Configure WiFI profile with SCEP cert authentication

 

I will choose the user cert for this authentication, and the main reason is AAA with the proxy server.

I assume you know how to configure NPS server and just need to add an extra Policy for this scenario. For more info about how to configure NPS, see here:http://frankfu.click/microsoft/70-411-administering-win-2012r2/70411-chapter6-network-policy.html

Go to Azure portal, Intune, Device Configuration. Click Profiles, click + Create profile.  Select Windows 10 and later, Wi-fi, then click Create.

 

Basic: Give it a Name, description.

Configuration settings: Enterprise. And all the settings will pop up.

  • Wi-Fi type: Enterprise
  • Wi-Fi name (SSID) : Your wireless SSID in your environment.
  • Connection Name: Wireless_name
  • Connect automatically when in range: Yes
  • Connect to this network, even when it is not broadcasting its SSID: No
  • Metered Connection Limit: Unrestricted
  • Force Wi-Fi profile to be compliant with the Federal Information Processing Standard (FIPS): No
  • Company proxy settings: None (according to your company setting)
  • Single sign-on (SSO): Disable
  • Enable pre-authentication: No
  • EAP type: EAP – TLS
  • Certificate server names:  NPS_Server_FQDN
  • Root certificates for server validation: NHS Trusted Root Certificate
  • Authentication method :SCEP certificate
  • Client certificate for client authentication (Identity certificate): Win10UserCert
Create a Network Policy in NPS

Now it’s time to  create a network Policy in windows Server for this Wireless profile, the features are:

  • Access permission: Grant access.
  • Type of network access server: Unspecified

Under Conditions:

  • NAS Port Type: under Common 802.1X connection tunnel types, select Wireless – IEEE 802.11; under Others, select Wireless – Other.
  • User Groups: create a group for the wireless access, all users needed to be under this group for wireless access.

Constraints:

This is the most important part, we need to setup the Authentication Methods, which will match the authentication method we created in Wireless profile in last step.

Note that there are two parts include Smart Card or Other certificate, and only one will work here.

  • EAP types: Microsoft: Smart Card or other Certificate  Don’t choose this one!!!
  • EAP type: Microsoft: Protected EAP (PEAP), click Edit, then delete Secured password (EAP–MSCHAP V2). Under Eap Types, Click Add, choose Smart card or other certificate,

Keep the default for other settings, click OK multiple times to exit.

Reference:

https://docs.microsoft.com/en-us/archive/blogs/askds/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates
https://docs.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure
Renew NDES RA cert:
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200543-Renew-SCEP-RA-certificate-on-Windows-Ser.html
Pages: 1 2 3 4