For your devices to establish a secure connection to the RADIUS server, you need to distribute the RADIUS server’s CA certificate to your devices.

Download Your RADIUS Server CA Certificates

The first step is to download the CA certificate(s) to your local machine. Depending on how you set up your server certificate in EZRADIUS, the steps may vary slightly.

If you used the EZRADIUS auto-generated certificate for your RADIUS server, you’ll just have a single CA certificate to download. Follow these steps:

  1. Log in to your EZRADIUS portal.

  2. Navigate to Policies.

  3. Select the policy you are using for Entra ID Password Authentication.

  4. Scroll down to the Server Certificate section.

  5. Click on the Download CA Certificate button to download the certificate to your local machine. It will have a filename similar to RootCA.cer. Download EZRADIUS CA Certificate

If you used the EZRADIUS EZCA to issue your RADIUS server certificate, you’ll need to download the the CA certificate for your EZCA CA, plus the Root CA certificate, if applicable. Follow these steps:

  1. Log in to your EZCA portal.

  2. Navigate to Certificate Authorities.

  3. Select the CA that issued your RADIUS server certificate.

  4. Click on the View Details button.

  5. Click on the Download Certificate button to download the CA certificate to your local machine. It will have a filename similar to <CA-NAME>.cer.

  6. If your EZCA CA is an intermediate CA, make sure to also download the Root CA certificate by repeating the above steps for the Root CA.

Refer to your PKI documentation to download the CA certificate(s) that issued your RADIUS server certificate. Ensure you have the root CA and any intermediate CA certificates if applicable.

Push the CA Certificates to Your Devices via Intune

Now that you have the CA certificate(s) downloaded, the next step is to push them to your devices’ Trusted Store using Intune.

  1. Now, go to your Intune portal: https://aka.ms/Intune

  2. Click on Devices.

    Intune Devices

  3. Select the OS/platform you want to configure. In this case we will select Windows, but the setup is similar for other OS platforms.

  4. Click on Configuration Profiles.

    Intune Configuration Profiles

  5. Click on the + Create button at the top of the list, then + New Policy.

    Intune Create Configuration Profile

  6. Under “Create a profile”, select:

    • Platform: Windows 10 and later
    • Profile type: Templates
    • Template name: Trusted certificate

  7. Fill out the profile Basics:

    • Name: Friendly name for your organization
    • Description: Description for your organization

    Intune Trusted Certificate Profile Name

  8. Click on Next.

  9. Fill in the Configuration settings:

    • Certificate file: Select the CA certificate you downloaded earlier from EZRADIUS (RootCA.cer).
    • Destination store: Select the appropriate store based on the type of CA certificate:
      • Computer certificate store - Root (if a root CA certificate)
      • Computer certificate store - Intermediate (if an intermediate CA certificate).

    Intune Trusted Certificate Profile Settings

  10. Click on Next.

  11. Select the users, groups or devices you want to deploy this profile to.

  12. Click on Next.

  13. Add any Applicability Rules if needed, then click on Next.

  14. Click on Create to finish creating the profile.

  15. Repeat the above steps if you have both a root CA and an intermediate CA certificate to deploy.