Android Wi-Fi EAP-TLS

Add Wi-Fi settings for Android (AOSP) devices in Microsoft Intune

You can create a profile with specific Wi-Fi settings, and then deploy this profile to your Android Open Source Project (AOSP) devices. Microsoft Intune offers many features, including authenticating to your network, using a pre-shared key, and more.

This article describes these settings. Use Wi-Fi on your devices includes more information about the Wi-Fi feature in Microsoft Intune.

For more information on AOSP, go to Android Open Source Project (opens Android’s website).

Before you begin

Basic

  • Wi-Fi type: Select Basic.
  • Network name: Enter a name for this Wi-Fi connection. End users see this name when they browse their device for available Wi-Fi connections. For example, enter Contoso WiFi.
  • SSID: Enter the service set identifier, which is the real name of the wireless network that devices connect to. However, users only see the network name you configured when they choose the connection.
  • Connect automatically: Enable automatically connects to your Wi-Fi network when devices are in range. Select Disable to prevent or block this automatic connection. When devices are connected to another preferred Wi-Fi connection, then they won’t automatically connect to this Wi-Fi network. If devices fail to connect automatically when this setting is enabled, then disconnect the devices from any existing Wi-Fi connections.
  • Hidden network: Select Enable to hide this network from the list of available networks on the device. The SSID isn’t broadcasted. Select Disable to show this network in the list of available networks on the device.
  • Wi-Fi type: Select the security protocol to authenticate to the Wi-Fi network. Your options:
    • Open (no authentication): Only use this option if the network is unsecured.
    • WEP-Pre-shared key: Enter the password in Pre-shared key (PSK). When your organization’s network is set up or configured, a password or network key is also configured. Enter this password or network key for the PSK value.
    • WPA-Pre-shared key: Enter the password in Pre-shared key (PSK). When your organization’s network is set up or configured, a password or network key is also configured. Enter this password or network key for the PSK value.

Enterprise

    • Wi-Fi type: Select Enterprise.
    • SSID: Enter the service set identifier, which is the real name of the wireless network that devices connect to. However, users only see the network name you configured when they choose the connection.
    • Connect automatically: Enable automatically connects to your Wi-Fi network when devices are in range. Select Disable to prevent or block this automatic connection. When devices are connected to another preferred Wi-Fi connection, then they won’t automatically connect to this Wi-Fi network. If devices fail to connect automatically when this setting is enabled, then disconnect the devices from any existing Wi-Fi connections.
    • Hidden network: Select Enable to hide this network from the list of available networks on the device. The SSID isn’t broadcasted. Select Disable to show this network in the list of available networks on the device.
    • EAP type: Select the Extensible Authentication Protocol (EAP) type used to authenticate secured wireless connections. Your options:
      • EAP-TLS: To authenticate, the Extensible Authentication Protocol (EAP) Transport Layer Security (TLS) uses a digital certificate on the server, and a digital certificate on the client. Both certificates are signed by a certificate authority (CA) that the server and client trust. Also enter:
        • Radius server name: Enter the DNS name that’s used in the certificate presented by the Radius Server during client authentication to the Wi-Fi access point. For example, enter Contoso.com, uk.contoso.com, or jp.contoso.com. If you have multiple Radius servers with the same DNS suffix in their fully qualified domain name, then you can enter only the suffix. For example, you can enter contoso.com. When you enter this value, user devices can bypass the dynamic trust dialog that’s sometimes shown when connecting to the Wi-Fi network. On Android 11 and newer, new Wi-Fi profiles may require this setting be configured. Otherwise, the devices may not connect to your Wi-Fi network.
        • Root certificate for server validation: Select one or more existing trusted root certificate profiles. When the client connects to the network, these certificates are used to establish a chain of trust with the server. If your authentication server uses a public certificate, then you don’t need to include a root certificate.
        • Certificates: Select the SCEP or PKCS client certificate profile that’s also deployed to the device. This certificate is the identity presented by the device to the server to authenticate the connection.
        • Identity privacy (outer identity): Enter the text sent in the response to an EAP identity request. This text can be any value, such as anonymous. During authentication, this anonymous identity is initially sent, and then followed by the real identification sent in a secure tunnel.
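
The suffix behaviour of Radius server name can be checked against your RADIUS certificates before the profile is assigned. This is an added example, not part of the Intune documentation; it assumes the device compares the configured name with the certificate's DNS names one label at a time, and the server inventory and function names are constructed for illustration.

```python
# Added example: label-wise DNS suffix matching for the "Radius server name" setting.
# Assumption: a configured name matches a certificate DNS name when it is equal to it
# or is a suffix of it on a label boundary. All host names are constructed sample data.

def _labels(name):
    """Lower-case a DNS name, drop one trailing dot, and split it into labels."""
    return name.strip().lower().rstrip(".").split(".")

def suffix_match(configured, cert_dns_name):
    """True if cert_dns_name equals `configured` or ends with it label by label."""
    want, have = _labels(configured), _labels(cert_dns_name)
    if not all(want) or not all(have):  # an empty label means a malformed name
        return False
    return len(have) >= len(want) and have[-len(want):] == want

def audit(configured_names, servers):
    """Map each RADIUS server to the configured names its certificate satisfies.

    `servers` maps a server label to the DNS names in that server's certificate.
    """
    report = {}
    for server, dns_names in servers.items():
        report[server] = sorted(
            {c for c in configured_names for d in dns_names if suffix_match(c, d)}
        )
    return report

def unvalidated(report):
    """Servers whose certificate matches no configured name (devices would reject them)."""
    return sorted(server for server, hits in report.items() if not hits)

# Constructed inventory: the value entered in the profile and each server's cert names.
CONFIGURED = ["contoso.com"]
SERVERS = {
    "radius-uk": ["uk.contoso.com"],
    "radius-jp": ["JP.Contoso.com."],          # case and trailing dot are normalised
    "radius-lab": ["radius.notcontoso.com"],   # same trailing characters, different domain
    "radius-old": ["contoso.com.example.net"], # configured name is not the suffix
}

if __name__ == "__main__":
    report = audit(CONFIGURED, SERVERS)
    for server, hits in sorted(report.items()):
        print(f"{server}: {'ok via ' + ', '.join(hits) if hits else 'NO MATCH'}")
    print("would fail server validation:", unvalidated(report))
```

Any server listed as unmatched needs either a reissued certificate or an additional name in the profile before devices can connect to it.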

Next steps

The profile is created, but might not be doing anything. Be sure to assign this profile and monitor its status.


Add Wi-Fi settings for Android device administrator devices in Microsoft Intune

You can create a profile with specific Wi-Fi settings, and then deploy it to your Android devices. Microsoft Intune offers many features, including authenticating to your network, adding a PKCS or SCEP certificate, and more.

This feature applies to:

These Wi-Fi settings are separated into two categories: Basic settings and Enterprise-level settings. This article describes these settings.

Before you begin

Basic

  • Wi-Fi type: Select Basic.
  • SSID: Enter the service set identifier, which is the real name of the wireless network that devices connect to. However, users only see the network name you configured when they choose the connection.
  • Hidden network: Select Enable to hide this network from the list of available networks on the device. The SSID isn’t broadcasted. Select Disable to show this network in the list of available networks on the device.

Enterprise

  • Wi-Fi type: Select Enterprise.
  • SSID: Enter the service set identifier, which is the real name of the wireless network that devices connect to. However, users only see the network name you configured when they choose the connection.
  • Hidden network: Select Enable to hide this network from the list of available networks on the device. The SSID isn’t broadcasted. Select Disable to show this network in the list of available networks on the device.
  • EAP type: Select the Extensible Authentication Protocol (EAP) type used to authenticate secured wireless connections. Your options:
    • EAP-TLS: Also enter:
      • Server Trust - Root certificate for server validation: Select one or more existing trusted root certificate profiles. When the client connects to the network, these certificates are used to establish a chain of trust with the server. If your authentication server uses a public certificate, then you don’t need to include a root certificate.
      • Client Authentication - Client certificate for client authentication (Identity certificate): Select the SCEP or PKCS client certificate profile that’s also deployed to the device. This certificate is the identity presented by the device to the server to authenticate the connection.
      • Identity privacy (outer identity): Enter the text sent in the response to an EAP identity request. This text can be any value, such as anonymous. During authentication, this anonymous identity is initially sent, and then followed by the real identification sent in a secure tunnel.