SCEPman PKI

This article describes the configuration steps necessary to implement certificate-based WiFi authentication using SCEPman with Intune. For this demonstration, we will use a MikroTik access point.

Step 1: Deploy SCEPman Enterprise

First and foremost, you will need to set up and configure your SCEPman PKI. Please use documentation relevant to your environment to perform the installation and configuration of SCEPman. Once completed, return to this article.

Step 2: Establish trust between RADIUSaaS and SCEPman

For RADIUSaaS to trust client authentication certificates issued by SCEPman PKI, you must add SCEPman's root CA certificate to the RADIUSaaS trust store following these steps.

Step 3: Configure the RADIUS Server Certificate

In this example, we will use a RADIUS Server Certificate issued by SCEPman. Therefore, follow below steps:

  1. Generate and upload your SCEPman-issued RADIUS Server Certificate as described here.

  2. Activate the SCEPman-issued RADIUS Server Certificate as described here.

Once completed, your Server Certificate settings should look like this:

Step 4: Configure your networking equipment

To configure your networking equipment (Wi-Fi access points, switches, or VPN gateways), follow these steps.

After successful completion of Steps 2 - 4, the Trusted Certificates page of your RADIUSaaS instance will look similar to the one below. Please note that in our example we have used a RadSec-enabled MikroTik access point that leverages a SCEPman-issued RadSec Client Certificate.

Step 5: Configure Intune Profiles

To set up certificate-based Wi-Fi authentication, you will need to create and deploy a number of policies via Intune. These policies are as follow:

Profile Type
Purpose

Trusted certificate

Deploy the Root CA certificate that has issued the RADIUS Server Certificate. In this scenario, the relevant CA corresponds to the SCEPman Root CA.

SCEP certificate

Deploy the client authentication certificate.

Wi-Fi

Deploy the wireless network adapter settings.

Relevant Intune Policies

Trusted certificate profiles

This profile was configured as part of the SCEPman setup.

SCEP certificate profile

This profile was configured as part of the SCEPman setup.

Wi-Fi profile

Deploy the Wi-Fi adapter settings to your devices by following this article:

WiFi Profile

Last updated

Was this helpful?