Forum Discussion
Intune Standalone Device-Based Certificate Issue
My client is receiving the device cert but could not connect to Wi-Fi, which I deploy to the client using a Wi-Fi profile. It seems that the Wi-Fi profile + NPS is still trying to use the user-based cert.
It seems that I set everything correctly.
The only thing I don't understand is this setting:
Server Trust
Certificate server names: Use with EAP-TLS, EAP-TTLS, or PEAP EAP types. Enter one or more common names used in the certificates issued by your trusted certificate authority (CA). If you enter this information, you can bypass the dynamic trust dialog shown on user devices when they connect to this Wi-Fi network.
What should I set here?
//Alexander
Just put your Certificate Authority common name in there, like myca.mycompany.com. The setting defines the Server Trust so that the profile knows all certificates from this CA with the name specified can be trusted, and therefore no additional popups are shown.
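Since the thread turns on which name the client compares against the NPS certificate, here is an added PowerShell check (not from the thread or any poster) to run on the NPS server: it lists each server-authentication certificate's subject CN, SAN DNS names, issuer CN and chain root, and reports whether the name configured under Server Trust matches the leaf certificate. The parameter name and its default are assumptions; the store path and EKU OID are the standard ones.

```powershell
# Added example, not from the thread: inspect the NPS (RADIUS) server certificate
# and compare its names with the "Certificate server names" value in the Intune profile.
param(
    # Hypothetical value: the name entered under Server Trust in the Wi-Fi profile
    [string]$ConfiguredServerName = 'myca.mycompany.com'
)

$serverAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, required for EAP-TLS/PEAP

# Certificates in the machine store with the Server Authentication EKU and a private key
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthEku) }

if (-not $candidates) {
    Write-Warning 'No server-authentication certificate with a private key found in LocalMachine\My.'
    return
}

foreach ($cert in $candidates) {
    # Build the chain the way the client will: from the leaf up to a root CA
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $subjectCn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' }) -replace '^CN='
    $issuerCn  = ($cert.Issuer  -split ',\s*' | Where-Object { $_ -like 'CN=*' }) -replace '^CN='
    # DNS names from the SAN (PowerShell falls back to the subject name when no SAN is present)
    $sanNames  = $cert.DnsNameList.Unicode

    [pscustomobject]@{
        Thumbprint        = $cert.Thumbprint
        SubjectCN         = $subjectCn
        SANDnsNames       = ($sanNames -join ', ')
        IssuerCN          = $issuerCn
        # The root here is the certificate to pick under "Root certificate for server validation"
        RootCASubject     = $root.Subject
        ChainBuilds       = $chainOk
        # True when the configured server name equals the leaf CN or one of its SAN DNS names
        MatchesServerName = ($ConfiguredServerName -eq $subjectCn) -or ($sanNames -contains $ConfiguredServerName)
        NotAfter          = $cert.NotAfter
    }
}
```

A row with ChainBuilds false or MatchesServerName false is the mismatch that makes clients show the trust dialog or refuse the SSID.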
- fatshark_2k, Jun 18, 2019, Brass Contributor
alexander tikhomirov I'm facing the same issue. I have installed NDES with SCEP and device certificates are deployed. I deployed an Enterprise Wi-Fi profile in Intune with EAP-TLS, root CA, device certificate authentication.
On NPS we created a network policy with the smart card/certificate EAP type, but we can't get a connection to the Wi-Fi SSID. Looks like it's not using the cert or something.
- alexander tikhomirov, May 24, 2019, Brass Contributor
I think at this moment it is not possible, and a talk with MS Support confirmed this for me.
- CraigEmm_650, May 08, 2019, Copper Contributor
Hi alexander tikhomirov,
I am in exactly the same scenario as you. Device and User certificates both deployed successfully but Wireless authentication only works with the user certificates.
Were you ever able to confirm if this is even possible: authenticating AAD-joined devices to wireless networks using device certs?
- Mar 26, 2019
alexander tikhomirov ah, good point. I'm not deep enough into NPS; there might be a limitation here...
- alexander tikhomirov, Mar 26, 2019, Brass Contributor
Oliver Kieselbach thanks for the article, but user-based certs are used in their solution:
"For a more immersive experience, machine certificates are preferred for use, subject to their availability in Intune"
- Mar 26, 2019
Hey alexander tikhomirov,
I don't think this is the case; AADJ can be used in this scenario. There are blogs out there showing a successful implementation of this scenario, like this one: https://blog.auth360.net/2018/10/12/windows-10-password-less-azure-ad-join-microsoft-intune-and-windows-hello-for-business/
best,
Oliver
- SRoach, Mar 26, 2019, Brass Contributor
Incidentally, ours are iOS devices, so a somewhat different use case.
- SRoach, Mar 26, 2019, Brass Contributor
Our issue miraculously disappeared after having the case open (with no activity) with Microsoft for over a month.
However, it mysteriously resurfaced a few weeks ago. I've been dealing with other issues so haven't revisited it to investigate further but will do so once I have some availability and report back any findings.
- alexander tikhomirov, Mar 26, 2019, Brass Contributor
If I understand correctly, a Windows NPS server (as a RADIUS) can't authenticate an Azure AD joined device to an access point even if a device-based cert was deployed to the client, because NPS could only check trusts for domain-joined computers, not for devices that are only Azure AD joined.
- alexander tikhomirov, Mar 15, 2019, Brass Contributor
Hi, did you manage to get this approach working?
- SRoach, Nov 28, 2018, Brass Contributor
This has proven to be a royal pain for me the past week because the Microsoft documentation at https://docs.microsoft.com/en-us/intune/wi-fi-settings-ios is a bit ambiguous where it describes Server Trust - Certificate server names.
It states, "Add one or more common names used in the certificates issued by your trusted certificate authority (CA)." This sounds as if it's implying entering the common names of the clients' device certificates, e.g. *.domain.com.
It's not clear whether this means the root CA common name, the root CA common.domain.com, the common name of the CA that issued the device certs, the common name of the CA that issued the server certificate, or the latter two with the domain suffix.
Furthermore, does this need to match with the certificate selected under Root certificate for server validation or should I enter the common name for the CA that issued the server's cert in Certificate server names whilst selecting the root CA cert under Root certificate for server validation?
I'm about to eat my hand.... grrrr... :-D
- alexander tikhomirov, Nov 20, 2018, Brass Contributor
Before logon, auto connection to Wi-Fi doesn't happen; it says there is no cert, but I have a user cert and a device cert. After logon, the Wi-Fi profile connects successfully to Wi-Fi using, as I understand it, the user cert, even though in the Wi-Fi profile settings on the Intune portal I chose the device SCEP policy for it.
Is it possible to have auto connection to Wi-Fi before user login using a device-based cert, which is what I am trying to achieve but fails?
//Alexander