How-To: Enable WiFi Certificate Authentication in Intune

In this page we set up certificate authentication in Intune. This is the most secure way to set up RADIUS authentication in Intune: the device or user authenticates with a certificate, so no passwords are involved.

Prerequisites

  1. The Keytos Entra ID applications are registered in your tenant
  2. You have signed up for an EZRADIUS Plan
  3. You are a Subscription Owner or Network Administrator
  4. You are an Intune Administrator
  5. You have created Intune Trusted Certificates and SCEP profiles to issue certificates to your devices.

How to Enable WiFi Certificate Authentication in Intune - Video Version

How to Enable WiFi Certificate Authentication in Intune

The following steps will guide you through the process of creating a WiFi Profile in Intune that uses EAP-TLS Certificate Authentication via SCEP-issued certificates with EZRADIUS. At a high level, you will need to:

  1. Distribute your RADIUS server CA certificate(s) to your devices via Intune.
  2. Create a WiFi Profile in Intune that uses EAP-TLS with SCEP-issued certificates for authentication.

How to Distribute Your RADIUS Server CA Certificates in Intune

For your devices to establish a secure connection to the RADIUS server, you need to distribute the RADIUS server’s CA certificate to your devices.

Download Your RADIUS Server CA Certificates

The first step is to download the CA certificate(s) to your local machine. Depending on how you set up your server certificate in EZRADIUS, the steps may vary slightly.

If you used the EZRADIUS auto-generated certificate for your RADIUS server, you’ll just have a single CA certificate to download. Follow these steps:

  1. Log in to your EZRADIUS portal.

  2. Navigate to Policies.

  3. Select the policy you are using for Entra ID Password Authentication.

  4. Scroll down to the Server Certificate section.

  5. Click on the Download CA Certificate button to download the certificate to your local machine. It will have a filename similar to RootCA.cer.

    Download EZRADIUS CA Certificate

If you used the EZRADIUS EZCA to issue your RADIUS server certificate, you’ll need to download the CA certificate for your EZCA CA, plus the Root CA certificate, if applicable. Follow these steps:

  1. Log in to your EZCA portal.

  2. Navigate to Certificate Authorities.

  3. Select the CA that issued your RADIUS server certificate.

  4. Click on the View Details button.

  5. Click on the Download Certificate button to download the CA certificate to your local machine. It will have a filename similar to <CA-NAME>.cer.

  6. If your EZCA CA is an intermediate CA, make sure to also download the Root CA certificate by repeating the above steps for the Root CA.

If you used your own PKI to issue your RADIUS server certificate, refer to your PKI documentation to download the CA certificate(s) that issued it. Ensure you have the root CA certificate and any intermediate CA certificates, if applicable.

Push the CA Certificates to Your Devices via Intune

Now that you have the CA certificate(s) downloaded, the next step is to push them to your devices’ Trusted Store using Intune.

  1. Go to your Intune portal: https://aka.ms/Intune

  2. Click on Devices.

    Intune Devices

  3. Select the OS/platform you want to configure. In this case we will select Windows, but the setup is similar for other OS platforms.

  4. Click on Configuration Profiles.

    Intune Configuration Profiles

  5. Click on the + Create button at the top of the list, then + New Policy.

    Intune Create Configuration Profile

  6. Under “Create a profile”, select:

    • Platform: Windows 10 and later
    • Profile type: Templates
    • Template name: Trusted certificate
  7. Fill out the profile Basics:

    • Name: Friendly name for your organization
    • Description: Description for your organization

    Intune Trusted Certificate Profile Name

  8. Click on Next.

  9. Fill in the Configuration settings:

    • Certificate file: Select the CA certificate you downloaded earlier from EZRADIUS (RootCA.cer).
    • Destination store: Select the appropriate store based on the type of CA certificate:
      • Computer certificate store - Root (if a root CA certificate)
      • Computer certificate store - Intermediate (if an intermediate CA certificate).

    Intune Trusted Certificate Profile Settings

  10. Click on Next.

  11. Select the users, groups or devices you want to deploy this profile to.

  12. Click on Next.

  13. Add any Applicability Rules if needed, then click on Next.

  14. Click on Create to finish creating the profile.

  15. Repeat the above steps if you have both a root CA and an intermediate CA certificate to deploy.

How to Create a WiFi Profile in Intune for Certificate Authentication

Download Your RADIUS Server Certificate

When setting up an Intune WiFi profile for Entra ID Password Authentication, you will need details from your RADIUS server certificate. You can find these details in your EZRADIUS portal.

  1. Log in to your EZRADIUS portal.

  2. Navigate to Policies.

  3. Select the policy you are using for Entra ID Password Authentication.

  4. Scroll down to the Server Certificate section.

  5. Click Download Certificate to download the RADIUS server certificate to your local machine. It will have a filename similar to Server.cer.

  6. Open the downloaded certificate on your local machine. Note the following details which you will need later.

    • The Subject Common Name (CN)
    • The Subject Alternative Name (SAN)

    EZRADIUS Server Certificate Subject value

    EZRADIUS Server Certificate SAN value
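As an added example (not part of the EZRADIUS documentation), the PowerShell script below reads the downloaded RADIUS server certificate and CA certificate(s) and prints the Certificate server names values with the CN=, DNS Name= and IP Address= prefixes already removed, and tells you which Intune Destination store (Root or Intermediate) each CA file belongs in for the Trusted certificate profiles created earlier. The file paths are assumptions; point them at the files you downloaded.

```powershell
# Added example, not part of the EZRADIUS documentation. Paths are assumptions:
# Server.cer and RootCA.cer are the files downloaded from the EZRADIUS portal.
$ServerCertPath = "$HOME\Downloads\Server.cer"
$CaCertPaths    = @("$HOME\Downloads\RootCA.cer")   # add intermediate CA .cer files here if you have any

$X509   = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$server = New-Object $X509 -ArgumentList $ServerCertPath

# Subject CN without the "CN=" prefix
$cn = $server.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

# SAN entries without the "DNS Name=" / "IP Address=" prefixes. Windows renders the
# SAN extension (OID 2.5.29.17) as "DNS Name=radius.example.com, IP Address=10.0.0.5".
$sans   = @()
$sanExt = $server.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    $sans = $sanExt.Format($false) -split ',\s*' |
        ForEach-Object { ($_ -replace '^(DNS Name|IP Address)=', '').Trim() } |
        Where-Object { $_ }
}

# The CN is normally repeated in the SAN, so de-duplicate before printing.
$serverNames = @(@($cn) + $sans | Select-Object -Unique)
Write-Host "Certificate server names (Intune Wi-Fi profile, Server Trust section):"
$serverNames | ForEach-Object { Write-Host "  $_" }

# Which Trusted certificate 'Destination store' each CA file belongs in:
# a root CA is self-signed (Subject equals Issuer); anything else is an intermediate.
Write-Host "`nTrusted certificate profiles to create:"
$caSubjects = @()
foreach ($path in $CaCertPaths) {
    $ca = New-Object $X509 -ArgumentList $path
    $caSubjects += $ca.Subject
    $store = if ($ca.Subject -eq $ca.Issuer) { 'Computer certificate store - Root' } else { 'Computer certificate store - Intermediate' }
    Write-Host ("  {0}: {1} (expires {2:yyyy-MM-dd}) -> {3}" -f (Split-Path $path -Leaf), $ca.Subject, $ca.NotAfter, $store)
}

# Sanity check: the server certificate must chain to a CA you are actually distributing,
# otherwise devices reject the RADIUS server during EAP-TLS server validation.
if ($caSubjects -notcontains $server.Issuer) {
    Write-Warning "No CA file matches the server certificate issuer '$($server.Issuer)'. Download the issuing CA certificate as well."
}
```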

Create a WiFi Profile in Intune

  1. Go to your Intune portal: https://aka.ms/Intune

  2. Click on Devices

    Intune Devices

  3. Select the OS/platform you want to configure. In this case we will select Windows, but the setup is similar for other OS platforms.

  4. Click on Configuration Profiles.

    Intune Configuration Profiles

  5. Click on the + Create button at the top of the list.

    Intune Create Configuration Profile

  6. Select Windows 10 and later as the platform.

  7. Select Templates as the profile type.

  8. Select Wi-Fi as the template.

    Intune Wi-Fi Template

  9. Click on Create at the bottom of the page.

  10. Fill in the Name and Description fields with something meaningful for your organization.

  11. Click on Next.

    Intune Wi-Fi Profile Name

  12. Enter the following required Configuration settings. Any field not mentioned below can be left as default or set to your organization’s preference:

    • Wi-Fi type: Enterprise
    • Wi-Fi name (SSID): Your Wi-Fi Network SSID (Case Sensitive)
    • Connection name: Friendly name for your users
    • Authentication mode: Select the mode based on whether your SCEP certificate is issued to the User or the Device.
    • Remember credentials: Set to No (Not needed for certificate authentication).
    • Authentication period: 30 seconds is a recommended value we’ve seen work well for most environments.
    • Authentication retry delay: 1 second is a recommended value we’ve seen work well for most environments.
    • Maximum authentication failures: 10 is a recommended value we’ve seen work well for most environments.
    • Single sign-on (SSO): Disable

    Intune Wi-Fi Profile Basic Settings

  13. If your network controller supports Fast Roaming, fill out the Fast Roaming settings section with the following settings:

    • Enable pairwise master key (PMK) caching: Yes
    • Max PMK time stored in cache: We recommend setting this to the maximum (1440 minutes) to improve user experience.
    • Max number of PMKs in cache: We recommend setting this to the maximum (255) to improve user experience.
    • Enable pre-authentication: Yes
    • Max pre-authentication attempts: 10 is a recommended value we’ve seen work well for most environments.

    Intune Wi-Fi Profile Fast Roaming Settings

  14. Fill out the Server Trust section with the following settings:

    • EAP type: EAP-TLS
    • Certificate server names: Enter the CN and SAN values from your RADIUS server certificate that you noted earlier. Remove CN=, DNS Name=, and IP Address= prefixes when entering the values.
    • Root Certificates for server validation: Click on “+ Select one or more certificate profiles” and select the CA certificate profile(s) you created earlier to distribute your RADIUS server CA certificate(s).

    What is Server Trust in Intune Wi-Fi Policy

  15. Fill out the Client Authentication section with the following settings:

    • Authentication Method: SCEP Certificate
    • Client certificate for client authentication: Select the SCEP profile you use to issue certificates to your devices.

    Intune Wi-Fi Profile EAP-TLS SCEP

  16. Click on Next.

  17. Select the users, groups or devices you want to deploy this profile to and click Next.

    Intune Wi-Fi Profile Assignments

  18. Add any applicability rules if needed, then click on Next.

  19. Review your settings and click on Create.

    Intune Wi-Fi Profile Review

  20. Done! Your WiFi profile is now created and will be pushed to your devices. Once the profile is applied, users will be able to connect to the WiFi network using their SCEP-issued certificates.

How to Test the WiFi Certificate Authentication Setup

Now that you have created and deployed the WiFi profile, it’s important to test the setup to ensure everything is functioning correctly. Follow these steps to test your WiFi profile with Certificate Authentication:

  1. Begin on a device that is targeted by the Intune WiFi profile you created.

  2. Force a sync with Intune to ensure the latest profiles are applied. You can do this by going to Settings > Accounts > Access work or school, selecting your work account, and clicking on Sync.

  3. Once the sync is complete, check that the WiFi profile has been applied by going to Settings > Network & Internet > Wi-Fi > Manage known networks. You should see the SSID you configured in the list.

  4. If you use User-based certificate authentication, attempt to connect to the WiFi network. You should be connected without being prompted for a username or password. If you use Device-based certificates, the device should connect automatically without user interaction. You may need to restart the device to trigger the connection.

  5. If you are unable to connect, refer to our troubleshooting guide.

    🔎 Troubleshooting Guide
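As an added example (not part of the EZRADIUS documentation or its troubleshooting guide), the script below checks from a targeted Windows device the pieces the test steps above depend on: that the Wi-Fi profile arrived and is EAP-TLS, that the CA certificate(s) it references are in the machine's trusted stores, that a client-authentication certificate with a private key exists, and what the WLAN service logged recently. $ConnectionName is an assumption; set it to the Connection name you entered in the Wi-Fi profile. Run it in an elevated PowerShell.

```powershell
# Added example, not part of the EZRADIUS documentation. Run in an elevated PowerShell
# on a device targeted by the profile. $ConnectionName is an assumption: use the
# "Connection name" from the Intune Wi-Fi profile (that is the netsh profile name).
$ConnectionName = 'Corp-WiFi'

# 1. Export the delivered WLAN profile and read the settings Intune wrote into it.
$exportDir = Join-Path $env:TEMP 'wlan-check'
New-Item -ItemType Directory -Force -Path $exportDir | Out-Null
netsh wlan export profile name="$ConnectionName" folder="$exportDir" | Out-Null
$profileFile = Get-ChildItem $exportDir -Filter '*.xml' | Where-Object { $_.Name -like "*$ConnectionName.xml" } | Select-Object -First 1
if (-not $profileFile) {
    Write-Warning "No WLAN profile '$ConnectionName' on this device: force an Intune sync and check the profile assignment."
    return
}
$raw = Get-Content $profileFile.FullName -Raw
$eapType     = [regex]::Match($raw, '<Type[^>]*>(\d+)</Type>').Groups[1].Value        # 13 = EAP-TLS (IANA EAP method type)
$serverNames = [regex]::Match($raw, '<ServerNames>([^<]*)</ServerNames>').Groups[1].Value
$trustedCAs  = [regex]::Matches($raw, '<TrustedRootCA>([^<]*)</TrustedRootCA>') |
               ForEach-Object { $_.Groups[1].Value -replace '\s', '' }                  # thumbprint stored as spaced hex
Write-Host "Profile '$ConnectionName': EAP type $eapType $(if ($eapType -eq '13') { '(EAP-TLS)' } else { '(NOT EAP-TLS, check the Wi-Fi profile)' })"
Write-Host "Certificate server names: $serverNames"

# 2. Each trusted CA thumbprint referenced by the profile must be in the machine's Root or CA store.
foreach ($tp in $trustedCAs) {
    $ca = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA | Where-Object { $_.Thumbprint -eq $tp }
    if ($ca) { Write-Host "Trusted CA $tp present: $($ca[0].Subject)" }
    else     { Write-Warning "Trusted CA $tp missing from LocalMachine\Root and \CA; check the Trusted certificate profile." }
}

# 3. A SCEP-issued certificate with a private key and the Client Authentication EKU (1.3.6.1.5.5.7.3.2)
#    must exist in the store matching the profile's Authentication mode (machine or user).
$clientCerts = Get-ChildItem Cert:\LocalMachine\My, Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
}
if ($clientCerts) { $clientCerts | Select-Object PSParentPath, Subject, NotAfter, Thumbprint | Format-Table -AutoSize }
else { Write-Warning "No usable client-authentication certificate found; check the SCEP profile deployment." }

# 4. Recent WLAN-AutoConfig errors, which is where 802.1X/EAP connection failures are logged.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WLAN-AutoConfig/Operational'; Level = 2; StartTime = (Get-Date).AddHours(-1) } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

When running elevated, Cert:\CurrentUser\My is the administrator's store, so for user-based certificates run step 3 in the affected user's own session.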