Products Firewalla Gold SE Firewalla Gold Pro Firewalla Gold Plus Firewalla Purple Firewalla Purple SE Firewalla Wi-Fi SD Product Comparison Product Reviews

WPA3 Enterprise with Firewalla gold pro (latest beta and latest box) and Firewalla AP7 and Android phones

Follow
Avatar
Bob Coffey
WPA3 Enterprise with Firewalla gold pro (latest beta and latest box) and Firewalla AP7 and newer Android phones as of 3/28/2026: 1. Is it possible to get a UI update for upload/download of the radius certificate so this can be provided to Android devices for trust purposes? 2. Is there any recommendations from Firewalla or the community to get this working without disabling certificate validation on the android wifi ssid settings which allows mitm attacks which seems to defeat the benefits of using wpa3? I have the user (groups) setup and working. This is seemingly very easy to setup except for the trust issues. What is the suggested configuration for the radius server certificate and the Android devices attaching to the WiFi to use it?
0

Comments

5 comments

Sort by Date Votes
  • Avatar
    Firewalla CM
    • Edited

    Hi there,

    What Android device are you using? For devices that require you to select the authentication method, we recommend using:

    • EAP Method: PEAP
    • Phase 2 Authentication: MSCHAPV2
    • CA Certificate: Trust on First Use

    Which shouldn't require you to download the certificate on your device itself. For a full guide, see here: https://help.firewalla.com/hc/en-us/articles/46524481560467-WPA-Enterprise-Wi-Fi-with-RADIUS#h_01KAW66GB3M23SKEV5NXTXWR3Y

    Let me know if that helps (or if I misunderstood your questions).

    0
    Comment actions Permalink
  • Avatar
    Bob Coffey

    Very strange, tofu worked this time and prompted me to trust the Firewalla radius cert as expected. Oddly, I had previously tried domain and tofu and these hadn't worked. Thanks for the link. I had seen that in my searches. Can i use Synology as my radius server after turning on 3rd party radius on the latest Firewalla beta release and use a trusted cert to avoid using the default untrusted tofu cert?

    0
    Comment actions Permalink
  • Avatar
    Firewalla CM

    We only allow Firewalla to act as the local RADIUS Server; it cannot work with other 3rd-party servers.

    The "Allow 3rd-party APs" feature allows you to use Firewalla as your local RADIUS Server with non-Firewalla APs.

    0
    Comment actions Permalink
  • Avatar
    Bob Coffey

    Tofu will work for now with your recommended configuration then. Are there any further plans to better access the radius server certificate from the Firewalla UI to possibly allow upload and download of trusted certs? The reason for asking is tofu does not block out mitm attacks, but it's certainly much better than bypassing certificate validation all together.

    0
    Comment actions Permalink
  • Avatar
    Firewalla CM

    We'll forward your request to our developers and see if they can look into uploading/downloading certs in the future.

    Please let us know if you encounter any other issues with connecting to Firewalla RADIUS.

    Thank you!

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post