rajeshkhanikar
Dec 11, 2018 Brass Contributor
WiFi WPA2 Enterprise seamless sign-on
WPA2 Enterprise setup in Intune requires the on-premise domain-joined NDES server and certificate issued by internal CA. WPA2 Enterprise seamless authentication will not work if the device is not joi...
- Mar 11, 2019
Forgot to update this.
Short answer: If the computer is only joined to Azure AD, WPA2 Enterprise seamless authentication is not possible.
As of now (March 2019) it is not possible to have seamless (users are not prompted for authentication) WPA2 Enterprise authentication when the computers (Windows 10) are not joined to an on-premise AD (only joined to Azure AD). This is because winlogon credentials contain a cloud user which will not be allowed to authenticate automatically on RADIUS (RADIUS is using the on-premise AD).
RonThomasRareworld
Jul 07, 2020 Copper Contributor
Hi Ben Nichols
Can you provide more insight on how you got this to work? I am struggling with RADIUS Wi-Fi auth + Intune.
Ben Nichols
Jul 07, 2020 Copper Contributor
RonThomasRareworld My current favoured solution is now to use SCEPman https://scepman.com/ for certificate enrolment. This does the roles of a CA, NDES and OCSP server all in a single Azure App Service + Key Vault. It's a very, very neat solution and there is a free version available. Use this to distribute certificates to devices (Android, iOS, macOS included) via Intune.
Then create one or more small Linux VMs to run FreeRADIUS. I configure this to accept only EAP authentication, and do certificate validation via calling openssl to verify the cert against the SCEPman root:
client = "/usr/bin/openssl verify -CAfile /etc/freeradius/certs/root.cer -untrusted /etc/freeradius/certs/sub01.cer %{TLS-Client-Cert-Filename}"
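An added example, not part of the post above and not Ben Nichols' actual configuration: it builds a throwaway root, intermediate and device certificate, then runs the post's `openssl verify` call against them to show what that check accepts and rejects. All subject names and files are constructed for the demo; only the file names root.cer and sub01.cer mirror the post.

```shell
#!/usr/bin/env bash
# Added example: every subject name and file here is constructed for the demo.
set -eu

build_pki() {   # $1 = empty working directory
  d=$1; key="-newkey rsa:2048 -nodes"; days="-days 2"
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  # Root CA, standing in for the SCEPman root (root.cer in the post).
  openssl req -x509 -config "$d/pki.cnf" -extensions ca $key $days \
    -subj "/CN=Demo Root" -keyout "$d/root.key" -out "$d/root.cer" 2>/dev/null
  # Intermediate CA signed by the root (sub01.cer in the post).
  openssl req -new -config "$d/pki.cnf" $key -subj "/CN=Demo Sub01" \
    -keyout "$d/sub01.key" -out "$d/sub01.csr" 2>/dev/null
  openssl x509 -req -in "$d/sub01.csr" -CA "$d/root.cer" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/pki.cnf" -extensions ca $days \
    -out "$d/sub01.cer" 2>/dev/null
  # Device certificate issued by the intermediate.
  openssl req -new -config "$d/pki.cnf" $key -subj "/CN=device01" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/sub01.cer" -CAkey "$d/sub01.key" \
    -CAcreateserial -extfile "$d/pki.cnf" -extensions leaf $days \
    -out "$d/client.cer" 2>/dev/null
  # Self-signed certificate reusing the device's subject name.
  openssl req -x509 -config "$d/pki.cnf" -extensions leaf $key $days \
    -subj "/CN=device01" -keyout "$d/rogue.key" -out "$d/rogue.cer" 2>/dev/null
}

verify_client() {   # $1 = PKI directory, $2 = certificate file to check
  # Same openssl call as the post's `client =` line; exit status 0 = chain OK.
  openssl verify -CAfile "$1/root.cer" -untrusted "$1/sub01.cer" "$2" >/dev/null 2>&1
}

demo() {
  w=$(mktemp -d); build_pki "$w"
  verify_client "$w" "$w/client.cer" && echo "client.cer: accepted"
  verify_client "$w" "$w/rogue.cer"  || echo "rogue.cer (self-signed): rejected"
  openssl verify -CAfile "$w/root.cer" "$w/client.cer" >/dev/null 2>&1 \
    || echo "client.cer without -untrusted sub01.cer: rejected"
  rm -rf "$w"
}
demo
```

This call checks the chain and validity dates only; it does not check revocation, so a revoked device certificate still passes unless CRL or OCSP checking is configured separately.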
- Az6489 Dec 02, 2020 Copper Contributor
Hi Ben Nichols, can you please share your FreeRADIUS config? I am not very familiar with the setup.
- RonThomasRareworld Jul 15, 2020 Copper Contributor
Ben Nichols Thanks man. SCEPman is so much simpler to set up. Got that functional no prob. I'm a tad bit stuck with FreeRADIUS. Do you simply dump the keys on the server? Sorry, a Linux noob here.