How to Enable WiFi Certificate Authentication in Intune

Prerequisites

  1. Registering the application in your tenant
  2. Creating a Cloud RADIUS instance
  3. Being a Subscription Owner or Network Administrator
  4. Being an MDM Administrator

How to Enable WiFi Certificate Authentication in Intune

This guide assumes that you have already set up your trusted certificate authority and SCEP profiles in your Intune portal. If you have not done so, please follow the guide on how to create Intune Trusted Certificates and SCEP profiles, or watch this 5-minute video where we guide you through the whole process.

  1. Go to your Intune portal: https://aka.ms/Intune
  2. Click on Devices.
  3. Select the OS you want to configure. In this case we will select Windows, but the setup is similar for other operating systems.
  4. Click on Configuration Profiles.
  5. Click on the “Create” button at the top of the list.
  6. Select “Windows 10 and later” as the platform.
  7. Select “Templates” as the profile type.
  8. Select “Wi-Fi” as the template.
  9. Click on “Create” at the bottom of the page.
  10. Fill in the “Name” and “Description” fields.
  11. Click on “Next”.
  12. Select “Enterprise” as the Wi-Fi type.
  13. Fill in the SSID of your Wi-Fi network (case sensitive).
  14. Enter the connection name (This is a friendly name for your users).
  15. Select your connection preferences (if you want it to automatically connect when in range, etc.).
  16. Select the authentication mode (User or Machine). This is usually set by how you are issuing the SCEP certificate, either to the user or to the machine.
  17. Select whether you want to cache the user credentials (not needed for certificate authentication).
  18. Set the authentication period (how long before the authentication fails) to 60 seconds.
  19. Set the authentication retry delay to how many seconds you want to wait before retrying the authentication.
  20. Set the number of maximum authentication attempts.
  21. Set Single Sign-On to “Disable”.
  22. Leave “Enable pairwise master key (PMK) caching” set as “No”.
  23. Set the EAP type to “EAP-TLS”.
  24. Set the root certificate for server validation to the issuing certificate that you used to create your RADIUS server certificate.

    If you used the EZRADIUS automatically generated certificate, you can download it from your EZRADIUS Authentication Policy and upload it as a trusted CA in Intune.

  25. Set “SCEP Certificate” as the Authentication Method.
  26. Select the SCEP profile you created in the prerequisites (this is the magical part of doing Wi-Fi authentication with certificates in Intune: it connects and does everything without any input from the user).
  27. Click on “Next”.
  28. Select the users, groups or devices you want to deploy this profile to.
  29. Click on “Next”.
  30. Review your settings and click on “Create”.
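
Once the profile has reached a Windows device, you can confirm that what arrived matches the choices made in the steps above (SSID, authentication mode, PMK caching, EAP-TLS, trusted root for server validation). The following Python check is an added example, not part of the original guide or of EZRADIUS; it reads the XML that `netsh wlan export profile` writes on the client. The sample profile, the SSID "CorpNet", the thumbprint and the helper names are constructed for illustration, and the example assumes the "Machine" choice in Intune appears as `machine` in the exported `authMode` element.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements checked below. A real file comes from
# `netsh wlan export profile name="<profile>" folder=.` run on the Windows client.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>Corp Wi-Fi</name>
 <SSIDConfig><SSID><name>CorpNet</name></SSID></SSIDConfig>
 <MSM><security>
  <authEncryption><authentication>WPA2</authentication><useOneX>true</useOneX></authEncryption>
  <PMKCacheMode>disabled</PMKCacheMode>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
   <authMode>machine</authMode>
   <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type></EapMethod>
    <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
     <Type>13</Type>
     <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
      <ServerValidation>
       <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
      </ServerValidation>
     </EapType></Eap></Config>
   </EapHostConfig></EAPConfig>
  </OneX>
 </security></MSM>
</WLANProfile>"""  # the TrustedRootCA thumbprint is a made-up placeholder

def _elems(root, name):
    """Every element with this local name, ignoring XML namespaces."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _texts(root, name):
    return [(e.text or "").strip() for e in _elems(root, name)]

def audit_profile(xml_text, expected_ssid, expected_auth_mode):
    """Return a list of deviations from the settings chosen in the steps above."""
    root = ET.fromstring(xml_text)
    ssids = [t for ssid in _elems(root, "SSID") for t in _texts(ssid, "name")]
    findings = []
    if expected_ssid not in ssids:  # exact comparison: the SSID is case sensitive
        findings.append(f"SSID is {ssids}, expected {expected_ssid!r}")
    if _texts(root, "authMode") != [expected_auth_mode]:  # "user" or "machine"
        findings.append(f"authMode is {_texts(root, 'authMode')}")
    if "enabled" in _texts(root, "PMKCacheMode"):
        findings.append("PMK caching is enabled")
    if set(_texts(root, "Type")) != {"13"}:  # EAP method type 13 is EAP-TLS
        findings.append("EAP type is not EAP-TLS")
    if not any(_texts(root, "TrustedRootCA")):
        findings.append("no trusted root CA set for server validation")
    return findings
```

An empty list means the exported profile agrees with the guide; a missing trusted root is the finding to treat most seriously, because without it the client has no pinned CA against which to validate the RADIUS server.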