Ronald M.

Reputation: 63

Connect to Enterprise WPA2 wifi on Android 10+

I'm trying to create an enterprise WPA2 connection in Flutter with Kotlin native code. I'm using the WifiSuggestion API because I want the wifi to keep the connection even after the app closes. Here's the implementation:

            val enterpriseConfig = WifiEnterpriseConfig()

            enterpriseConfig.identity = uid
            enterpriseConfig.password = uPassword
            enterpriseConfig.eapMethod = WifiEnterpriseConfig.Eap.PEAP
            enterpriseConfig.phase2Method = WifiEnterpriseConfig.Phase2.MSCHAPV2

            val eduroamSuggestion = WifiNetworkSuggestion.Builder()
                    .setSsid(wifiSSID)
                    .setWpa2EnterpriseConfig(enterpriseConfig)
                    .build()

And I'm getting the java.lang.IllegalArgumentException: Enterprise configuration is insecure error, as shown in the stack trace below:

E/MethodChannel#br.uff.uffmobileplus/uffmobile_channel(11612): Failed to handle method call
E/MethodChannel#br.uff.uffmobileplus/uffmobile_channel(11612): java.lang.IllegalArgumentException: Enterprise configuration is insecure
E/MethodChannel#br.uff.uffmobileplus/uffmobile_channel(11612):  at android.net.wifi.WifiNetworkSuggestion$Builder.setWpa2EnterpriseConfig(WifiNetworkSuggestion.java:271)
E/MethodChannel#br.uff.uffmobileplus/uffmobile_channel(11612):  at br.uff.uffmobileplus.WifiHandler$Companion.assembleConnection(WifiHandler.kt:171)
E/MethodChannel#br.uff.uffmobileplus/uffmobile_channel(11612):  at br.uff.uffmobileplus.MainActivity.configureFlutterEngine$lambda-0(MainActivity.kt:59)
E/MethodChannel#br.uff.uffmobileplus/uffmobile_channel(11612):  at br.uff.uffmobileplus.MainActivity.lambda$1vo85UVy1PXOPIbKlJk84gSeKS4(Unknown Source:0)
E/MethodChannel#br.uff.uffmobileplus/uffmobile_channel(11612):  at br.uff.uffmobileplus.-$$Lambda$MainActivity$1vo85UVy1PXOPIbKlJk84gSeKS4.onMethodCall(Unknown Source:2)
E/MethodChannel#br.uff.uffmobileplus/uffmobile_channel(11612):  at io.flutter.plugin.common.MethodChannel$IncomingMethodCallHandler.onMessage(MethodChannel.java:262)
E/MethodChannel#br.uff.uffmobileplus/uffmobile_channel(11612):  at io.flutter.embedding.engine.dart.DartMessenger.invokeHandler(DartMessenger.java:296)
E/MethodChannel#br.uff.uffmobileplus/uffmobile_channel(11612):  at io.flutter.embedding.engine.dart.DartMessenger.lambda$dispatchMessageToQueue$0$DartMessenger(DartMessenger.java:320)
E/MethodChannel#br.uff.uffmobileplus/uffmobile_channel(11612):  at io.flutter.embedding.engine.dart.-$$Lambda$DartMessenger$AIEPqY6mWzaNK15HekX9bftoAXs.run(Unknown Source:12)
E/MethodChannel#br.uff.uffmobileplus/uffmobile_channel(11612):  at android.os.Handler.handleCallback(Handler.java:938)
E/MethodChannel#br.uff.uffmobileplus/uffmobile_channel(11612):  at android.os.Handler.dispatchMessage(Handler.java:99)
E/MethodChannel#br.uff.uffmobileplus/uffmobile_channel(11612):  at android.os.Looper.loop(Looper.java:236)
E/MethodChannel#br.uff.uffmobileplus/uffmobile_channel(11612):  at android.app.ActivityThread.main(ActivityThread.java:8037)
E/MethodChannel#br.uff.uffmobileplus/uffmobile_channel(11612):  at java.lang.reflect.Method.invoke(Native Method)
E/MethodChannel#br.uff.uffmobileplus/uffmobile_channel(11612):  at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:656)
E/MethodChannel#br.uff.uffmobileplus/uffmobile_channel(11612):  at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:967)

Upvotes: 3

Views: 1105

Answers (1)

Froggy

Reputation: 359

The Android source code holds the answer. Your error message appears when WifiEnterpriseConfig.isInsecure() evaluates to true.

For your case, you

  • must add either enterpriseConfig.DomainSuffixMatch or enterpriseConfig.AltSubjectMatch, and
  • depending on the environment, I believe you may have to add the RADIUS server's CA certificate via enterpriseConfig.CaCertificate.

For username/password authentication, it is important to validate the RADIUS server's certificate. Otherwise, the client will send the credentials to an attacker who set up a WiFi with SSID "eduroam".

Upvotes: 3
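
The configuration the answer describes, as an added example that is not part of the original answer or the asker's project: it sets both a CA certificate and a domain suffix match before building the suggestion. The helper names, the `caPem` stream, and the `serverDomain` value are assumptions; use the CA and RADIUS server name published by your institution.

```kotlin
import android.net.wifi.WifiEnterpriseConfig
import android.net.wifi.WifiManager
import android.net.wifi.WifiNetworkSuggestion
import java.io.InputStream
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate

// Hypothetical helper: builds a PEAP/MSCHAPv2 suggestion that validates the RADIUS server.
// caPem: stream of the CA certificate (PEM or DER) that signed the RADIUS server
//        certificate, e.g. bundled with the app (assumption).
// serverDomain: placeholder such as "radius.example.edu"; replace with the real value.
fun buildValidatedSuggestion(
    ssid: String,
    uid: String,
    uPassword: String,
    caPem: InputStream,
    serverDomain: String
): WifiNetworkSuggestion {
    require(serverDomain.isNotBlank()) { "server domain is required for certificate matching" }

    val caCert = caPem.use {
        CertificateFactory.getInstance("X.509").generateCertificate(it) as X509Certificate
    }
    // Fail early on an expired or not-yet-valid CA instead of at connection time.
    caCert.checkValidity()

    val enterpriseConfig = WifiEnterpriseConfig().apply {
        identity = uid
        password = uPassword
        eapMethod = WifiEnterpriseConfig.Eap.PEAP
        phase2Method = WifiEnterpriseConfig.Phase2.MSCHAPV2
        caCertificate = caCert            // trust anchor for the server's certificate chain
        domainSuffixMatch = serverDomain  // server certificate name must match this suffix
    }

    return WifiNetworkSuggestion.Builder()
        .setSsid(ssid)
        .setWpa2EnterpriseConfig(enterpriseConfig)
        .build()
}

// Registers the suggestion; returns true only when the platform accepted it.
fun registerSuggestion(wifiManager: WifiManager, suggestion: WifiNetworkSuggestion): Boolean =
    wifiManager.addNetworkSuggestions(listOf(suggestion)) ==
        WifiManager.STATUS_NETWORK_SUGGESTIONS_SUCCESS
```

With both values set, a network that merely advertises the same SSID cannot complete the TLS handshake, so the MSCHAPv2 exchange carrying the credentials never starts.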
