Use 802.1X to Secure Apple & Android Mobile Devices

Users of Android devices often get confused about how to arrange the settings when they connect to enterprise-secured networks. When users connect through iOS devices such as the iPod, iPad, and iPhone, they are usually asked only for their username and password. In general, users cannot edit the 802.1X settings on their device, but they can get around them.

How to Install Certificates in Android

If you are using a certificate-based authentication method, for example TLS, you first need to install the user's digital certificate. Even if you are not using certificate-based authentication, you might want to load a certificate on Android. With most authentication methods, the user can install the certificate of the Certificate Authority that the authentication server uses in order to enable server verification. As with server verification on Windows, this can help prevent so-called man-in-the-middle attacks.

Digital certificates are small files with the extension .p12, .pfx, or .crt. If you have one of the newer versions of Android, installing certificates is easy: download the certificate and the import screen opens. Give the certificate a name and select Wi-Fi as the credential use. If lock screen security is not enabled on the phone, you might be asked to enable it.

People who are using older versions of Android might need to do the import manually. They have to download or transfer the certificate to the device, then go to the Security settings and pick the Install from SD card option. They will be asked to create a password for the credential storage.

Users should be aware that they can always remove the certificates they have installed. They simply need to go to the security settings and select the option Clear credentials. This step removes all the certificates that were added, and it allows them to remove the lock screen password. If you wish to remove only certain user certificates, select the option Trusted credentials in your security settings and then pick the User tab to view and delete those certificates.

How to Configure 802.1X Settings in Android

When you connect to a secure Wi-Fi network in Android for the very first time, you will be shown the authentication settings. For some users these appear immediately, as two fields: username and password. The settings can be edited later by tapping on the name of the network.

Then check the EAP method: you have to select the one that is supported by the authentication server. This method could be TLS, TTLS, PEAP, FAST, or LEAP. For the EAP methods, you can specify the CA certificate, which you have to install first as discussed above. For TLS you can also specify the user certificate, which likewise has to be installed first.

For the PEAP and TTLS methods you have to:

  • Set Phase 2 authentication, which specifies the outer authentication method. You should use the method that is supported by the authentication server. The most popular here is MS-CHAPv2.
  • For Identity, enter your username and make sure it includes a domain name.
  • Use an anonymous identity. The username is sent to the authentication server two times: once unencrypted (anonymous) and then inside an encrypted tunnel (inner). You are not obliged to use your real username as the outer identity; it is better to use a random username.
  • Enter your password.

You can alter these settings whenever you need to by long-pressing the network name and selecting the option ‘Modify Network Config’.
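The checks below apply the points of this section to one saved profile. This is an added example, not code from the original article; it assumes the Android fields are written as a wpa_supplicant-style network block, and the SSID, usernames and sample block are constructed.

```python
import re

# Constructed sample: the Android fields above written as a wpa_supplicant-style
# network block (SSID, usernames and password are made up for illustration).
SAMPLE = '''
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice@example.com"
    anonymous_identity="alice@example.com"
    password="not-a-real-password"
}
'''

def parse_network(text):
    """Return the key/value pairs of the first network={...} block."""
    block = re.search(r"network=\{(.*?)\n\}", text, re.S)
    if not block:
        raise ValueError("no network block found")
    fields = {}
    for line in block.group(1).splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
    return fields

def audit(fields):
    """Check the profile against the points made in this section."""
    findings = []
    eap = fields.get("eap", "").upper()
    tunnelled = eap in ("PEAP", "TTLS")
    if not fields.get("ca_cert"):
        findings.append("no CA certificate: server is not verified")
    if tunnelled and not fields.get("phase2"):
        findings.append("no Phase 2 authentication set")
    if eap == "TLS" and not fields.get("client_cert"):
        findings.append("TLS selected without a user certificate")
    identity = fields.get("identity", "")
    if "@" not in identity and "\\" not in identity:
        findings.append("identity has no domain name")
    anon = fields.get("anonymous_identity", "")
    if tunnelled and (not anon or anon.split("@")[0] == identity.split("@")[0]):
        findings.append("anonymous identity missing or reveals the real username")
    return findings
```
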

How to Install Certificates on iOS Device

If you are using the certificate-based TLS authentication method, you first need to install a user digital certificate. With these devices you do not have to manually install the Certificate Authority certificate to use server verification when you are using PEAP. The verification helps prevent man-in-the-middle attacks and is automatic on all iOS devices: the device will ask you to accept new certificates that are used by the authentication server.

In practice, this default type of verification is often ignored by users, as they will usually accept new certificates. For that reason it is wise to define trusted certificate names by creating configuration profiles.

If the server needs a user certificate, it can be transferred to the iOS device. This certificate will be a small file with the extension .p12, .pfx, or .crt, and it has to be installed. If you want to learn more about the legitimacy of the certificate, tap on “More Details”.

How to Make Connection with iOS Devices

When you connect to a secured Wi-Fi network through an iOS device for the first time, you will be asked to enter the authentication settings. When the network requires a password, with PEAP for example, you have to enter a username and password.

Then you might be asked to accept the Certificate Authority certificate. It may show a Not Verified sign the first time you make a connection. You will see the expiration date of the certificate and an option to tap for More Information.

How to Configure the Advanced 802.1X Settings of iOS Devices

On iOS devices you cannot configure the advanced 802.1X settings: the trusted certificate names and the exact EAP types allowed. You also cannot enable the Protected Access Credential or define the Outer Identity. The same applies to Apple computers running Mac OS X 10.7 Lion.

Even so, you can use the Apple Configurator and the iPhone Configuration Utility to create a network configuration profile, which you can distribute and then install on iOS devices and on Mac computers. These profiles will include the Certificate Authority certificates and the user certificates.

Both configurators allow you to configure the advanced 802.1X settings. This is done in addition to the device security policies and the network settings: Wi-Fi, VPN, Exchange account, and email settings. Once you have the configuration profile, you can distribute it to users by email or upload it to a website. You could also set up a separate SSID on the network with a captive portal that directs users to the configuration file so they can download it. Further, you can also connect the devices to a computer and install the profile directly using the iPCU.
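A configuration profile is a property list, so the advanced settings named above can be shown directly. The following is an added example, not output of either Apple tool and not code from the original article; the SSID, server name, payload identifiers and the placeholder certificate bytes are constructed.

```python
import plistlib
import uuid

def build_wifi_profile(ssid, ca_der, trusted_names, outer_identity):
    """Return a profile (bytes) carrying a CA payload and a PEAP Wi-Fi payload."""
    ca_uuid = str(uuid.uuid4()).upper()
    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.ca",  # hypothetical identifier
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "Example RADIUS CA",
        "PayloadContent": ca_der,  # DER bytes of the CA certificate
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.ssid",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example 802.1X Wi-Fi",
        "SSID_STR": ssid,
        "EncryptionType": "WPA",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],  # 25 = PEAP; no other EAP type is allowed
            "OuterIdentity": outer_identity,  # sent outside the tunnel
            "TLSTrustedServerNames": trusted_names,  # trusted certificate names
            "PayloadCertificateAnchorUUID": [ca_uuid],  # trust only the bundled CA
            "TLSAllowTrustExceptions": False,  # no "accept new certificate" prompt
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example 802.1X profile",
        "PayloadContent": [ca_payload, wifi_payload],
    }
    return plistlib.dumps(profile)

if __name__ == "__main__":
    # Constructed input: placeholder bytes stand in for a real DER certificate.
    data = build_wifi_profile("CorpWiFi", b"PLACEHOLDER-CA-DER",
                              ["radius.example.com"], "anonymous")
    with open("corp-wifi.mobileconfig", "wb") as fh:
        fh.write(data)
```

No username or password is stored in the profile, so the user is still prompted for credentials when joining the network.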