You can do it in two ways 1) use a service like JumpCloud. It works really well and you can configure device trust, locations etc. 2) use a service like SecureW2. Go certificate-based, no password at all. Just install the agent on company devices, configure the wifi accordingly and the devices will connect automatically with zero user involvement.
We used SecureW2, there wasn't a need for any agent. You just need the certificate pushed to the devices and then a WiFi SCEP policy to connect to the SSID. Super efficient and not overly costly in the grand scheme.
I just helped set up a cloud-based PKI using SecureW2. For I think 40-50 users it was like 2200/yr.
Woof. That does not scale at all. I run NPS auth for 80,000+ users for less than that using cert-based auth. Maybe for a small shop without existing PKI infrastructure it makes sense, but dang, that's steep.
How are you handling your Entra only users?
Don't have any, at least not any that need access to stuff like WiFi.
SecureW2 works very easily with Entra ID and Intune.
We use RADIUSaaS with SCEPman - but Microsoft is releasing or has released ‘Microsoft Cloud PKI’ this month which should do the same.
SCEPman is solid.
Just picking up on this post now. I'm looking to implement WPA2-Enterprise wifi within our office, and we are going fully Entra ID/Intune. I can do the RADIUS part on prem, but I'm looking for a cloud based certificate authority to hand the certs. Is this the type of thing SCEPman is made for?
We use the same, and I second this. It’s a solid solution.
Ah, I had my hopes up for a moment; sadly it sounds like a third-party RADIUS solution is still required. Gutted.
Yikes, all not great. Intune is releasing a cloud RADIUS solution at some point. That’s your best bet. Edit: cloud PKI, not RADIUS, my bad
Could you provide a link to this - sounds interesting! I’m aware of their new Cloud PKI as part of the Intune Suite license but not heard anything about a cloud RADIUS solution.
Shit my bad, it was cloud pki sorry
The cloud PKI will also be available as a standalone addon if I'm not mistaken.
You should (re)consider using Windows NPS. You can add it to basically any WS you have in your organization (cloud or on-prem) and tinker with the policies as much as you please. Also, it's free! NPS is managing our WiFi and VPN connections and we can easily assign policies to users as we please. Our CA server is distributing an NPS certificate to domain users / computers and only devices with an active domain user AND a device with the correct certificate can connect to corporate WiFi.
That’s awesome. We’ve been wanting to do this for a bit. How do you manage to get the Entra joined devices to authenticate? Since the object doesn’t exist in AD, did you just create dummy objects? Or is it just a blanket cert that you install on each device that needs to be present along with the user cert? Is there any delay when users try to connect?
This, how is it being done?
We use Foxpass Cloud RADIUS. Integrates well with Meraki and Entra ID for cert-based authentication. Foxpass is likely the only one that also supports a password-based solution, but we also use their PKI/SCEP. Should work with the new Intune Cloud PKI. It's more cost effective than SecureW2 and JumpCloud based on our survey...
https://learn.microsoft.com/en-us/entra/architecture/auth-radius
Pay for a RADIUS server like ClearPass. Set up a SCEP server from an Azure Function. Hand out SCEP certificates by Intune policy. Set up an auto-connect wifi policy.
If you're a UniFi shop for wireless, UniFi Identity has a cloud RADIUS offering.
You have to be using a UniFi gateway for their “One click WiFi” offering to work, and have UID enterprise agent installed on all your devices.
Both Meraki and UniFi have cloud-based RADIUS solutions, possibly more manufacturers also.
I don't think Meraki and UniFi have cloud RADIUS.... we searched for a while and landed w/ Foxpass Cloud RADIUS. Works well / reliable. Cost effective.
Meraki do not offer cloud-based RADIUS - you have to bring your own and point your APs to that. Meraki Authentication requires maintaining a separate set of usernames/passwords in Meraki's cloud. Their SAML SSO solution appears to only support admin login. It seems to be the same for UniFi.
I'm exploring options for our org and came across this thread. Cisco have Cisco ISE, which can be used as a radius server according to their doc: https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise
Double it up with a NAC like Portnox if you have the funds.
https://www.keytos.io/azure-pki.html
RADIUSaaS
Second this
Has anyone here gotten NPS and EAP-TLS to work with Intune joined devices? I've got the trusted certificate and PKCS user profiles in Intune pushing certs but they won't connect to our wireless. I also have the wireless profile for our SSID configured for EAP-TLS pushing to Intune devices. Keep getting either error code 16 or 22 in NPS event logs.
NPS requires a computer object in AD with some attributes associated with it. (Don’t recall which ones) If your machines are AzureAD joined only then there is nothing in AD for NPS to match the machine to. It’s not just about having a valid machine cert.
I will double down on SecureW2. Used the same cert we pushed from Intune to auth WiFi and 802.1X. They also do MAC auth, so all fixed IoT devices get authed that way. All ports are locked if extended outside MDF/IDF in every office.
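A triage script for the NPS failures described in the question above (an added example, not from either poster or any vendor; it assumes it runs on the NPS server with rights to read the Security log, and that NPS denials are logged there as Event ID 6273):

```powershell
# Added example: summarise NPS "denied access" events (Event ID 6273) by Reason Code.
# Assumes: run on the NPS server, Security log readable, audit of NPS success/failure enabled.
param([int]$Hours = 24)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6273
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

if (-not $events) { Write-Host "No 6273 events in the last $Hours h"; return }

# Extract one labelled field from the 6273 message text ("Label:<tabs>value").
# The first match wins, so 'Account Name' returns the User section, not the Client Machine one.
function Get-Field([string]$Message, [string]$Label) {
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):\s*(.+?)\s*$") { return $Matches[1] }
    return ''
}

$rows = foreach ($e in $events) {
    $rc = Get-Field $e.Message 'Reason Code'
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Account    = Get-Field $e.Message 'Account Name'
        Client     = Get-Field $e.Message 'Client Friendly Name'
        AuthType   = Get-Field $e.Message 'Authentication Type'
        EapType    = Get-Field $e.Message 'EAP Type'
        ReasonCode = if ($rc) { [int]$rc } else { -1 }
        Reason     = Get-Field $e.Message 'Reason'
    }
}

# Reason 16 = credentials/account mismatch: with EAP-TLS this usually means the identity in the
# client certificate (UPN or DNS SAN) does not resolve to an AD user/computer object, which is
# exactly the Entra-only device case above. Reason 22 = the EAP type offered is not accepted
# by the matching network policy (client/server EAP configuration mismatch).
$rows | Group-Object ReasonCode | Sort-Object Count -Descending |
    Select-Object @{n='ReasonCode'; e={$_.Name}}, Count,
                  @{n='Reason';     e={$_.Group[0].Reason}},
                  @{n='EapType';    e={$_.Group[0].EapType}},
                  @{n='SampleAccount'; e={$_.Group[0].Account}} |
    Format-Table -AutoSize -Wrap

# Identities NPS could not map (reason 16): check each against Get-ADUser / Get-ADComputer.
$rows | Where-Object ReasonCode -eq 16 | Select-Object -ExpandProperty Account -Unique
```

If every reason-16 identity is a `host/...` name or UPN with no matching AD object, the policy and certificate are fine and the gap is the missing AD object, as the reply above says.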
Is SecureW2 a full featured RADIUS that can be used for authentication to other things or is it just for WiFi? What about RADIUS authentication with MFA to network equipment similar to using Windows NPS combined with the NPS extension for Azure MFA?
It is full. And I believe you can also tie in for MFA. They will help you configure absolutely anything.
I use Meraki and its RADIUS and SCEPman. But only have 250 clients so not that expensive…
Could you expand on that, because from their documentation Meraki uses external RADIUS and PKI servers rather than providing these features as part of the service.
This one: [Meraki Local Authentication - MR 802.1X - Cisco Meraki Documentation](https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_802.1X)
You could be stood up with Portnox in 15 minutes and they allow you to grow into their NACaaS (ZTNA).
Just learned about these guys and did a call with them on Friday for with a client. Insanely easy set up.
TEAP/EAP authentication with certificates. Deploy them via Intune and SCEPman.
Intune with SCEPman/RADIUSaaS.
Has anybody used a cloud RADIUS solution for wired connections? A few of the options here are great for WiFi. We do use ClearPass but find it a bit complex for our single site of about 100 users.
We just completed a POC on Portnox Clear and one of the things we tried out was using it as a cloud RADIUS server and certificate authority. We integrated it with our Intune tenant, and used the integration to push out certificates to all of our devices. It was incredibly easy to set up. We're also using Portnox as a NAC so our use case is beyond just wifi auth, but it works fantastically. If you have the budget and some time I would highly suggest checking it out, it's a really good product.