Hi It's partially off-topic to FreeRADIUS specifically, however it's related to provisioning and configuration so I give it a shot: I've been sending users through a open setup-only SSID to an informational page where I'd either forward them to enterprise-wifi.net (previously 802.1x-config.org) for platforms supported there. For others like Android I'd provide instructions on how to get connected manually. On that page we'd link a download to the CA certificate the Android supplicant should trust for the encrypted SSID and I'd show the users how to get it loaded. I remember this having worked over a couple of Android vendors. I've come to realize that more recent Android's landing page browsers would request the certificate (according to the Webserver logs) but then wouldn't do anything on the user side. - Users can't even download it. Back then I remember that I had to tweak the MIME type for Apple's .mobileconfig and certificate files (application/x-apple-aspen-config) files on the webserver. Also some Androids required to set application/x-x509-ca-cert for PEM encoded CA certificates to be downloaded correctly but that doesn't seem to work anymore. (wget --verbose shows the type) Is there something Android / Chrome has changed that I need to take care of in order to fix certificate downloads? Maybe people related to eduroam have experience? (Though eduroam can use an Android app, even if it's not perfect yet) Regards Mathieu