Securely connect Android devices to corporate Wi-Fi

Source: Internet
Author: User

Compared with personal or pre-shared key (PSK) mode, connecting to a wireless network secured with the enterprise, or 802.1X, mode of Wi-Fi security works differently. While connecting personal laptops to the corporate network is no longer a technical problem, the rapid popularity of Android devices brings a series of additional setup options that we may not have seen before.

In today's article, we'll look at what these settings do and what you need to be aware of when you connect your Android device to your corporate Wi-Fi environment:

Download and install all necessary digital certificate files

First, we need to obtain all the necessary digital certificate files. For example, if you are using 802.1X EAP-TLS mode, request the relevant files from your network administrator. In addition, we also need to download other types of certificates, such as the CA certificate, to ensure that authentication between the device and the server succeeds.

In newer versions of Android, the certificate import starts automatically once the file download is complete. All you need to do is enter a name for the certificate and select the Wi-Fi access point that the certificate is used for. If your device does not yet have lock-screen security turned on, you may be prompted to enable it.

▲ Installation screen after the digital certificate download is complete on Android

In earlier versions of Android, you may need to start the certificate import yourself by opening the Security or Location & security settings and selecting "Install from SD card". If one has not already been set, the system will prompt you to create a password for the certificate store.

Connect to the enterprise network

As with any other Wi-Fi network, tap the network name in the list of nearby wireless networks to connect. The first time you connect, the system will prompt you to complete the authentication settings.

If the correct EAP method is not already selected, select one that the network you are connecting to supports. If you already have a user name and password for the Wi-Fi network, you can generally choose an EAP method. If you had to install a digital certificate for it, the TLS method may be the most appropriate.

For most EAP methods, you can specify a CA certificate, which, as we said earlier, must be installed first. For TLS, you must also specify a user certificate.

The following are the correct setting options when using EAP or TLS methods:

▎ Phase 2 authentication: Optionally select the external authentication method supported by the network, such as MS-CHAPv2 or GTC. MS-CHAPv2 is the most common, but if you cannot determine whether it is supported, you can choose None.

▎ Identity: The technical term for the "username", which may include a domain name (for example, jsmith@company.com), depending on the network.

▎ Anonymous identity: In most cases, you can leave this field blank. However, if possible, I personally suggest that you enter a random user name for it, such as "anonymous".

By default, the username is sent to the authentication server twice. The first time it is sent unencrypted, as the external or anonymous identity; the second time it is sent through an encrypted channel, as the internal identity. In most cases, authentication completes successfully without the real user name in the external identity. For this reason, we should avoid putting the real user name there, so that anyone eavesdropping on the network cannot read it.

However, some networks require a full username, or at least the correct domain or realm, in the external identity, such as "anonymous@domain.com".

▎ Enter password: Enter the password for the login account here.

Keep in mind that you can modify these authentication settings whenever you need to. Doing so is simple: long-press the corresponding network name and choose "Modify Network configuration."
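The unencrypted first send described above travels in an EAP-Response/Identity packet, so an administrator can check what a device reveals by inspecting that packet. The following is an added example, not part of the original article: the function names, the placeholder list and the sample packets are constructed for illustration, and the packet layout follows RFC 3748.

```python
import struct

EAP_RESPONSE = 2        # EAP Code field: Response
EAP_TYPE_IDENTITY = 1   # EAP Type field: Identity


def build_identity_response(identifier, identity):
    """Build a constructed EAP-Response/Identity packet for the demo."""
    data = identity.encode("utf-8")
    header = struct.pack("!BBHB", EAP_RESPONSE, identifier,
                         5 + len(data), EAP_TYPE_IDENTITY)
    return header + data


def parse_outer_identity(packet):
    """Return the cleartext identity, or None if this is not a valid
    EAP-Response/Identity (wrong code/type, truncated, bad length)."""
    if len(packet) < 5:
        return None
    code, _ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        return None
    if length < 5 or length > len(packet):
        return None
    return packet[5:length].decode("utf-8", errors="replace")


def split_realm(identity):
    """Split 'user@realm' or 'DOMAIN\\user' into (user, realm)."""
    if "@" in identity:
        user, realm = identity.rsplit("@", 1)
        return user, realm
    if "\\" in identity:
        realm, user = identity.split("\\", 1)
        return user, realm
    return identity, ""


def audit_outer_identity(packet, placeholders=("", "anonymous")):
    """Report whether the unencrypted identity exposes a real user name.
    The placeholder list is an assumption; adjust it to local policy."""
    outer = parse_outer_identity(packet)
    if outer is None:
        return {"status": "not-identity-response"}
    user, realm = split_realm(outer)
    status = "ok" if user.lower() in placeholders else "exposed"
    return {"status": status, "user": user, "realm": realm}


if __name__ == "__main__":
    for name in ("jsmith@company.com", "anonymous@company.com", "anonymous"):
        print(name, audit_outer_identity(build_identity_response(1, name)))
```

The realm is reported separately because, as noted above, some networks need it in the external identity to accept the request.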
