Android 11 Workaround for Web Browser Trust certs - Cloudpath

Summary

Android 11 mobile devices have issues enrolling onto a secure network.

Question

Is there an issue with Android phones running version 11 downloading the CA certificates from Cloudpath?

Customer Environment

Cloudpath version 5.7.4774, SZ100, Pixel 3a, OnePlus 8T 5G

Root Cause

In Android 11, the certificate installer now checks who asked to install the certificate. If it was launched by anybody other than the system's settings application, the certificate install is refused with an obscure alert message: "Can't install CA certificates"

Symptoms

1. On Android v11 mobile devices, when you run the Cloudpath application after authorizing yourself, the Cloudpath app throws an error message: "Certificate is not installed".
(Screenshot: Cert not installed error)
The Cloudpath support file also confirms that the CA cert could not be installed, as shown below:

[!!! ERROR !!!] Unable to install a root CA certificate for web browser use!
Setting 61310 (Root CA 'guhsdaz-CS01-CA' needs to be installed.) was *NOT* fixed. (Result = 4103)
Setting 61310 doesn't appear to have been fixed. Will return to the UI.


2. When we go through the manual installation of certs, we are asked to go to Settings --> Security --> Encryption & Credentials --> Install from storage. The certificates do get installed; however, when we try to create the network manually with the details given under "Configure Wifi", we are still unable to connect, and we don't even see an error when we click Connect.
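When many support files need triage, the failure quoted under symptom 1 can be picked out mechanically. The following Python is an added example, not Cloudpath code: it assumes support-file lines have exactly the shape of the excerpt above, and the function name and the first sample line are constructed for illustration.

```python
import re

# Line shapes are taken from the support-file excerpt on this page.
# Any other layout is outside the assumption and is ignored.
ERROR_RE = re.compile(
    r"\[!!! ERROR !!!\] Unable to install a root CA certificate for web browser use"
)
NOT_FIXED_RE = re.compile(
    r"Setting (?P<setting>\d+) \(Root CA '(?P<ca>[^']+)' needs to be installed\.\) "
    r"was \*NOT\* fixed\. \(Result = (?P<result>\d+)\)"
)


def find_browser_ca_failures(lines):
    """Return one dict per root CA the support file reports as not installed."""
    failures = []
    saw_error = False  # True once the web-browser CA error line has been seen
    for number, line in enumerate(lines, start=1):
        if ERROR_RE.search(line):
            saw_error = True
            continue
        match = NOT_FIXED_RE.search(line)
        if match:
            failures.append({
                "line": number,
                "setting": int(match["setting"]),
                "ca_name": match["ca"],
                "result": int(match["result"]),
                "after_browser_error": saw_error,
            })
            saw_error = False
    return failures


# Sample input: the first line is constructed, the rest is the page's excerpt.
SAMPLE = """\
Checking device configuration...
[!!! ERROR !!!] Unable to install a root CA certificate for web browser use!
Setting 61310 (Root CA 'guhsdaz-CS01-CA' needs to be installed.) was *NOT* fixed. (Result = 4103)
Setting 61310 doesn't appear to have been fixed. Will return to the UI.
""".splitlines()

if __name__ == "__main__":
    for failure in find_browser_ca_failures(SAMPLE):
        print(failure)
```

A hit with `after_browser_error` set, on a device running Android 11, points at the root cause described above rather than at a Wi-Fi configuration problem.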

Troubleshooting Steps


 

Workaround

The workaround involves adding a split to the existing workflow that filters by Android OS, and creating a secondary workflow (this is for the post transit URL) which will be used to deliver the Root CA cert for the Web Browser Trust.

Please find the attached document (Android 11 Workaround for Web Browser Trust certs) which has step by step instructions on how to make modifications/additions to the cloudpath configuration.

Below are the instructions to install the certificate manually (as examples we have taken Samsung and Pixel, since the customer's network predominantly has Samsung phones and the issue was reported on a Pixel phone):

Samsung:
Open settings
Go to 'Biometric and Security'
Go to 'Other Security Settings'
Go to 'Install from storage'
Select 'CA Certificate' from the list of types available
Accept a large scary warning
Browse to the certificate file on the device and open it
Confirm the certificate install

Google (Pixel):
Open settings
Go to 'Security'
Go to 'Encryption and Credentials'
Go to 'Install from storage'
Select 'CA Certificate' from the list of types available
Accept a large scary warning
Browse to the certificate file on the device and open it
Confirm the certificate install

 

Attachment 1

Android 11 workaround document.docx

Article Number:
000011377

Updated:
February 16, 2021 02:08 PM (10 months ago)


Tags:
Configuration, Known Issues and Workarounds, Cloudpath
