WiFi WPA2 Enterprise seamless sign-on

rajeshkhanikar
Occasional Contributor

WPA2 Enterprise setup in Intune requires the on-premise domain-joined NDES server and a certificate issued by the internal CA. WPA2 Enterprise seamless authentication will not work if the device is not joined to the on-premise AD. By seamless, we mean that users are not prompted for authentication. How do we enable seamless WPA2 Enterprise authentication for Azure AD joined Windows 10 computers (computers which are only joined to Azure AD, not hybrid)?

13 Replies
I have not tried this personally, but I would think you would have to follow this article to ensure Azure AD joined devices are cared for.

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybri...

Thanks for your response. We have seen this article. But it doesn't discuss expected behaviour for Azure AD joined computers (not hybrid). Our goal is to enable seamless WPA2 Enterprise authentication for only Azure AD joined computers (not hybrid).

Ah I see. In that case, NDES should hand out the client certificate to your Azure AD joined computer. And then you will need to make sure the Azure AD joined computer has the root certificate as well. Have you confirmed that NDES is handing out the client certificate and that the root certificate is being deployed to your computers?

You might also want to follow this thread; sounds like a similar problem to yours.


https://techcommunity.microsoft.com/t5/Microsoft-Intune/Devices-not-connecting-to-WPA2-Enterprise-EA...

We have registered a case with Microsoft; it looks like there are some issues with Intune in our tenant. Wifi profiles fail to apply.

Please keep us posted. I'd be interested to know if you make any headway with Microsoft as I have a case open with them for a similar issue on iOS.
Solution

Forgot to update this.

Short answer: If the computer is only joined to Azure AD, WPA2 Enterprise seamless authentication is not possible.


As of now (March 2019) it is not possible to have seamless (users are not prompted for authentication) WPA2 Enterprise authentication when the computers (Windows 10) are not joined to an on-premise AD (only joined to Azure AD). This is because the winlogon credentials contain a cloud user which will not be allowed to authenticate automatically on RADIUS (RADIUS is using the on-premise AD).

Thanks for sharing with everyone. Were you able to discuss the scenario if the user is hybrid and the device is cloud only? @rajeshkhanikar

@rajeshkhanikar But what about doing device level authentication? I presume the device will be able to enrol via NDES for a certificate and then authenticate via 802.1x at a machine level.

I have made this work. CA + NDES with Intune SCEP enrolment policy to issue user certificates. Intune WiFi profile for EAP-TLS authentication and finally a FreeRadius Linux RADIUS server to do the authentication. This is seamless. You can't use NPS as the RADIUS server, as that always attempts to authenticate to AD (requiring domain join or a nasty manual certificate mapping setup). FreeRadius can be configured to just validate the client certificate only.
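The "validate the client certificate only" setup described above, as an added FreeRADIUS 3.x `mods-available/eap` example (not Ben Nichols' actual configuration files); the file paths and the issuer DN are hypothetical placeholders for the internal CA that NDES/SCEP enrols the Intune clients against.

```conf
# mods-available/eap (FreeRADIUS 3.x) - added example, not from the original post.
# Hypothetical paths and DN; substitute your own CA material.
eap {
	# Only EAP-TLS is defined below. With no peap/ttls/mschapv2 subsections,
	# no password method that would need an AD lookup is ever offered.
	default_eap_type = tls

	tls-config tls-common {
		certdir = ${confdir}/certs
		cadir   = ${confdir}/certs

		# Server identity shown to the Windows 10 supplicant. The Intune
		# Wi-Fi profile must trust the CA that issued this server cert.
		private_key_file = ${certdir}/radius-server.key
		certificate_file = ${certdir}/radius-server.pem

		# Only the internal root/issuing CA goes in ca_file. A client cert
		# that does not chain to it is rejected here, with no AD involved.
		ca_file = ${cadir}/internal-root-ca.pem

		# Honour revocation: hashed CRLs for the CA must live in ca_path.
		check_crl = yes
		ca_path   = ${cadir}

		# Pin the issuer DN so a cert from any other CA in the bundle
		# cannot be used to join the network (hypothetical DN).
		check_cert_issuer = "/DC=corp/DC=example/CN=Example Issuing CA"

		# Refuse legacy TLS and weak suites on the EAP tunnel.
		tls_min_version = "1.2"
		cipher_list     = "HIGH"
	}

	tls {
		tls = tls-common
	}
}
```

Because the decision is made purely on the certificate chain, the matching detection point is the RADIUS accept/reject log, so make sure revoked or foreign-CA rejections are actually being logged and reviewed.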

@Ben Nichols Yes, certificate based authentication is an option. In our case requirement was to use only Azure AD, without any on-premise servers (no federated AD) or VMs on cloud. Using only Azure AD, cloud only users, currently it is not possible.

@rajeshkhanikar That sounds about right. I have achieved it with no on-prem servers, and just 3 small Azure VMs (CA, NDES and RADIUS servers) using EAP-TLS.


You might possibly be able to also achieve it using Azure Directory Services (to give you an LDAP endpoint) and one RADIUS server with EAP-TTLS with MSCHAPv2.

@Ben Nichols 


Nicely done, I'm setting up something similar for our customers. Would you mind sharing the freeradius conf files? I'd love to see which approach you've used to make it work.
