How to Enable WiFi Entra ID Authentication in Intune

Prerequisites

  1. Registering the application in your tenant
  2. Creating Cloud Radius Instance
  3. Being a Subscription Owner or Network Administrator
  4. Being an MDM Administrator.

How to Enable WiFi Entra ID Authentication in Intune

  1. Go to your Intune portal: https://aka.ms/Intune
  2. Click on Devices. Intune Devices
  3. Select the OS you want to configure. In this case we will select Windows, but the setup is similar for other OS.
  4. Click on Configuration Profiles. Intune Configuration Profiles
  5. Click on the “Create” Button at the top of the list. Intune Create Configuration Profile
  6. Select “Windows 10 and later” as the platform.
  7. Select “Templates” as the profile type.
  8. Select “Wi-Fi” as the template. Intune Wi-Fi Template
  9. Click on “Create” at the bottom of the page.
  10. Fill in the “Name” and “Description” fields.
  11. Click on “Next”. Intune Wi-Fi Profile Name
  12. Select “Enterprise” as the Wi-FI type.
  13. Fill in the SSID of your Wi-Fi network (Case sensitive).
  14. Enter the connection name (This is a friendly name for your users).
  15. Select your connection preferences (if you want it to automatically connect when in range, etc.).
  16. Select the authentication mode as user.
  17. Select if you want want to cache the user credentials.
  18. Set the authentication period (how long before the authentication fails) to 60 seconds.
  19. Set the authentication retry delay to how many seconds you want to wait before retrying the authentication.
  20. Set the number of maximum authentication attempts.
  21. Set Single Sign-On to “Disable”. Intune Wi-Fi Profile Settings for Entra ID
  22. Leave “Enable pairwise master key (PMK) caching” set as “No”.
  23. Set the EAP type to “EAP-TTLS”.
  24. For “Server Trust” we have to enter the values of the certificate, these are:
    1. The IP addresses of your RADIUS instance (All of them even if you are only using one)
    2. The CN of the certificate (which you can get from your EZRADIUS Policy and while you are there download the Root Certificate for Server validation, we will need it for the next step). Download EZRADIUS Certificate
  25. Then for “Root Certificates for Server validation” You have to use the certificate Authority (if it is a 2 tier PKI, I recommend uploading both CAs here since some OS do the validation differently) that created your RADIUS Server certificate. If you used the EZRADIUS Automatically generated certificate you can download it from your EZRADIUS Authentication Policy and Upload it as a trusted CA in Intune. This is how your policy should look like: What is Server Trust in Intune Wi-Fi Policy
  26. Set “Username and Password” as the Authentication Method.
  27. Set Unencrypted Password (PAP) as the Inner Authentication Method (Don’t worry the password is encrypted by the EAP-TTLS tunnel, it is not sent unencrypted over the air).
  28. Click on “Next”. Intune Wi-Fi Profile EAP-TTLS For Entra ID
  29. Select the users, groups or devices you want to deploy this profile to.
  30. Click on “Next”. Intune Wi-Fi Profile Assignments
  31. Review your settings and click on “Create”. Intune Wi-Fi Profile Review