WPA2-Enterprise PEAP Android 11 Security Issues
The release of Android 11 creates challenges for enterprise security networks running WPA2-Enterprise PEAP authentication (username/password) because the option to bypass the security certificate has been removed.
Clients that do not have the certificate installed and validated will not be able to comply with PEAP authentication and their connection attempt will fail.
Unfortunately, Cisco Meraki cannot ease this step because this relies on the client and RADIUS itself. Unless the network administrator is capable of issuing the correct certificate to each client, it is not recommended to not update clients to Android 11.
SSIDs using WPA2 Personal (PSK) authentication and other type of EAP authentication will have no impact with Android 11 and can continue to be used as normal.
Options for Complying with Android 11 Security Requirements
Use Meraki’s BYOD Solution - Trusted Access
Trusted Access provides a secure way to do EAP-TLS (client and server side certificates) for authenticated devices without having to set up a certificate authority (CA) or RADIUS server. All of this is possible without enrolling an MDM profile on the device.
Meraki Splash Page - with AD Sign-on
Splash Page with Active Directory Sign-on allows for an open or PSK wireless SSID which prompts the user to validate their AD credentials through an encrypted TLS session with the Meraki dashboard. The AP then validates the AD credentials with the configured AD server to authenticate the user.
Note however, that this authentication method has no encryption.
PEAP 802.1x - private certificate
Using a self-signed certificate for RADIUS means Android 11 devices would need the appropriate root CA certificate to validate the certificate used by RADIUS. To install your root CA certificate on devices, you could manually create instructions to install the root CA or push the root CA to company-owned devices using an MDM.
PEAP 802.1x - public certificate
To leverage the existing public root CA install on Android, customers have the option to purchase a certificate signing from a public provider. This certificate can then be used for RADIUS authentication without changes on Android 11 devices.