CP 5.2.3959 (current rev) does not support Android 9 released in August. Is there a plan to support this version of Android? I was unable to find any info about a release date for an update.
I've tried to onboard 2 separate Android 9 phones -- both accept the 802.1x certificate but do not roam properly to neighboring APs. They require sign-in via the Android captive network assistant, or require turning off cellular data temporarily to activate an automatic sign in. This behavior is not present in Android 8 or earlier.
CP 5.2 is tested and supported on Android 9. We have tested specifically with Pixel and other variants. The above scenario looks like a roaming issue on these specific Andorid phones where the device prefers to join a open ssid during a roam event when joined to the secure ssid on the same AP. Perhaps for testing the theory out, can you manually delete or disable re-join for the open ssid and check if it roams?
Thanks so much for the response. Perhaps the docs could be updated? Tech support told me it wasn't supported yet.
Regarding the problem, we are using a Pixel XL and Pixel 2. It's definitely not trying to join an open ssid. However, I just discovered a clue to the problem by looking at the logs on our Palo Alto firewall which is linked to Cloudpath.
Even though my Android 9 device has been onboarded and is using a certificate for 802.1x authentication to the encrypted SSID, some of the initial traffic through the firewall is blocked during roaming and initial connection. The traffic is to IPs associated with "www.google.com". Per the logs, the traffic is blocked because the firewall does not yet have a user name associated with the device for policy matching on the firewall.
If I whitelist "www.google.com" the phone properly connects to the secure SSID and is authenticated to the firewall with the username embedded in the cert.
If I don't whitelist "www.google.com" then I need to click through the captive portal browser to get authenticated after roaming.
These problems only surfaced with Android 9. Prior versions did not require this.
I guess I could work around this by allowing a permanent exception to "www.google.com" for my wireless network, but I'd prefer not to do that. Suggestions appreciated. Thanks!