Skip to main content
Cisco Meraki Documentation

Meraki MR and Android 11 Security Update

Android 11 Security and WPA2-Enterprise PEAP

The new release of android creates challenges for enterprise security networks running WPA2 Enterprise PEAP authentication (username/password) because the option to bypass the security certificate has been removed.

Clients that do not have the certificate installed and validated will not be able to comply with PEAP authentication and their connection will fail.

Unfortunately, Cisco Meraki cannot ease this step because this relies on the client and RADIUS itself. As such, if the network administrator is not capable of issuing the right certificate to each client (this can be challenging), it is recommended to not update clients to Android 11 . 

For Meraki authentication, because the certificate cannot be provided due to security reasons, the authentication will break. 

WPA2 Personal (PSK) authentication, or other authentication types (other than WPA2-Enterprise PEAP) will not be impacted by this change, and this authentication method can be used with no issues. 

Options for Complying with Android 11 Security Requirements

  1. Use Meraki’s BYOD Solution - Trusted Access

Meraki Trusted Access provides a secure way to do EAP-TLS (client and server side certificates) for authenticated devices without having to setup a certificate authority (CA) or RADIUS server. All of this is possible without enrolling an MDM profile on the device.

 

  1. Meraki Splash Page - with Active Directory (AD) Sign-on

Splash Page with AD Sign-on allows for an open or PSK wireless SSID which prompts the user to validate their AD credentials through an encrypted TLS session with the Meraki dashboard. The AP then validates the AD credentials with the configured AD server to authenticate the user. This authentication has no encryption.

 

  1. PEAP 802.1x - private certificate

Using a self-signed certificate for RADIUS means Android 11 devices would need the appropriate root CA certificate to validate the certificate used by RADIUS. To install your root CA certificate on devices, you could manually create instructions to install the root CA or push the root CA to company-owned devices using an MDM such as Systems Manager. 

 

  1. PEAP 802.1x - public certificate

To leverage the existing public root CA install on Android, customers have the option to purchase a certificate signing from a public provider. This certificate can then be used for RADIUS authentication without changes on Android 11 devices.

  • Was this article helpful?