I am setting up a WPA2 Enterprise-secured Wifi for my company. I set up a RADIUS server (FreeRadius) which talks to our Azure AD for authenticating our users. Because of the nature of the connection (RADIUS<-> AzureAD), EAP-TTLS is the only protocol that can be used.
Since EAP-TTLS does server validation via server certificate, but the client-side does not have to be validated via client certs, that makes it easy to deploy to employees connecting to our WiFi since I don't have to deploy client certs to all the client devices.
Problem is I don't understand the exact process of connecting the clients.
Example #1: When connecting an iOS device to the WiFi, I get the dummy CA and server certificates shown on my screen that were generated on my RADIUS server. I can choose to either trust them or not. This way server validation is done, which makes the connection secure and makes complete sense to me.
Example #2: When connecting an Android device, I don't get this prompt with the CA and server certificates. What I get is an option to either:
- Select a CA cert -> This means I have to deploy the RADIUS-generated CA cert to EVERY client device. This does not make sense to me because in the end it's like I am deploying client certificates to devices which complicates the setup a lot and negates the main advantage of EAP-TTLS.
- Don't validate -> This means that the device just connect to the network without validating the server at all. This way, I can connect to the WiFi too but that is not acceptable since the client does not verify the server at all which makes the network not secure.
- Use system certificates -> Selecting this prompts the user to enter a domain. I suppose this option uses the already pre-installed CAs Android has by default, but I am not sure what to make of it. What domain is the device asking for? I can't connect this way if I enter my company's domain, the RADIUS server says that the client has an unknown CA cert. Makes sense since the device is not using it's generated CA cert.
All in all, I understand the way iOS does the connection and in my mind that is how EAP-TTLS is supposed to work, with server validation and all. Android makes things very confusing, since it is making me install the CA on the device manually instead of just getting it via the started connection (like iOS does).
Can someone point what I am missing here? Am I wrong in some assumptions or is this just an Android technicality that is supposed to work this way? What would be the easiest setup solution in this case?
Thanks in advance!