Thanks so much for the response. Perhaps the docs could be updated? Tech support told me it wasn't supported yet.
Regarding the problem, we are using a Pixel XL and Pixel 2. It's definitely not trying to join an open SSID. However, I just discovered a clue to the problem by looking at the logs on our Palo Alto firewall, which is linked to Cloudpath.
Even though my Android 9 device has been onboarded and is using a certificate for 802.1x authentication to the encrypted SSID, some of the initial traffic through the firewall is blocked during roaming and initial connection. The traffic is to IPs associated with "www.google.com". Per the logs, the traffic is blocked because the firewall does not yet have a user name associated with the device for policy matching on the firewall.
If I whitelist "www.google.com", the phone properly connects to the secure SSID and is authenticated to the firewall with the username embedded in the cert.
If I don't whitelist "www.google.com", then I need to click through the captive portal browser to get authenticated after roaming.
These problems only surfaced with Android 9. Prior versions did not require this.
I guess I could work around this by allowing a permanent exception to "www.google.com" for my wireless network, but I'd prefer not to do that. Suggestions appreciated. Thanks!