💡 ArborXR supports remote provisioning of WiFi configurations: users create and configure a library of WiFi networks, then push a configuration to devices so that they join the new network without anyone touching the headset. Below are details on the supported security types, certificates, and proxies.
For more information about remotely provisioning WiFi configurations to devices, see this article.
Security
Open
Open (Unsecured)
This type has no further settings.
OWE (Opportunistic Wireless Encryption)
Only supported by devices that run Android 10 (or later) and are certified as "WiFi Certified Enhanced Open".
This type has no further settings.
Personal
WPA/WPA2
Technical name is PSK (Pre-Shared Key).
This is either WPA-Personal (WPA-PSK) or WPA2-Personal (WPA2-PSK).
Password: String 8 to 63 characters.
WPA3
Only supported by devices that run Android 10 (or later) and specifically advertise support for this.
Technical name is SAE (Simultaneous Authentication of Equals).
Also called WPA3-Personal (sometimes labelled WPA3-PSK, although SAE replaces the WPA2 pre-shared-key handshake with a password-authenticated key exchange).
Password: String of 1 to 63 characters.
Enterprise
WPA/WPA2
Technical name is EAP.
This is either WPA-Enterprise or WPA2-Enterprise.
EAP Method, one of:
  PEAP (Protected Extensible Authentication Protocol, also called "Protected EAP")
    Phase2 Method, one of:
      MSCHAPv2 (Microsoft's Challenge Handshake Authentication Protocol version 2)
        Identity: String
        Password: String
      GTC (Generic Token Card)
        Identity: String
        Password: String
    CA Certificate: X.509 certificate (see the Certificate Import section below)
    OCSP stapling: See the OCSP Stapling section below.
    Domain: String
    Anonymous Identity: String (the outer identity, sent in the clear before the TLS tunnel is established; set it to a placeholder such as anonymous@<realm> so that the real username in Identity is only sent inside the tunnel)
  TLS (Transport Layer Security)
    (Optional) User Certificate: X.509 certificate with its private key, as PKCS #12 (see the Certificate Import section below)
    CA Certificate: X.509 certificate (see the Certificate Import section below)
    OCSP stapling: See the OCSP Stapling section below.
    Domain: String
    Identity: String
  TTLS (Tunneled Transport Layer Security)
    Phase2 Method, one of:
      PAP (Password Authentication Protocol)
      MSCHAP (Microsoft's Challenge Handshake Authentication Protocol version 1)
      MSCHAPv2 (Microsoft's Challenge Handshake Authentication Protocol version 2)
      GTC (Generic Token Card)
    CA Certificate: X.509 certificate (see the Certificate Import section below)
    OCSP stapling: See the OCSP Stapling section below.
    Domain: String
    Identity: String
    Anonymous Identity: String (the outer identity, as for PEAP)
    Password: String
  PWD (Password)
    Identity: String
    Password: String
WPA3-Enterprise
Only supported by devices that run Android 10 (or later) and specifically advertise support for this.
Technical name is EAP Suite-B (WPA3-Enterprise 192-bit mode).
Settings: the same as EAP-TLS (it is EAP-TLS negotiated with the Suite B 192-bit cipher suites), except that the user certificate is required.
Certificate Enrollment
SCEP
SCEP (Simple Certificate Enrollment Protocol) allows devices to self-enroll for a certificate that can then be used to connect to a certificate-secured network. The headset generates its key pair locally, sends a certificate signing request to the SCEP server and receives the signed certificate back, so the headset must be able to reach the SCEP server over a network it can already join.
SCEP Configuration:
SCEP URL: URL to the SCEP server that will be used for the certificate enrollment.
SCEP Challenge Password: A password that was pre-shared between the SCEP server and the client. This password will be used during the enrollment to authenticate the client device. Currently, only static passwords are supported.
CA Certificate Type: This is an optional field for added security. The CA certificate lets the client verify that it is communicating and exchanging enrollment data with the intended SCEP server rather than an impersonator.
CUSTOM: upload the CA certificate of the SCEP server, if it is available.
SYSTEM: use a CA certificate of the SCEP server that is already present in the headset's system trust store.
DO NOT VALIDATE: skip CA certificate validation. This leaves the enrollment open to a spoofed SCEP server and is only appropriate for testing.
SCEP Limitations:
Only static challenge passwords are supported for enrollment.
The SCEP enrollment process should be automatic. Manual approval per enrollment is not supported.
SCEP Server Mandatory Functionality:
At a minimum, the SCEP server must support the following:
GetCACaps (reports the server's capabilities)
GetCACert (returns the CA certificate)
PKCSReq (the enrollment request, sent as a PKIOperation)
Binary PKIOperation data sent via HTTP POST (advertised as the POSTPKIOperation capability)
AES-128-CBC for message encryption (advertised as the AES capability)
SHA-256 for message digests (advertised as the SHA-256 capability)
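The list above can be checked against a server before any headset is pointed at it, because the server advertises what it supports in its GetCACaps response. The following is an added example, not ArborXR code or a tool the article describes: it builds the SCEP request URL, parses a GetCACaps response and reports which of the mandatory items are missing. The server URL is an assumption and the two responses are constructed samples, not captures from a real server.

```javascript
// Added example (not ArborXR code): pre-flight check of a SCEP server's advertised
// capabilities against the minimum list above. The server URL is an assumption and
// the GetCACaps responses are constructed samples, not captures from a real server.

// SCEP requests are HTTP GETs of the form <url>?operation=<op>&message=<msg>
// (RFC 8894, section 4.1); GetCACaps and GetCACert take an optional CA identifier.
function scepUrl(baseUrl, operation, message) {
  var u = new URL(baseUrl);
  u.searchParams.set("operation", operation);
  if (message !== undefined) u.searchParams.set("message", message);
  return u.toString();
}

// GetCACaps answers with one capability keyword per line. Keywords are compared
// case-insensitively here, which is lenient towards servers that vary the case.
function parseCaCaps(text) {
  return new Set(
    text.split(/\r?\n/).map(function (l) { return l.trim().toUpperCase(); }).filter(Boolean)
  );
}

// Requirement from the list above -> keyword the server has to advertise.
// GetCACaps, GetCACert and PKCSReq (a PKIOperation message) are not advertised as
// capabilities; every SCEP server implements them, so only the other three are checked.
var REQUIRED_CAPS = {
  "HTTP POST for PKIOperation": "POSTPKIOPERATION",
  "AES-128-CBC": "AES",
  "SHA-256": "SHA-256",
};

function checkScepCaps(capsText) {
  var caps = parseCaCaps(capsText);
  var missing = Object.keys(REQUIRED_CAPS).filter(function (req) {
    return !caps.has(REQUIRED_CAPS[req]);
  });
  return { ok: missing.length === 0, missing: missing, advertised: Array.from(caps).sort() };
}

// Constructed sample responses: one from a server that meets the requirements,
// one from a legacy server that only offers SHA-1/3DES over GET.
var GOOD_CAPS = "POSTPKIOperation\r\nRenewal\r\nSHA-256\r\nSHA-1\r\nAES\r\nDES3\r\n";
var WEAK_CAPS = "Renewal\r\nSHA-1\r\nDES3\r\n";

console.log(scepUrl("https://scep.example.com/scep", "GetCACaps", "ca"));
console.log(checkScepCaps(GOOD_CAPS));
console.log(checkScepCaps(WEAK_CAPS));
```

A server that reports only the legacy keywords (SHA-1, DES3, no POSTPKIOperation) will fail enrollment from the headset even though it is a working SCEP server for older clients, so run this check, or the equivalent GET in a browser, before rolling the configuration out.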
Certificate Import
Imported PKCS
Some Enterprise (EAP) methods, for WPA2-Enterprise and WPA3-Enterprise alike, require CA or user certificates.
Certificates must be X.509 certificates.
CA certificates (trusted root CA certificates) are used for server certificate validation on the device. The field is generally optional, but it is what stops the device from authenticating to an impersonated network with an identical SSID: without it, a rogue access point can present any certificate and capture the credential exchange (plaintext for PAP/GTC, a crackable challenge-response for MSCHAPv2). Configure it, together with Domain, whenever the server certificate allows.
CA certificates should be in a .cer, .crt or .pem format.
Instead of specifying a CA certificate, the device's system certificates (the Android system trust store) can be used. Because that store trusts many public CAs, any server certificate issued by one of them would then be accepted, so the Domain field matters even more in that case.
User certificates (client certificates) are presented by the device so that the authentication server can identify and authenticate it. They must be supplied as a PKCS #12 bundle in .p12 or .pfx format that contains both the certificate and its private key.
To convert a private key and a certificate together to create a PKCS 12:
openssl pkcs12 -export -in Cert.PEM -inkey PrivateKey.key -out UserCert.p12
For the above conversion, we recommend the use of OpenSSL 3.x.
OCSP (Online Certificate Status Protocol) Stapling
Only supported by devices that run Android 11 (or later). This setting is ignored on devices running earlier versions of Android.
Formally, this is the TLS "Certificate Status Request" extension (RFC 6066): the authentication server attaches a fresh OCSP response for its own certificate to the TLS handshake, so the device can check revocation without contacting the OCSP responder itself, which it normally cannot reach before it is on the network.
Enum, one of:
None (Don't staple)
Request Status (Try to staple, but don't require a response)
Require Status (Require a valid response)
Require All non-trusted status (Require a valid response for all non-trusted certificates in the server certificate chain)
Domain (Domain Suffix Match) is used to validate the authentication server's certificate. If set, the value is compared, one DNS label at a time starting from the top-level domain, against the DNS Name entries in the server certificate's SubjectAltName; the certificate is accepted only if one entry ends in all of the given labels (so corp.example.com accepts nps01.corp.example.com but not fakecorp.example.com). Without it, any certificate issued by the configured CA is accepted, whichever server presents it.
💡 On Android 11+ devices, in environments where you authenticate against a RADIUS server, the "Domain" field needs to be populated with (a suffix of) the SubjectAltName DNS name of the NPS server's certificate.
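The label-wise suffix rule is easy to get wrong when checking a server certificate by hand (a plain "ends with" comparison accepts fakecorp.example.com). The following is an added example, not ArborXR code: it implements the comparison the way the device applies it, including the fallback to the Subject CN when the certificate has no DNS Name entries. The two "certificates" are constructed objects holding only the fields a parser would extract, not real certificates.

```javascript
// Added example (not ArborXR code): domain suffix match as applied to the dNSName
// SubjectAltName entries of the RADIUS server certificate. Labels are compared from
// the right, so "corp.example.com" matches "nps01.corp.example.com" but neither
// "fakecorp.example.com" nor "corp.example.com.attacker.net".

function normalizeLabels(name) {
  // Case-insensitive; a trailing dot (absolute FQDN form) is ignored.
  return name.trim().toLowerCase().replace(/\.$/, "").split(".").filter(Boolean);
}

function labelSuffixMatch(candidate, suffix) {
  var c = normalizeLabels(candidate);
  var s = normalizeLabels(suffix);
  if (s.length === 0 || c.length < s.length) return false;
  for (var i = 1; i <= s.length; i++) {
    if (c[c.length - i] !== s[s.length - i]) return false;
  }
  return true;
}

// serverCert is a constructed stand-in: { dnsNames: [...], commonName: "..." } are the
// two fields a real X.509 parser would provide from the server certificate.
function serverCertMatchesDomain(serverCert, domain) {
  var dnsNames = serverCert.dnsNames || [];
  if (dnsNames.length > 0) {
    return dnsNames.some(function (n) { return labelSuffixMatch(n, domain); });
  }
  // Only when the certificate carries no dNSName at all is the Subject CN consulted.
  return serverCert.commonName ? labelSuffixMatch(serverCert.commonName, domain) : false;
}

// Constructed sample certificates (not real certificates).
var npsCert = {
  dnsNames: ["nps01.corp.example.com", "radius.corp.example.com"],
  commonName: "nps01.corp.example.com",
};
var rogueCert = {
  dnsNames: ["corp.example.com.attacker.net", "fakecorp.example.com"],
  commonName: "corp.example.com",
};

console.log(serverCertMatchesDomain(npsCert, "corp.example.com"));
console.log(serverCertMatchesDomain(rogueCert, "corp.example.com"));
```

Note that rogueCert is rejected even though its Subject CN is an exact match: the CN is only consulted when the certificate has no DNS Name entries at all, so a matching CN on a certificate with unrelated SANs does not help an attacker.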
Identity is the identity the device presents in the EAP exchange. With certificate-based methods the server checks it alongside the user certificate, so this field is usually required when a user certificate is configured.
Proxy
Only supported by devices that run Android 8.0 (or later).
Static
Host name: String
Port number: Integer from 0 to 65535
(Optional) List of hosts to bypass: String list
Can include wildcards, e.g. *.example.com, *.google.com
PAC (Proxy Auto-Config)
URL that points to a "PAC file". The file contains a JavaScript function FindProxyForURL(url, host) that decides, per request, whether to connect via a particular proxy server or directly. Because the PAC file dictates where every request is sent, serve it over HTTPS from a host you control.
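A PAC file that reproduces the static proxy settings above (a proxy for everything except a wildcard bypass list), as an added example rather than a file from ArborXR or the article. The proxy host, port and bypass entries are assumptions. Browsers and Android supply shExpMatch and isPlainHostName to PAC scripts natively; they are defined here with the same behaviour so the file can also be run and tested under Node.js, and the definitions are harmless if left in the deployed file.

```javascript
// Added example (not an ArborXR file): PAC script with a wildcard bypass list.
// Proxy address and bypass entries are assumptions for illustration.

// Shell-style glob used by PAC bypass rules: "*" matches any run of characters,
// "?" matches one. Regex metacharacters in the pattern are escaped first so that
// "127.0.0.1" is matched literally.
function shExpMatch(str, shexp) {
  var re = "^" + shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Unqualified names such as "fileserver" are intranet hosts.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Same syntax as the static proxy "hosts to bypass" field. Note that "*.example.com"
// does not match the bare "example.com"; list the apex separately if it should be direct.
var BYPASS = ["*.example.com", "localhost", "127.0.0.1", "*.local"];

// Assumed proxy. Append "; DIRECT" only if falling back to a direct connection when
// the proxy is unreachable is acceptable; it also means the proxy is not enforced.
var PROXY = "PROXY proxy.example.com:8080";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isPlainHostName(host)) return "DIRECT";
  for (var i = 0; i < BYPASS.length; i++) {
    if (shExpMatch(host, BYPASS[i])) return "DIRECT";
  }
  return PROXY;
}

console.log(FindProxyForURL("http://intranet.example.com/", "intranet.example.com"));
console.log(FindProxyForURL("https://www.example.org/", "www.example.org"));
```

Only the host is used for the decision here; matching on the full url would let a request to an allowed host but an unexpected scheme or port slip past, which is rarely what a bypass list is meant to do.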