Connecting Android 11+ Devices to WPA Enterprise SSID
Android 11 introduced stricter security requirements for WPA-Enterprise connections. This guide explains the changes and how to configure Android 11+ devices to connect to IronWifi-secured enterprise WiFi networks.
What Changed in Android 11
Starting with Android 11, Google enforced stricter certificate validation for enterprise WiFi connections:
- CA certificate is required - You can no longer skip certificate validation. The "Do not validate" option was removed.
- Domain suffix must be specified - The RADIUS server domain must be provided for server certificate verification.
- System certificates supported - You can select "Use system certificates" instead of installing a custom CA.
Configuration Steps
Using System Certificates (Recommended)
- Open Settings > Network & Internet > Wi-Fi
- Tap the enterprise network or Add network
- Configure:
  - EAP method: PEAP (or TTLS)
  - Phase 2 authentication: MSCHAPV2 (or PAP for TTLS)
  - CA certificate: Use system certificates
  - Domain: Enter the RADIUS server domain (e.g., radius.ironwifi.com)
  - Identity: Your username
  - Password: Your password
- Tap Connect
Using a Custom CA Certificate
If your organization uses a private CA:
- Download the CA certificate to your device
- Open Settings > Security > Encryption & credentials
- Tap Install a certificate > CA certificate
- Acknowledge the warning and select the certificate file
- When configuring Wi-Fi, select your installed certificate
- Enter the domain suffix
Finding the Domain Value
The domain value must match the domain in the RADIUS server certificate. For IronWifi:
- Use radius.ironwifi.com or your custom RADIUS hostname
- Check the IronWifi console for your specific RADIUS server domain
- The domain is typically shown on the Networks page
MDM Deployment
For managed devices, push the WiFi profile via MDM to avoid manual configuration:
- Include the CA certificate in the profile
- Pre-configure the domain field
- Set the EAP method and Phase 2 authentication
- Use variable substitution for user identity
Troubleshooting
"Can't connect to this network"
- Ensure the Domain field is correctly filled in
- Try "Use system certificates" for the CA certificate
- Verify credentials are correct
Previously Working Network Stopped Connecting
After upgrading to Android 11+, saved networks without proper certificate configuration may stop working:
- Forget the saved network
- Re-add the network with proper certificate and domain settings
- Connect again
Certificate Not Accepted
- Ensure the CA certificate is installed under User certificates or use System certificates
- Verify the domain matches the RADIUS server certificate's Subject Alternative Name
- Check that the certificate hasn't expired
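To test a Domain value against the names in a RADIUS server certificate before rolling it out, the following added example (not IronWifi's or Android's code) applies the label-wise suffix rule documented for wpa_supplicant's domain_suffix_match, which the Wi-Fi Domain field is assumed here to follow. The function names and the sample certificate names are constructed for illustration.

```python
# Added example: label-wise suffix matching as documented for
# wpa_supplicant's domain_suffix_match (assumed to back the Domain field).
# Wildcard SAN entries are compared literally, not expanded.

def _labels(name):
    """Lower-case a DNS name and split it into labels, dropping a trailing dot."""
    return name.strip().rstrip(".").lower().split(".")

def suffix_matches(cert_name, domain):
    """True if every label of `domain` sits at the end of `cert_name`."""
    want, have = _labels(domain), _labels(cert_name)
    if not all(want) or len(have) < len(want):
        return False  # empty label (blank or ".example.com") or name too short
    return have[-len(want):] == want

def domain_accepts(domain_field, san_dns_names, subject_cn=None):
    """Evaluate a Domain value against a server certificate's names.

    dNSName SAN entries are checked first; the subject CN is consulted only
    when the certificate carries no dNSName entries at all. Several domains
    may be given, separated by semicolons.
    """
    candidates = list(san_dns_names) or ([subject_cn] if subject_cn else [])
    domains = [d for d in domain_field.split(";") if d.strip()]
    return any(suffix_matches(c, d) for c in candidates for d in domains)

if __name__ == "__main__":
    # Constructed certificate names, not taken from a real server.
    cases = [
        ("radius.ironwifi.com", ["radius.ironwifi.com"]),   # exact match
        ("ironwifi.com", ["radius.ironwifi.com"]),          # parent domain
        ("ironwifi.com", ["radius-ironwifi.com"]),          # look-alike label
        ("ironwifi.com", ["ironwifi.com.example.net"]),     # prefix, not suffix
        ("", ["radius.ironwifi.com"]),                      # blank Domain field
    ]
    for domain, sans in cases:
        verdict = "accept" if domain_accepts(domain, sans) else "reject"
        print(f"Domain={domain!r:24} SAN={sans} -> {verdict}")
```

A look-alike name such as radius-ironwifi.com is rejected because the comparison works on whole labels, which is why the Domain value should be as specific as the deployment allows.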
Related Topics
- Android - EAP-PEAP - PEAP configuration
- Android - EAP-TLS - Certificate-based authentication
- Android - TTLS + PAP - TTLS configuration