You have been tasked with enabling automatic Wi-Fi authentication. You can do this with a preshared key or with certificate-based authentication (EAP-TLS over 802.1X). So which one should you choose? The answer is simple. A preshared key is quick to set up, but it is one secret shared by every device: anyone who learns it (a departed employee, a leaked config) can join the network, and you cannot revoke a single device without rotating the key on all of them. If you only need a quick solution and have no security or compliance requirements, a preshared key will do. If you want a solution that lets you meet compliance requirements and keep your data safe, use certificates: each device gets its own credential, which can be revoked individually. In this blog we give you a quick overview of the technology needed and links to guides on how to set it up. The best part? You can have a POC running in less than an hour (yes, really, from zero to hero that quickly; if you don't believe me, watch the video below)!
To set up Wi-Fi authentication with certificates, you need three components: a certificate authority to issue the certificates, a way to get a certificate onto every device, and a RADIUS server that your network gear can hand authentication to. We cover each of them below.
The first thing to cover is distributing your certificates. For this you need a certificate authority that integrates with your MDM, so certificates are pushed to devices seamlessly without you having to maintain the PKI infrastructure yourself. We of course recommend EZCA; the video below shows how to integrate it with Intune, but it works with any MDM that supports certificate issuance over SCEP.
While MDM enrollment covers the vast majority of devices, some users will be on personal devices or on devices managed by another organization. For those you have two choices: put unmanaged devices on a guest network, or, if they still need access to your corporate network, give the user a way to authenticate and obtain a certificate manually. The video below demonstrates the user experience of getting a certificate from the EZCA portal (if you use EZRADIUS you can take it a step further and let the user download the complete Wi-Fi profile).
Now that we have certificates issued by a trusted certificate authority on all our devices, we need the network infrastructure to accept them. You might expect your five-figure networking gear to validate certificates itself, but access points and switches generally do not: they speak 802.1X and forward the EAP exchange to a RADIUS server, which performs the EAP-TLS handshake, validates the client certificate against your CA (chain, validity, revocation) and decides whether to accept it. Offloading authentication to RADIUS also gives you a place for detailed authorization policies, for example assigning users to different VLANs based on who they are. This is the full diagram of what your network will look like once you have everything set up:
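As an added example (not Keytos, EZCA or EZRADIUS code), the shell script below uses openssl to build a throw-away issuing CA, issue client certificates, and run the same checks a RADIUS server performs before accepting an EAP-TLS client (chain to the trusted CA, validity window, and a certificate actually meant for client authentication), followed by a constructed identity-to-VLAN policy that emits the standard RADIUS tunnel attributes. The CA name, the identities, the hypothetical UPN alice@corp.example and the VLAN numbers are all assumptions for the demo. It also shows the two ways a request is rejected: a certificate from the right CA but with the wrong extended key usage, and a perfectly valid certificate for an identity no policy grants a VLAN.

```shell
#!/bin/sh
# Added example (not Keytos/EZCA/EZRADIUS code): build a throw-away PKI and run
# the checks a RADIUS server performs on an EAP-TLS client certificate, then a
# constructed identity-to-VLAN policy. All names, paths and identities are
# assumptions for the demo.
set -eu

WORK="$(mktemp -d)"

# Self-contained OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ good_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:alice@corp.example
[ bad_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
EOF

# The issuing CA the RADIUS server trusts (in production: the CA behind your SCEP profile).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/openssl.cnf" -extensions ca_ext \
    -subj "/CN=Demo Wi-Fi Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a leaf certificate: $1 = name (subject CN), $2 = extension section to apply.
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/openssl.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 7 -sha256 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions "$2" -out "$WORK/$1.pem" 2>/dev/null
}

# Authentication step: chain to the trusted CA, validity window, and the
# certificate being usable for client authentication (EKU clientAuth,
# keyUsage digitalSignature). `-purpose sslclient` enforces all of these.
# Returns 0 = accept, non-zero = reject.
check_eap_client_cert() {
  openssl verify -CAfile "$WORK/ca.pem" -purpose sslclient "$1" >/dev/null 2>&1
}

# Identity the policy keys on. The demo uses the subject CN for portability
# across OpenSSL versions; a real deployment keys on the UPN in the SAN.
cert_identity() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=CN=//'
}

# Authorization step (constructed policy): identity -> VLAN id, no match = reject.
vlan_for_identity() {
  case "$1" in
    alice|bob)  echo 10 ;;   # corporate users
    printer-*)  echo 20 ;;   # IoT devices
    *)          return 1 ;;
  esac
}

# RADIUS Access-Accept attributes that tell the AP/switch which VLAN to place
# the client in (the tunnel attributes from RFC 3580 used for dynamic VLANs).
radius_accept_attrs() {
  printf 'Tunnel-Type = VLAN\nTunnel-Medium-Type = IEEE-802\nTunnel-Private-Group-Id = "%s"\n' "$1"
}

# Full decision for one certificate: prints the Access-Accept attributes on
# success; returns 1 on any failure (so the caller sends Access-Reject).
authorize_cert() {
  check_eap_client_cert "$1" || return 1
  vlan="$(vlan_for_identity "$(cert_identity "$1")")" || return 1
  radius_accept_attrs "$vlan"
}

make_ca
issue_client alice good_client        # properly issued user certificate
issue_client webserver bad_client     # same CA, but EKU serverAuth only
issue_client mallory good_client      # valid certificate, but no policy grants a VLAN

for name in alice webserver mallory; do
  if attrs="$(authorize_cert "$WORK/$name.pem")"; then
    printf '%s: Access-Accept\n%s\n' "$name" "$attrs"
  else
    printf '%s: Access-Reject\n' "$name"
  fi
done
```

Run it with `sh` on any machine with openssl 1.1.1 or newer; only alice gets an Access-Accept with VLAN 10. The point to take away is that authentication (is this a valid certificate from my CA, issued for client authentication?) and authorization (what is this identity allowed to reach?) are separate decisions, and both live in the RADIUS server rather than in the access point.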
Now that we have the concepts down, you can start automating Wi-Fi authentication in Intune; our documentation has much more detailed information on each of the steps. If you have any questions, or just want to talk to a fellow engineer, feel free to schedule a meeting with one of our identity experts. They can help you understand how it all fits together in your specific use case and answer any other questions you have about securing Wi-Fi access for your organization with certificates!