Hi - I am interested in deploying the Cloud PKI infrastructure for Intune to a customer who uses cloud-only Windows devices but wishes to authenticate their Wi-Fi and VPN using certificates from the computers and users.
https://learn.microsoft.com/en-us/mem/intune/protect/microsoft-cloud-pki-deployment
The VPN accesses a few servers in an Azure AD DS domain or in a legacy AD lifted to run on Azure cloud machines. They have no legacy Certificate Authority and, as a small company of between 20 and 50 users and client workstations, cannot afford third-party solutions for RADIUS, which are all that the instructions I find recommend when searching the web for practical step-by-step implementation guides like this one from Oliver Kieselbach:
https://oliverkieselbach.com/2024/03/04/how-to-configure-cloud-pki-certificate-based-wifi-with-intune/
My issue is that when reading through the Microsoft Learn documentation I find that it says another separate PKI or CA service is needed (or a certificate from the third-party RADIUS service?) - I thought that was the whole point of the Cloud PKI service - not having to have another one?
"When connecting to a relying party such as a Wi-Fi access point or VPN server, an SSL/TLS connection is first established by the managed Intune device when attempting to connect. Microsoft Cloud PKI doesn't provide these TLS/SSL certificates. You must obtain these certificates through another PKI or CA service."
From:
https://learn.microsoft.com/en-us/mem/intune/protect/microsoft-cloud-pki-deployment#ensure-chain-of-trust
Can you help me with this, as I don't understand why the Cloud PKI alone would not be sufficient to provide the root and intermediate CA certs, exported and uploaded to the VPN gateway/firewall and the network access point controllers for Wi-Fi, when combined perhaps with the Microsoft cloud NPS extension service? But then again, that also needs an on-prem AD with a RADIUS server and presumably a CA server?
https://learn.microsoft.com/en-us/entra/architecture/auth-radius
I am happy to use SAML and SSO in Entra for the VPN, which may negate the requirement for RADIUS and NPS, but how would that work for Wi-Fi? Is that also possible?