
Wi-Fi Authentication with Intune Conditional Access

How to Set Up Conditional Access to the Network with Microsoft 365
14 Dec 2024

How To Authenticate to Wi-Fi with Entra ID and Conditional Access

If you are reading this blog, you have probably been assigned the task of protecting your organization’s Wi-Fi network with Entra ID and/or Conditional Access. While I wish I could tell you “Just click here and you are done”, the reality is that setting up Wi-Fi authentication with Entra ID and Conditional Access is a bit more complicated than that. The reason is that Entra ID doesn’t speak network authentication and network authentication doesn’t speak Entra ID. To bridge this gap, you need a Cloud RADIUS service that can speak both languages. In this blog, we will cover how you can set up Wi-Fi authentication with Entra ID and Conditional Access.

How To Set Up Network Authentication With SSO Entra ID

Your next hunch is going to be: well, we have Entra ID, so let’s use SSO with Entra ID. While this would be ideal, it is not supported by most popular network providers, because you would need internet access to reach the portal before you have authenticated to the network. Instead, we are going to use Cloud RADIUS. While it does support RADIUS Entra ID authentication with username and password, we strongly recommend using certificates for authentication. The two main reasons for using certificates are: 1. It is more secure, as the user doesn’t have to remember a password, and 2. It is more user-friendly, as the user doesn’t have to do anything to authenticate to the network; it just magically works. For this to work, you need your Intune device certificates and an EZRADIUS instance. I will leave a video below that shows how to set up certificate-based authentication with EZRADIUS; it even goes into how you can set up your Azure Cloud PKI to issue the certificates.

What Conditional Access Policies Can I Set Up for Wi-Fi Authentication

As mentioned before, we are going to use Cloud RADIUS and there is no way of doing SSO, meaning that not all your Conditional Access policies will work. However, since in this example we will be using device certificates (How To Create Device SCEP Certificates in Intune), you can use the Device Compliance policies to check whether the device is compliant before allowing it to connect to the network. This is a great way to ensure that only devices that are compliant with your security policies can connect to your network. For example, if a device has a valid certificate but your Intune device compliance policy requires it to run antivirus every 24 hours and the device doesn’t meet this requirement, it will not be able to connect to the network.

Intune Device Compliance Policy for Network Authentication

How To Set Up Conditional Access Policies for Wi-Fi Authentication in EZRADIUS

To enable Conditional Access policies for Wi-Fi authentication, set up the Access Policy with Intune certificates (the one that uses device authentication) and make sure that you have: 1. set it to “Match Certificate with Entra ID”, 2. selected the certificate type “Device”, 3. entered the location in the certificate where you put the Entra Intune Device ID, and 4. set the policy to check device compliance in Intune. Note: We recommend having a “Catch all” policy at the bottom that puts devices in a different VLAN if they don’t meet the compliance requirements. This places the device in a restricted network where it can access the internet and get “Compliant” before being able to access the network.

EZRADIUS Conditional Access Policy for Wi-Fi Authentication with Intune Device compliance
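The policy ordering described above, modelled as an added Python example (this is not EZRADIUS code or configuration). The policy names, VLAN IDs 10 and 99, the device ID being stored in the Subject CN, the compliance table, and the catch-all still requiring the certificate to match a known device are all assumptions made for illustration.

```python
# Added illustration: a simplified model of ordered RADIUS access policies.
# Not EZRADIUS code; names, VLAN IDs and device records are constructed.
import re

# Constructed stand-in for Intune's view of devices, keyed by Entra device ID.
INTUNE = {
    "11111111-1111-1111-1111-111111111111": "compliant",
    "22222222-2222-2222-2222-222222222222": "noncompliant",
}
GUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Policies are evaluated top to bottom; the catch-all sits last.
POLICIES = [
    {"name": "compliant-devices", "id_field": "subject_cn",
     "require_compliant": True, "vlan": "10"},
    {"name": "catch-all-remediation", "id_field": "subject_cn",
     "require_compliant": False, "vlan": "99"},
]

def device_id(cert, field):
    """Pull the device GUID out of the configured certificate field."""
    m = GUID.search(cert.get(field, ""))
    return m.group(0).lower() if m else None

def vlan_attrs(vlan):
    """RFC 3580 attributes a RADIUS server returns to assign a VLAN."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": vlan}

def decide(cert, chain_valid):
    """Return (result, policy name, reply attributes) for one EAP-TLS login."""
    if not chain_valid:              # untrusted or expired cert never reaches policies
        return ("Access-Reject", None, {})
    for p in POLICIES:
        dev = device_id(cert, p["id_field"])
        state = INTUNE.get(dev)      # None: the ID matches no known device
        if state is None:
            continue                 # "Match Certificate with Entra ID" failed
        if p["require_compliant"] and state != "compliant":
            continue                 # fall through to the next policy
        return ("Access-Accept", p["name"], vlan_attrs(p["vlan"]))
    return ("Access-Reject", None, {})
```

Without the catch-all entry, the non-compliant device would be rejected outright and would have no network path to remediate itself.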

How To Connect RADIUS Service to Network Infrastructure

If you want to get started with Cloud RADIUS, you can check out our RADIUS documentation. If you have any questions, feel free to schedule a meeting with one of our identity experts, where one of our engineers can help you understand how EZRADIUS will work for your specific use case and answer any other questions you might have about securing Wi-Fi access for your organization using certificates!
