SCEPman PKI

This article describes the configuration steps necessary to implement certificate-based WiFi authentication using SCEPman with Intune. For this demonstration, we will use a MikroTik access point.

1. Deploy SCEPman Enterprise

First and foremost, you will need to set up and configure your SCEPman PKI. Please use the documentation relevant to your environment to perform the installation and configuration of SCEPman. Once completed, return to this article.

2. Establish trust between RADIUSaaS and SCEPman

For RADIUSaaS to trust client authentication certificates issued by SCEPman PKI, you must add SCEPman's root CA certificate to the RADIUSaaS trust store following these steps.

3. Configure the RADIUS Server Certificate

4. Configure your networking equipment

To configure your networking equipment (Wi-Fi access points, switches, or VPN gateways), follow these steps.

After successful completion of Steps 2 - 4, the Trusted Certificates page of your RADIUSaaS instance will look similar to the one below. Please note that in our example we have used a RadSec-enabled MikroTik access point that leverages a SCEPman-issued RadSec Client Certificate.

5. Configure Intune Profiles

To set up certificate-based Wi-Fi authentication, you will need to create and deploy a number of policies via Intune. These policies are as follows:

| Profile Type | Purpose |
| --- | --- |
| Trusted certificate | Deploy the Root CA certificate that has issued the RADIUS Server Certificate. In this scenario, the relevant CA corresponds to the SCEPman Root CA. |
| SCEP certificate | Deploy the client authentication certificate. |
| Wi-Fi | Deploy the wireless network adapter settings. |

Relevant Intune Policies
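
The trust relationships from Step 2 and from the Trusted certificate profile can be checked offline before anything is uploaded or deployed. The following is an added example, not taken from the SCEPman or RADIUSaaS documentation; it assumes the `openssl` CLI is installed, the function names are hypothetical, and every certificate it creates is constructed lab material.

```bash
# Added example: every certificate here is constructed lab material.

# is_root_ca FILE: self-issued certificate that carries CA:TRUE.
is_root_ca() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# chains_to ROOT LEAF PURPOSE: LEAF validates against ROOT as sslclient or sslserver.
chains_to() {
  openssl verify -CAfile "$1" -purpose "$3" "$2" 2>/dev/null | grep -q ': OK$'
}

# make_lab DIR NAME: constructed root CA NAME plus one client and one server leaf.
make_lab() {
  local d=$1 ca=$2 leaf
  cat > "$d/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[v3_root]
basicConstraints = critical,CA:TRUE
[client]
extendedKeyUsage = clientAuth
[server]
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/lab.cnf" -extensions v3_root \
    -subj "/CN=Constructed $ca" -keyout "$d/$ca.key" -out "$d/$ca.pem" -days 2 2>/dev/null
  for leaf in client server; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/lab.cnf" -subj "/CN=$ca-$leaf" \
      -keyout "$d/$ca-$leaf.key" -out "$d/$ca-$leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/$ca-$leaf.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
      -CAcreateserial -extfile "$d/lab.cnf" -extensions "$leaf" \
      -out "$d/$ca-$leaf.pem" -days 2 2>/dev/null
  done
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); make_lab "$d" rootA; make_lab "$d" rootB
  is_root_ca "$d/rootA.pem" && echo "rootA: usable as trust-store root"
  chains_to "$d/rootA.pem" "$d/rootA-client.pem" sslclient && echo "client cert: accepted"
  chains_to "$d/rootB.pem" "$d/rootA-client.pem" sslclient || echo "wrong root: rejected"
  chains_to "$d/rootA.pem" "$d/rootA-client.pem" sslserver || echo "client cert as server: rejected"
  rm -rf "$d"
fi
```

Run the script with `--demo` to see all four outcomes, or call `is_root_ca` and `chains_to` on your own exported PEM files.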

Trusted certificate profiles

This profile was configured as part of the SCEPman setup.

SCEP certificate profile

This profile was configured as part of the SCEPman setup.

Wi-Fi profile

Deploy the Wi-Fi adapter settings to your devices by following this article:

WiFi Profile

6. Permissions and Technical Contacts

First, review your Permissions to ensure the right persons in your organization have the right level of administrative access to your RADIUSaaS instance.

Next, ensure that we are able to contact you in case we have important technical information to share by reviewing the Technical Contacts section.

7. Rules

This is an optional step.

If you would like to configure additional rules, for example to assign VLAN IDs or limit authentication requests to certain trusted CAs or WiFi access points, please check out the RADIUSaaS Rule Engine.

Rules
