Question
Monday, July 6, 2020 7:41 PM
Hello all,
At one of our customers I got the request to configure WPA2 Enterprise with authentication based on certificates for the Azure AD joined / Intune enrolled devices. Devices are not hybrid joined.
First we set up NPS/RADIUS for user authentication with user certificates. This works fine, and after login the Wi-Fi is connected.
But with this we don't have a Wi-Fi connection (so no internet connection) at logon. We would like to have an internet connection at logon, so we can log in to the devices for the first time.
So we deployed a device certificate with Intune based on PKCS. The certificate is placed in the personal computer certificate store, and we changed the Wi-Fi profile so it is set to user and device authentication.
Unfortunately the connection cannot be made. We get a message at login that a certificate is not present, while we have a device certificate in place.
When we change to just device authentication in the Wi-Fi profile, it cannot connect at all, not even after the user is logged in.
The only guess I could think of is that NPS doesn't know the device and does not permit it to connect.
Does anyone have an idea that can help me out?
All replies (6)
Tuesday, July 7, 2020 1:33 PM ✅Answered
Just an update. It seems that I solved it.
I found out that I had 2 issues:
- The certificate was not yet valid because the time on the device was not correct. It was set to one hour earlier. After correcting the time (the time service was not available on the domain network, so I had to open UDP 123) the certificate was valid.
- The Wi-Fi configuration on the client was set to PEAP instead of smartcard or certificate.
After correcting both issues, the device is connecting to the Wi-Fi with the device certificate based on computer authentication.
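As an added example for this thread (not part of the original posts): a PowerShell diagnostic that checks the two things the answer above found, machine-certificate validity against the local clock and time source, and the EAP method and authentication mode of the WLAN profile. The profile name `Corp-WiFi` and the NTP host are placeholders, not values from the thread.

```powershell
# Added diagnostic for the two root causes in the answer above: a device clock
# that is behind (certificate "not yet valid") and a WLAN profile set to PEAP
# instead of EAP-TLS. Example code for this thread, not from the original posts.
# Assumptions: profile name and NTP host below are placeholders.
$ProfileName = 'Corp-WiFi'
$NtpServer   = 'time.windows.com'

# 1. Machine certificates: flag anything not valid right now and show the
#    NotBefore boundary, so a clock that is an hour behind is obvious.
$now = Get-Date
Write-Host "Local time: $now  (UTC $($now.ToUniversalTime()))"
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $status = if ($now -lt $_.NotBefore) { 'NOT YET VALID' }
              elseif ($now -gt $_.NotAfter) { 'EXPIRED' }
              else { 'valid' }
    [pscustomobject]@{
        Subject    = $_.Subject
        Issuer     = $_.Issuer
        NotBefore  = $_.NotBefore
        NotAfter   = $_.NotAfter
        # Client Authentication EKU (1.3.6.1.5.5.7.3.2) is what EAP-TLS needs.
        ClientAuth = $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2'
        Status     = $status
    }
} | Format-Table -AutoSize

# 2. Time source: is the service synchronised, and is the NTP source reachable
#    over UDP/123 from this network? (stripchart just times out if it is blocked)
w32tm /query /status
w32tm /stripchart /computer:$NtpServer /samples:1 /dataonly

# 3. WLAN profile: export the XML and inspect the 802.1X settings.
#    EAP method type 13 = EAP-TLS ("Smart Card or other certificate"),
#    25 = PEAP. authMode must allow machine auth for a pre-logon connection.
$tmp = Join-Path $env:TEMP 'wlan-export'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
Get-ChildItem $tmp -Filter '*.xml' | Remove-Item -Force
netsh wlan export profile name="$ProfileName" folder="$tmp" | Out-Null
$xmlFile = Get-ChildItem $tmp -Filter '*.xml' | Select-Object -First 1
[xml]$wlanXml = Get-Content $xmlFile.FullName

$ns = New-Object System.Xml.XmlNamespaceManager($wlanXml.NameTable)
$ns.AddNamespace('w',   'http://www.microsoft.com/networking/WLAN/profile/v1')
$ns.AddNamespace('ox',  'http://www.microsoft.com/networking/OneX/v1')
$ns.AddNamespace('ehc', 'http://www.microsoft.com/provisioning/EapHostConfig')
$ns.AddNamespace('ec',  'http://www.microsoft.com/provisioning/EapCommon')

$authMode = $wlanXml.SelectSingleNode('//ox:OneX/ox:authMode', $ns).InnerText
$eapType  = $wlanXml.SelectSingleNode('//ehc:EapHostConfig/ehc:EapMethod/ec:Type', $ns).InnerText

$method = switch ($eapType) {
    '13'    { 'EAP-TLS (certificate)' }
    '25'    { 'PEAP (wrong for certificate-only device authentication)' }
    default { "EAP type $eapType" }
}
Write-Host "Profile '$ProfileName': authMode=$authMode, method=$method"
if ($authMode -notin @('machine', 'machineOrUser')) {
    Write-Warning 'authMode does not permit machine authentication; there will be no Wi-Fi before logon.'
}
if ($eapType -ne '13') {
    Write-Warning 'Profile is not EAP-TLS; set it to "Smart Card or other certificate".'
}
```

Run it in an elevated PowerShell on the affected device. A certificate reported as NOT YET VALID together with a `w32tm /stripchart` that times out points at the clock problem from the answer; an `authMode` of `user` or an EAP type of 25 points at the profile problem.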
Tuesday, July 7, 2020 2:35 AM
Hi,
After deploying a certificate with Intune based on PKCS, the PKCS certificate should be exported and then added to an Intune device configuration profile.
Please refer to this official document on using certificates for authentication in Microsoft Intune:
/en-us/mem/intune/protect/certificates-configure
Hope this can help you.
Best regards,
Cherry
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Tuesday, July 7, 2020 1:29 PM
Hello Cherry,
Thank you for your help.
Can you explain a little more what you mean?
I already did an import of the trusted root certificate.
PKCS import is, as far as I know, only to enable S/MIME email encryption in your email profiles.
When I choose the PKCS certificate Windows 10 profile ("Set up a public key pair (PKCS) certificate to enable certificate-based authentication in your org."), it deploys the certificate automatically. This is the profile I used, and I set it to a device certificate.
When I check the installed certificates on my device, I can see that I have a personal device certificate and the trusted root certificate available.
Wednesday, July 8, 2020 1:15 AM
Hi,
I am glad to hear that your issue was successfully resolved. If there is anything else we can do for you, please feel free to post in the forum.
Best Regards,
Cherry
Thursday, July 23, 2020 7:53 PM
RonaldBe - I am trying to set up the same scenario in my environment, allowing AzureAD Joined computers to connect to wifi using device certificate for authentication. It sounds like I'm on the right track based on what you've said here, but I have one question still which I hope you might have also run across in your project.
Our current RADIUS rules also use machine certificate authentication for wireless clients, but restrict access to computers which are members of a specific AD group. With an AzureAD Joined computer (not hybrid), how can you control whether it is allowed to use that network connection? Just because a computer has a machine certificate from our internal CA doesn't necessarily mean that it is intended to connect to wireless.
Do you have any sort of restrictions on which devices are allowed to use the network connection, and if so, how did you implement those?
Monday, July 27, 2020 12:22 PM
Hello NeighborGeek,
Yes, you are correct: you cannot add an Azure AD joined device to a domain security group, so that will not work as a condition to check for on the NPS server.
First of all, with the correct requirements you can deploy a certificate from your internal CA to the devices with Intune. If you make sure that the certificate can only be deployed to your managed devices, is required to use the TPM and is not exportable, then I think you are safe to say that a device which has the certificate is a trusted device and is allowed to connect. So on the NPS server, in the connection policy, you do not use the group as a condition. You just set the NAS port type to Wireless and configure the authentication method.
If you use your internal CA for too many other certificates with device authentication and you have little or no control over where they go or where they can be used, and maybe those certificates are exportable, which makes it a security issue, then maybe it is better to use user certificates, because with those you can use a domain security group for the condition with the user as a member. But that would also mean that you should check that the user certificates cannot be used in the wrong way, even if it is by trusted users, for example if they can use the certificate on a private device, which you don't want.
On a network level you can probably still fall back to the MAC address as a condition, but this means you will have a big administrative burden to keep that updated for all of your devices.
Unfortunately I cannot find another option which is completely without security risks. For example, the condition "client friendly name" would be an option to use, so that only devices whose names start with your company prefix are allowed. But that means that if an unauthorized user knows about the prefix, he will just rename the device to get access. I don't think he will be able to see this in logging, because this kind of information is only logged on the NPS server, I believe. So if that is more acceptable compared to just the certificate, you can give it a try.
The only real solution I have for you is to make sure you don't use legacy resources anymore for your Azure AD joined devices, so all resources are cloud accessible. This way you do not need to connect to a secure corporate Wi-Fi to make sure unauthorized users cannot access your servers. All they need is access to the internet, and your security issues get a lot smaller. A cryptolocker, for example, will not be able to encrypt any files anymore if no file servers exist on your internet connection. In this case you can still use the Wi-Fi based on device certificates, because it is still better than a WPA2 pre-shared key and you can automate it with Intune.
Sorry that I cannot give you the answer you are probably hoping for but I hope this will still help.
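As an added example for this thread (not part of the original posts): the reply above rests on the device certificate's private key being TPM-bound and non-exportable, otherwise "has a certificate from our CA" does not mean "is a managed device". This PowerShell check reads the key storage provider and export policy of the machine certificates issued by a given CA. The issuer match string `Corp Issuing CA` is a placeholder; it needs to run elevated because it opens the private key handle.

```powershell
# Added check for the trust assumption in the reply above: a device certificate
# only proves "managed device" if its private key lives in the TPM and cannot be
# exported. Example code for this thread, not from the original posts.
# Assumption: $IssuerMatch is a placeholder substring of your issuing CA's subject.
$IssuerMatch = 'Corp Issuing CA'

# Name of the Windows TPM key storage provider (KSP).
$TpmProvider = 'Microsoft Platform Crypto Provider'

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -like "*$IssuerMatch*" } |
    ForEach-Object {
        $cert = $_
        $provider = $null; $exportPolicy = $null; $note = ''
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: provider name and export policy come straight from the key.
                $provider     = $rsa.Key.Provider.Provider
                $exportPolicy = $rsa.Key.ExportPolicy.ToString()
            } else {
                # Legacy CryptoAPI (CSP) key: never TPM-backed; read the CSP flags.
                $info         = $cert.PrivateKey.CspKeyContainerInfo
                $provider     = 'legacy CSP: ' + $info.ProviderName
                $exportPolicy = if ($info.Exportable) { 'AllowExport' } else { 'None' }
            }
        } catch {
            # Typically an access-denied on the key handle when not elevated.
            $note = "private key not accessible: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            Provider     = $provider
            ExportPolicy = $exportPolicy
            # Both must be true for the "certificate implies trusted device" argument.
            TpmBacked    = ($provider -eq $TpmProvider)
            NonExportable = ($exportPolicy -eq 'None')
            Note         = $note
        }
    } | Format-Table -AutoSize
```

A row with `TpmBacked` false or `NonExportable` false is a certificate that could be copied to an unmanaged machine and still pass an NPS policy whose only conditions are NAS port type and EAP-TLS; in that case the group-based user-certificate approach the reply describes is the safer fallback. The same provider and export information is also visible with `certutil -store My` under "Provider" and the key's export flags.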