# SCEPman Enterprise

{% stepper %}
{% step %}

### Deploy SCEPman Enterprise

{% hint style="warning" %}
Please note that this scenario requires [SCEPman Enterprise Edition](https://docs.scepman.com/editions#edition-comparison).
{% endhint %}

First, set up and configure your SCEPman instance. Use the [documentation](https://docs.scepman.com/scepman-deployment/deployment-guides) relevant to your environment to install and configure SCEPman. Once completed, return to this article.
{% endstep %}

{% step %}

### Establish trust between RADIUSaaS and SCEPman

For RADIUSaaS to trust client authentication certificates issued by SCEPman PKI, you must add SCEPman's root CA certificate to the RADIUSaaS trust store following [these steps](https://docs.radiusaas.com/admin-portal/settings/trusted-roots#add).
{% endstep %}

{% step %}

### Configure the RADIUS Server Certificate

{% embed url="<https://docs.radiusaas.com/admin-portal/settings/settings-server#scepman-connection>" %}
{% endstep %}

{% step %}

### Configure your Networking Equipment

To configure your networking equipment (WiFi access points, switches, or VPN gateways), follow [these steps](https://docs.radiusaas.com/configuration/generic-guide#step-4-network-equipment-configuration).

After successful completion of Steps 2 - 4, the **Trusted Certificates** page of your RADIUSaaS instance will look similar to the one below. Please note that in our example we have used a RadSec-enabled [MikroTik](https://docs.radiusaas.com/configuration/access-point-setup/radsec-available/mikrotik) access point that leverages a SCEPman-issued RadSec **Client Certificate**.

<figure><img src="https://1222554226-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSWU1DQ4UGkqER7uGNUOm%2Fuploads%2F3SzVBPrnIcvtY9ppojCH%2Fimage.png?alt=media&#x26;token=83ee3553-ac4f-49aa-8e45-2b159246bfad" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Configure Intune Profiles

To set up certificate-based WiFi authentication, you will need to create and deploy a number of policies via Intune. These policies are as follows:

<table><thead><tr><th width="371">Profile Type</th><th>Purpose</th></tr></thead><tbody><tr><td>Trusted certificate</td><td>Deploy the Root CA certificate that has issued the RADIUS Server Certificate. <br><br>In this scenario, the relevant CA corresponds to the SCEPman Root CA. </td></tr><tr><td>SCEP certificate</td><td>Deploy the client authentication certificate.</td></tr><tr><td>Wi-Fi</td><td>Deploy the wireless network adapter settings.</td></tr></tbody></table>

<figure><img src="https://1222554226-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSWU1DQ4UGkqER7uGNUOm%2Fuploads%2FnFBmwAxWn8oMM35Y5bFe%2Fimage.png?alt=media&#x26;token=c1ad524f-476f-4ee3-afb8-9da3c58087b6" alt=""><figcaption><p>Relevant Intune Policies</p></figcaption></figure>

### Trusted Certificate Profile

This profile was configured as part of the [SCEPman setup](https://docs.scepman.com/certificate-deployment/microsoft-intune).

### SCEP Certificate Profile

This profile was configured as part of the [SCEPman setup](https://docs.scepman.com/certificate-deployment/microsoft-intune).

### WiFi Profile <a href="#step-1-create-root-ca-in-admin-center" id="step-1-create-root-ca-in-admin-center"></a>

Deploy the Wi-Fi adapter settings to your devices by following this article:

{% content-ref url="../../../profile-deployment/microsoft-intune/wifi-profile" %}
[wifi-profile](https://docs.radiusaas.com/profile-deployment/microsoft-intune/wifi-profile)
{% endcontent-ref %}
{% endstep %}

{% step %}

### Permissions and Technical Contacts

{% hint style="warning" %}
This is a **mandatory** step.
{% endhint %}

First, review your [Permissions](https://docs.radiusaas.com/admin-portal/settings/permissions) to ensure the right people in your organization have the right level of administrative access to your RADIUSaaS instance.

{% hint style="success" %}
To **prevent yourself from being locked** out of your RADIUSaaS instance, always ensure that either

* at least two user identities or
* one service account

are configured as [Administrators](https://docs.radiusaas.com/admin-portal/settings/permissions#administrators).
{% endhint %}

Next, ensure that we are able to contact you in case we have important technical information to share by reviewing the [Technical Contacts](https://docs.radiusaas.com/admin-portal/settings/permissions#technical-contacts) section.

{% hint style="success" %}
For us to **reliably deliver important information** to you via email, always ensure that either

* at least two email addresses of individuals or
* one shared mailbox / distribution list

are configured.
{% endhint %}
{% endstep %}

{% step %}

### Rules

This is an **optional** step.

If you would like to configure additional rules, for example to assign VLAN IDs or limit authentication requests to certain trusted CAs or WiFi access points, please check out the RADIUSaaS Rule Engine.

{% content-ref url="../../../admin-portal/settings/rules" %}
[rules](https://docs.radiusaas.com/admin-portal/settings/rules)
{% endcontent-ref %}
{% endstep %}
{% endstepper %}


