network Settings section with your SSID listed. Click Edit.
  2. At the bottom will be Server Certificate.
    • Check the Enable Server Certificate Validation box.

Here you can specify which CA will be used for Server Certificate Validation. Uncheck the intermediate CA certificate, check the Root CA certificate, and update. Now you can remove the Intermediate CA from the Certificate section from before.

Why Android Requires Server Certificate Validation

There are many examples of publicly accessible documentation from universities and enterprises that instruct end-users to select the “Do not validate” option during configuration. That can be seen by attackers as an invitation to set up a fake access point with a spoofed SSID to harvest valid user credentials.

Even if organizations weren’t actively advertising their network vulnerabilities, the change would still be necessary. Most organizations with WPA2-Enterprise networks are still using outdated EAP methods (such as PEAP and EAP-TTLS) that rely on credentials for authentication. It’s likely many organizations stick to credential-based authentication because they believe digital certificates and EAP-TLS authentication are too difficult to deploy.

That’s simply not the case anymore. Managed PKI providers like SecureW2 have turnkey solutions that provide everything an organization needs for certificate-based authentication. We can integrate with and utilize your existing infrastructure for efficient and speedy deployment of certificate authentication.

How to Implement Server Certificate Validation on Android

Google is moving towards public-key cryptography because it offers more secure network authentication. Organizations operating their own WPA2-Enterprise networks will need to provide great documentation for their end-users and employ more people at the IT helpdesk to help when users inevitably misconfigure their devices.

You can also use a device onboarding solution so end users can self-configure server certificate validation. The right onboarding solution will allow you to fully upgrade your network to EAP-TLS certificate-based authentication and take advantage of the greatly enhanced security and user experience it provides.

EAP-TLS Certificate Authentication

The persistent myth regarding the hassle of digital certificates is outdated. It’s true that it used to be difficult and expensive to implement on-premise, but cloud PKI has adequately addressed those issues. PKIs are cheaper to build now than they were a decade ago and cloud-based options are cheaper still.

The security provided by certificates is exponentially stronger than credentials – that has never been a question. The principles of public-private cryptography that underpin x.509 digital certificates render a network almost immune to both over-the-air and phishing attacks.

And, in this instance at least, the increased security and reduced price tag don’t have to come at the cost of user experience. Certificate authentication is far more user-friendly than credential authentication because it’s automatic and requires little user interaction. Certificates are enrolled on a device and automatically presented during the TLS handshake. Admins no longer need to worry about password-reset policies or get bogged down by password-related support tickets. Our customers have seen up to a 50% reduction in IT support tickets after switching.

Enrolling Android 12 Devices for Server Certificate Validation

Integrating a full PKI solution is better than buying expensive licenses from a public CA because you can enroll Android devices for server certificate validation. Managed devices are easy to configure and enroll, but most Android devices on a network are BYOD, which means the end-user has to be involved.

Luckily, our BYOD onboarding solution allows you to push a customizable configuration client with a foolproof self-enrollment wizard that guides the end-user through the Android configuration process. Our Advanced BYOD Onboarding Service is incredibly easy to set up, as most of the heavy lifting is done by our engineers. Below are the general steps on setting it up.

  1. Set up an open SSID on your wireless AP/controller
  2. Configure redirect to the SecureW2 Advanced Onboarding Service landing page
  3. Connect your WLC with the Cloud RADIUS server
  4. Upload Cloud RADIUS IP address, port number, and shared secret

Organizations must specify a redirect URL for their captive portal and point it to a RADIUS server. Setting up and configuring a RADIUS server is an area where the Advanced Onboarding configuration can be more complex. However, SecureW2 products come with a Cloud RADIUS server already set up, simplifying the process.

Easily Enable Server Certificate Validation with Android 12

SecureW2’s JoinNow Connector and Cloud RADIUS make it easy for you to set up server certificate validation for all Android devices, no need to spend a ridiculous amount of money for public CA licenses.

Enabling server certificate validation for Android devices is essential in preventing future cyber-attacks because the devices will always connect to the right authentication server. Android devices will no longer be a weak point in your network security. Check out one of our affordable pricing options to streamline the configuration process.

Key Takeaways:
  • Only Root CA certificates are valid for Server Certificate Validation in Android 12 devices.
  • SecureW2's Cloud RADIUS and JoinNow Connector PKI are all you need to enroll Android devices and workstations with certificates.
Learn about this author

Sam Metzler

Sam (aka Slammin Salmon, Street Hustler Sam, Samilstilskin) is a copywriter within the marketing team and a man of many nicknames. He has a degree in Marketing from the University of North Texas with previous experience in mortgage marketing and financial services.

Server Certificate Validation with Android 12 Devices