How-To: Enable WiFi Entra ID Authentication in Intune

On this page we set up Entra ID Password Authentication in Intune. This is the easiest way to set up RADIUS authentication in Intune. It is secure and does not require any certificates.

Prerequisites

  1. The Keytos Entra ID applications are registered in your tenant
  2. You have signed up for an EZRADIUS Plan
  3. You are a Subscription Owner or Network Administrator
  4. You are an Intune Administrator

How to Enable WiFi Entra ID Authentication in Intune

The following steps will guide you through the process of creating a WiFi profile in Intune that uses Entra ID Password Authentication with EZRADIUS. At a high level, you will need to:

  1. Distribute your RADIUS server CA certificate(s) to your devices via Intune.
  2. Create a WiFi profile in Intune that uses EAP-TTLS with Entra ID Password Authentication.

How to Distribute Your RADIUS Server CA Certificates in Intune

For your devices to establish a secure connection to the RADIUS server, you need to distribute the RADIUS server’s CA certificate to your devices.

Download Your RADIUS Server CA Certificates

The first step is to download the CA certificate(s) to your local machine. Depending on how you set up your server certificate in EZRADIUS, the steps may vary slightly.

If you used the EZRADIUS auto-generated certificate for your RADIUS server, you’ll just have a single CA certificate to download. Follow these steps:

  1. Log in to your EZRADIUS portal.

  2. Navigate to Policies.

  3. Select the policy you are using for Entra ID Password Authentication.

  4. Scroll down to the Server Certificate section.

  5. Click on the Download CA Certificate button to download the certificate to your local machine. It will have a filename similar to RootCA.cer.

If you used EZCA to issue your RADIUS server certificate, you’ll need to download the CA certificate for your EZCA CA, plus the Root CA certificate, if applicable. Follow these steps:

  1. Log in to your EZCA portal.

  2. Navigate to Certificate Authorities.

  3. Select the CA that issued your RADIUS server certificate.

  4. Click on the View Details button.

  5. Click on the Download Certificate button to download the CA certificate to your local machine. It will have a filename similar to <CA-NAME>.cer.

  6. If your EZCA CA is an intermediate CA, make sure to also download the Root CA certificate by repeating the above steps for the Root CA.

If you used another PKI to issue your RADIUS server certificate, refer to your PKI documentation to download the CA certificate(s) that issued it. Ensure you have the root CA and any intermediate CA certificates, if applicable.

Push the CA Certificates to Your Devices via Intune

Now that you have the CA certificate(s) downloaded, the next step is to push them to your devices’ Trusted Store using Intune.

  1. Go to your Intune portal: https://aka.ms/Intune

  2. Click on Devices.

  3. Select the OS/platform you want to configure. In this case we will select Windows, but the setup is similar for other OS platforms.

  4. Click on Configuration Profiles.

  5. Click on the + Create button at the top of the list, then + New Policy.

  6. Under “Create a profile”, select:

    • Platform: Windows 10 and later
    • Profile type: Templates
    • Template name: Trusted certificate

  7. Fill out the profile Basics:

    • Name: Friendly name for your organization
    • Description: Description for your organization

  8. Click on Next.

  9. Fill in the Configuration settings:

    • Certificate file: Select the CA certificate you downloaded earlier from EZRADIUS (RootCA.cer).
    • Destination store: Select the appropriate store based on the type of CA certificate:
      • Computer certificate store - Root (if a root CA certificate)
      • Computer certificate store - Intermediate (if an intermediate CA certificate).

  10. Click on Next.

  11. Select the users, groups or devices you want to deploy this profile to.

  12. Click on Next.

  13. Add any Applicability Rules if needed, then click on Next.

  14. Click on Create to finish creating the profile.

  15. Repeat the above steps if you have both a root CA and an intermediate CA certificate to deploy.

How to Create a WiFi Profile in Intune for Entra ID Password Authentication

Download Your RADIUS Server Certificate

When setting up an Intune WiFi profile for Entra ID Password Authentication, you will need details from your RADIUS server certificate. You can find these details in your EZRADIUS portal.

  1. Log in to your EZRADIUS portal.

  2. Navigate to Policies.

  3. Select the policy you are using for Entra ID Password Authentication.

  4. Scroll down to the Server Certificate section.

  5. Click Download Certificate to download the RADIUS server certificate to your local machine. It will have a filename similar to Server.cer.

  6. Open the downloaded certificate on your local machine. Note the following details which you will need later.

    • The Subject Common Name (CN)
    • The Subject Alternative Name (SAN)
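
The CN and SAN values can also be read from the downloaded file with PowerShell, already stripped of the CN=, DNS Name= and IP Address= prefixes for the "Certificate server names" field used later. This is an added example, not part of the EZRADIUS documentation; it assumes Server.cer is in the current directory and an English-language Windows, where the SAN extension is rendered with those prefixes.

```powershell
# Added example (not EZRADIUS code). Assumption: Server.cer is in the current directory.
$path = Join-Path (Get-Location) 'Server.cer'
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)

# Subject Common Name, returned without the "CN=" prefix.
$names = @($cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))

# Subject Alternative Name extension (OID 2.5.29.17). On English-language Windows,
# Format($true) renders one entry per line as "DNS Name=..." or "IP Address=...".
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    foreach ($line in ($san.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*(DNS Name|IP Address)=(.+)$') {
            $names += $Matches[2].Trim()
        }
    }
}

# The CN usually repeats one of the SAN entries, so drop empties and duplicates.
$names = @($names | Where-Object { $_ } | Select-Object -Unique)

# Show validity alongside the names: an expired server certificate fails validation
# on the client no matter how the Wi-Fi profile is configured.
'Thumbprint : {0}' -f $cert.Thumbprint
'Valid until: {0:u}' -f $cert.NotAfter
'Certificate server names to enter in Intune:'
$names | ForEach-Object { "  $_" }
```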

Create a WiFi Profile in Intune

  1. Go to your Intune portal: https://aka.ms/Intune

  2. Click on Devices

  3. Select the OS/platform you want to configure. In this case we will select Windows, but the setup is similar for other OS platforms.

  4. Click on Configuration Profiles.

  5. Click on the + Create button at the top of the list.

  6. Select Windows 10 and later as the platform.

  7. Select Templates as the profile type.

  8. Select Wi-Fi as the template.

  9. Click on Create at the bottom of the page.

  10. Fill in the Name and Description fields with something meaningful for your organization.

  11. Click on Next.

  12. Enter the following required Configuration settings. Any field not mentioned below can be left as default or set to your organization’s preference:

    • Wi-Fi type: Enterprise
    • Wi-Fi name (SSID): Your Wi-Fi Network SSID (Case Sensitive)
    • Connection name: Friendly name for your users
    • Authentication mode: User (Device is not supported for Entra ID Password authentication)
    • Remember credentials: Yes/No (Based on your preference)
    • Authentication period: 30 seconds is a recommended value we’ve seen work well for most environments.
    • Authentication retry delay: 1 second is a recommended value we’ve seen work well for most environments.
    • Maximum authentication failures: 10 is a recommended value we’ve seen work well for most environments.
    • Single sign-on (SSO): Disable
  13. If your network controller supports Fast Roaming, fill out the Fast Roaming settings section with the following settings:

    • Enable pairwise master key (PMK) caching: Yes
    • Max PMK time stored in cache: We recommend setting this to the maximum (1440 minutes) to improve user experience.
    • Max number of PMKs in cache: We recommend setting this to the maximum (255) to improve user experience.
    • Enable pre-authentication: Yes
    • Max pre-authentication attempts: 10 is a recommended value we’ve seen work well for most environments.
  14. Fill out the Server Trust section with the following settings:

    • EAP type: EAP-TTLS
    • Certificate server names: Enter the CN and SAN values from your RADIUS server certificate that you noted earlier. Remove CN=, DNS Name=, and IP Address= prefixes when entering the values.
    • Root Certificates for server validation: Click on “+ Select one or more certificate profiles” and select the CA certificate profile(s) you created earlier to distribute your RADIUS server CA certificate(s).

  15. Fill out the Client Authentication section with the following settings:

    • Authentication Method: Username and Password
    • Non-EAP method (Inner method): Unencrypted Password (PAP) (Don’t worry: the password is encrypted by the EAP-TTLS tunnel and is not sent unencrypted over the air)
  16. Click on Next.

  17. Select the users, groups or devices you want to deploy this profile to and click Next.

  18. Add any applicability rules if needed, then click on Next.

  19. Review your settings and click on Create.

  20. Done! Your WiFi profile is now created and will be pushed to your devices. Once the profile is applied, users will be able to connect to the WiFi network using their Entra ID credentials.

How to Test the WiFi Entra ID Password Authentication Setup

Now that you have created and deployed the WiFi profile, it’s important to test the setup to ensure everything is functioning correctly. Follow these steps to test your WiFi profile with Entra ID Password Authentication:

  1. Begin on a device that is targeted by the Intune WiFi profile you created.

  2. Force a sync with Intune to ensure the latest profiles are applied. You can do this by going to Settings > Accounts > Access work or school, selecting your work account, and clicking on Sync.

  3. Once the sync is complete, check that the WiFi profile has been applied by going to Settings > Network & Internet > Wi-Fi > Manage known networks. You should see the SSID you configured in the list.

  4. Attempt to connect to the WiFi network using your Entra ID credentials (username and password).

  5. If you are unable to connect, refer to our troubleshooting guide.

    🔎 Entra ID Troubleshooting Guide
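
Beyond a successful connection, it is worth confirming on the test device that the Server Trust settings actually arrived, because the PAP password is only protected when the client validates the RADIUS server before opening the EAP-TTLS tunnel. The PowerShell below is an added example, not part of the EZRADIUS documentation. It assumes a placeholder SSID, the RootCA.cer file downloaded earlier in the current directory, and that the exported WLAN profile XML carries the server names in a ServerNames element and the pinned CA in an element whose name starts with TrustedRootCA (as a SHA-1 or SHA-256 hash).

```powershell
# Added example (not EZRADIUS code). Assumptions: placeholder SSID below, and
# RootCA.cer (the CA file downloaded earlier) is in the current directory.
$WifiName = 'YOUR-SSID'
$CaFile   = '.\RootCA.cer'

$ca     = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $CaFile).Path)
$sha1   = $ca.Thumbprint
$sha256 = [BitConverter]::ToString(
    [System.Security.Cryptography.SHA256]::Create().ComputeHash($ca.RawData)) -replace '-'

# 1. Did the Trusted certificate profile place the CA in a machine store?
$inStore = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Thumbprint -eq $sha1 }
'CA certificate in machine store: {0}' -f [bool]$inStore

# 2. Export the WLAN profiles to a scratch folder and inspect the one for our SSID.
$dir = Join-Path $env:TEMP ('wlan-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
netsh wlan export profile folder="$dir" | Out-Null

$found = $false
foreach ($f in Get-ChildItem $dir -Filter *.xml) {
    [xml]$x = Get-Content $f.FullName -Raw
    $node = $x.SelectSingleNode("//*[local-name()='SSID']/*[local-name()='name']")
    # SSIDs are case sensitive, so compare with -cne.
    if (-not $node -or $node.InnerText -cne $WifiName) { continue }
    $found = $true

    $servers = @($x.SelectNodes("//*[local-name()='ServerNames']") |
        ForEach-Object { $_.InnerText })
    $hashes  = @($x.SelectNodes("//*[starts-with(local-name(),'TrustedRootCA')]") |
        ForEach-Object { ($_.InnerText -replace '\s').ToUpper() })

    [pscustomobject]@{
        ProfileFile     = $f.Name
        ServerNames     = $servers -join ' | '
        NamesConfigured = [bool]($servers | Where-Object { $_.Trim() })
        PinnedToThisCA  = [bool]($hashes | Where-Object { $_ -in $sha1, $sha256 })
    }
}
if (-not $found) {
    Write-Warning "No WLAN profile for SSID '$WifiName' found; the Intune sync may not have completed."
}

# The export covers every WLAN profile on the device, so remove the scratch folder.
Remove-Item $dir -Recurse -Force
```

If NamesConfigured or PinnedToThisCA is False, recheck the Server Trust section of the Wi-Fi profile before rolling it out further.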