Description

My wireless network uses WPA2-Enterprise security, with EAP-TLS authentication. I have configured my Puxel 9 Pro XL to connect to the network. Shortly after, my Pixel Watch arrived, which does not support WPA2-Enterprise. To allow it to connect, I have configured my network to allow WPA2-PSK authentication for that SSID for the watch alone, and issued it an individual passphrase. Both devices connected fine - the phone was using WPA2-Enterprise with EAP-TLS, and the watch was using WPA2-Personal with the passphrase. At one point I left home, and disabled Wi-Fi on my phone. After coming home, I re-enabled Wi-Fi on my phone, and the phone was prompting me for a password to connect to the network, despite it having configured WPA2-Enteprise credentials, and having previously used them. I checked my AP logs, and those credentials were not being rejected, in fact, no connection attempt was being made at all.

The network uses a hidden SSID. The EAP-TLS scheme uses a 2-tier self-signed CA. There is a Root CA, which issued a Wi-Fi CA certificate, which further issued a certificate for the RADIUS server and for the clients. So the scheme looks like this (not actual domain names):

• Root CA
  • Wi-Fi CA
    • RADIUS Server (wifi.example.com)
    • Clients (client1@wifi.example.com ...)

The phone's Wi-Fi security is configured as such:

• Security: WPA2-Enterprise
• EAP Method: TLS
• CA certificate: Root CA
• Minimum TLS version: 1.2
• Online certificate status: Do not verify
• Domain: RADIUS Server domain name (here: wifi.example.com)
• User certificate: Client certificate (here: client1@wifi.example.com)
• Identify: Same as Client Certificate Common Name (here: client1@wifi.example.com)

This particular issue occurs with a phone and a watch, but it should happen regardless of other device types.

Affected devices

• Google Pixel 9 Pro XL (Android version: 14)
• Google Pixel Watch 3 45mm (WearOS version: 5.0)

Steps to reproduce

0. Prepare 2 devices: an Android device, and another Wi-Fi-enabled device.
1. Generate keys and certificates necessary for EAP-TLS authentication. Ideally, a scheme similar to the above should be used.
2. Install the client certificate and private key, Wi-Fi CA, and Root CA on the phone.
3. Set up a RADIUS server which performs EAP-TLS authentication. Use the RADIUS Server certificate as server certificate, with server name being the same as the certificate's Common Name (here: wifi.example.com). Use Wi-Fi CA or Root CA for validating client certificates.
4. Set up a Wi-Fi access point with WPA2-Enterprise security, hidden SSID, and EAP-TLS authentication. Use the RADIUS server set up in prior step as the authentication server for clients.
5. Configure the first device to connect to the network, as outlined in the bug description.
6. Enable WPA2-PSK authentication on the network, and set up an individual passphrase for the second device.
7. Connect the second device to the network using WPA2-PSK security and the individual passphrase.
8. Disconnect both devices from the network by disabling Wi-Fi for a minute or two.
9. Enable Wi-Fi on both devices and attempt to reconnect to the network.

Expected result

Both devices connect to the network.

Actual result

The first device does not connect, and instead prompts for a password.

Workaround

Currently, I have worked around this issue by configuring the primary SSID to use WPA2-Enterprise security only, and created a separate SSID with WPA2-PSK security for the watch. This is a rather inconvenient setup, however.