Meraki

Community

AADJ Device + NPS + SCEP User certificate authentication

Ben_Twoa
Conversationalist
‎Aug 28 2022 6:29 PM
‎Aug 28 2022 6:29 PM

AADJ Device + NPS + SCEP User certificate authentication

Heya,

 

Has anyone successfully deployed this without using any third party service like SCEPMAN or freeradius?

 

I followed this link : https://community.meraki.com/t5/Wireless-LAN/Meraki-RADIUS-NPS-Auth-AAD-Devices-amp-Certificates/m-p... to successfully deploy NDES and certificate connector in intune.

 

Certificates are being deployed to the machines and have created my wifi profile in intune to connect using this certificate. I have created a new SSID to test this and pointed that to a new nps server so it won't mess up the production one. I also created the network profile in nps using smartcard or other certificate but my AADJ pcs won't connect.

 

Can anyone point me to the correct wifi configuration profile and nps network policy? 

Cheers.

 

0 Kudos
5 Replies 5
Brash
Kind of a big deal
Kind of a big deal
‎Aug 28 2022 7:14 PM
‎Aug 28 2022 7:14 PM

NPS can't validate AAD Joined devices.

Device certs and identities won't be found in the local AD infrastructure and it has no way of checking AAD.

You would need a RADIUS server with AAD integration, or hybrid join your devices.

https://docs.microsoft.com/en-us/answers/questions/57999/device-certificate-scep-based-authenticatio...

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 28 2022 9:33 PM
‎Aug 28 2022 9:33 PM

I've worked with a company doing this - and it did work.  It was a real b*tch to get going.  I hope I am never involved in another such deployment.

 

I think you need to make sure your AD Sync has device write back configured, so AADJ machines also appear in your local Active Directory.  The certificates get issued against those.

 

Good luck.  I think it took 3 weeks to get going.  Then after 12 months a certificate expired, somewhere, and it took another three weeks to fix.  I'm not looking forward to next year ...

In response to PhilipDAth
Brash
Kind of a big deal
Kind of a big deal
‎Aug 29 2022 5:39 AM
‎Aug 29 2022 5:39 AM

100% it's a massive pain.

 

And you're right, if you are hybrid domain joined with write back, AAD devices will populate into AD and you won't hit these issues (although you'll might hit some other issues with Autopilot).

Ben_Twoa
Conversationalist
‎Aug 29 2022 8:16 PM
‎Aug 29 2022 8:16 PM

Oh well, might need to implement a cloud radius solution.

 

Any suggestions on which one is the best out there? 

 

Thanks.

0 Kudos
In response to Ben_Twoa
Brash
Kind of a big deal
Kind of a big deal
‎Aug 29 2022 8:24 PM
‎Aug 29 2022 8:24 PM

I've never personally used it but I know Aruba Clearpass is a crowd favourite.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.