Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

AADJ Device + NPS + SCEP User certificate authentication

Ben_Twoa
Conversationalist
‎Aug 28 2022 6:29 PM
‎Aug 28 2022 6:29 PM

AADJ Device + NPS + SCEP User certificate authentication

Heya,

 

Has anyone successfully deployed this without using any third party service like SCEPMAN or freeradius?

 

I followed this link : https://community.meraki.com/t5/Wireless-LAN/Meraki-RADIUS-NPS-Auth-AAD-Devices-amp-Certificates/m-p... to successfully deploy NDES and certificate connector in intune.

 

Certificates are being deployed to the machines and have created my wifi profile in intune to connect using this certificate. I have created a new SSID to test this and pointed that to a new nps server so it won't mess up the production one. I also created the network profile in nps using smartcard or other certificate but my AADJ pcs won't connect.

 

Can anyone point me to the correct wifi configuration profile and nps network policy? 

Cheers.

 

0 Kudos
Subscribe
5 Replies 5
Brash
Kind of a big deal
Kind of a big deal
‎Aug 28 2022 7:14 PM
‎Aug 28 2022 7:14 PM

NPS can't validate AAD Joined devices.

Device certs and identities won't be found in the local AD infrastructure and it has no way of checking AAD.

You would need a RADIUS server with AAD integration, or hybrid join your devices.

https://docs.microsoft.com/en-us/answers/questions/57999/device-certificate-scep-based-authenticatio...

Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 28 2022 9:33 PM
‎Aug 28 2022 9:33 PM

I've worked with a company doing this - and it did work.  It was a real b*tch to get going.  I hope I am never involved in another such deployment.

 

I think you need to make sure your AD Sync has device write back configured, so AADJ machines also appear in your local Active Directory.  The certificates get issued against those.

 

Good luck.  I think it took 3 weeks to get going.  Then after 12 months a certificate expired, somewhere, and it took another three weeks to fix.  I'm not looking forward to next year ...

Subscribe
In response to PhilipDAth
Brash
Kind of a big deal
Kind of a big deal
‎Aug 29 2022 5:39 AM
‎Aug 29 2022 5:39 AM

100% it's a massive pain.

 

And you're right, if you are hybrid domain joined with write back, AAD devices will populate into AD and you won't hit these issues (although you'll might hit some other issues with Autopilot).

Subscribe
Ben_Twoa
Conversationalist
‎Aug 29 2022 8:16 PM
‎Aug 29 2022 8:16 PM

Oh well, might need to implement a cloud radius solution.

 

Any suggestions on which one is the best out there? 

 

Thanks.

0 Kudos
Subscribe
In response to Ben_Twoa
Brash
Kind of a big deal
Kind of a big deal
‎Aug 29 2022 8:24 PM
‎Aug 29 2022 8:24 PM

I've never personally used it but I know Aruba Clearpass is a crowd favourite.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.