Nov 11 2024, 4:46 PM
Why do firewalls never get invited to parties? Because they always block the connection!
If you are open to multiple SSIDs, you can, using only Intune, Cloud PKI and Meraki WiFi:
1. In Intune, create a Cloud PKI cert chain {Root CA, Intermediate CA, Endpoint profile} designated for VLAN 1 (or whatever VLAN number you specify).
2. In Meraki, create an SSID scoped to VLAN 1.
3. In Intune, create a user or device group for VLAN 1 users and deploy the profiles/certs to that group only.
Repeat steps 1-3, changing the names to VLAN 2 and VLAN 2 Users.
End result: two SSIDs on two separate VLANs applicable to two different sets of user groups, and users can only join the particular WiFi SSID assigned to them.
Note 1: you can only do this 3 times due to the 6 CA limit in Cloud PKI, and needing a root and intermediate CA.
Note 2: You can't delete a CA once created without logging a support ticket with MS and getting them to do it for you, which in my experience was rather annoying. So think before you click. 😄 Apparently this has now changed!
I got you now; though I can't give you the answer you particularly want, as Meraki is doing local auth - it doesn't know what users/groups should belong to what VLAN. I tackled this by creating a separate SSID for each VLAN I want to bind the users to when using local auth on a certificate.
SSID for Mobile phones / BYOD = VLAN 123
SSID for Corporate devices network = VLAN 456
Then control who gets what SSID and certificate profile through your MDM / Device Policy system. You can apply policies on device type though.
Next question: How do I prevent someone from just connecting to the other SSID, and therefore VLAN, if they have a certificate?
A: A couple of ways, but primarily, because you can have up to 6 CAs in Azure, you can create an entirely separate certificate chain (Root CA, Intermediate CA, User/Device Cert) for the Guest/BYOD services bound to SSID-1 compared to corporate devices (or multimedia devices) bound to SSID-2.
In terms of managing extra infrastructure, it's all cloud anyway, so there is really not much extra ongoing overhead. It is all just frontloading the setup. Someone more awesomer than I may have a better/cleaner answer.
If I understand your question correctly, you are asking if the SSID can attach clients (whether user or device) to a specific VLAN. Is that correct? If so, the answer is yes, that's exactly what I do. I'll post a screenshot when I'm in the office tomorrow. If not, please clarify the question 🙂
Not me, I've only done:
iOS = passwordless email / WiFi profiles
Android = passwordless email
Windows = WiFi only
I'm by no means an expert on the WiFi side (happy for anyone else to chime in) - but that tells me the WAP is not accepting the certificate. Have you confirmed the iOS device has been issued a certificate and it is installed? On the phone/iPad go: Settings > General > VPN & Device Management > Management Profile > More Details. Under SCEP DEVICE IDENTITY CERTIFICATES, look for your certificate with the Subject name equaling the UserPrincipalName of the person. Ours is deployed using the Microsoft "Company Portal" app on the iPhones. SSID config for reference is:
Just adding another piece after massive issues with WiFi roaming. Scenario: our Windows laptops seem to roam every few seconds, then after a short time get disconnected. I found that when the roam happens between access points, the device has to reauthenticate. With on-prem certs/NDES that's fine, as it's pretty instant. In our Cloud PKI world (cloud WiFi), our authentication logs show the process as taking up to 25 seconds! The result is that if you're on a video call and your device roams, you are effectively on hold for that 25 seconds. The solution was to enable Fast Roaming in the WiFi profile settings, which effectively allows the authentication to be cached for a short duration. In my case, the business day.
Hey Mikeyy, my profile is applied to the user, not the device, in Intune. If you want to filter to only company devices, use Filters. These are my iOS SCEP settings:
Just Microsoft OneDrive issues. It's there and shared, but it took me a few page refreshes to get it to open.
Consolidated walkthrough here - step by step Cloud PKI setup + Meraki setup + WiFi deployment for Windows: Cloud PKI-WiFi.docx. Credit to Oliverkieselbach.com, from which I copied and pasted some notes.
Mine show up in Root under Computer (not User). When creating the trust profiles in Intune, for:
Root CA
Issuing CA
IdenTrust
I am selecting Computer certificate store - Root. Then, when adding the MMC snap-in, be sure to select the local computer store. Otherwise, if you trust some random on the internet and have Teams (world class advice), DM me and I'll spare 15 mins to check it all over.
From here: HydrantID Server CA O1 Certificate - 89B89BB69EEDFBB0C6BD0DEC674E3CA3929D2DF9 (fyicenter.com). But as long as you have the IdenTrust cert deployed to your trusted root store, I wouldn't have thought you would need it.
Check the cert you are pointing to in your Intune WiFi profile is actually deployed to the device/user:
Open MMC
Add the Certificates snap-in (Local Computer for machine certs, My User Account for user certs)
Go to Personal certificates
Check the cert has been deployed.
Yes, the issuing CA gets uploaded to Meraki.
Yup, from the access control page: Wireless > Access control. The Hydrant server cert was a bit harder to track down, hence I don't know if it's needed or not.
I mean, yeah, if the device gets stolen then that's about the scenario where I'd think it would be a concern. But then they have to be in WiFi range, so stolen from your office? Unlikely but possible. You can decide your risk appetite. I VLAN off the device network so it can still get to the internet. For your Azure cloud auth, your device is going to need internet access prior to Windows login - else your devices won't be able to talk to the interwebs to authenticate the username/password when your staff try to log in. A user-only cert won't let you do that. A machine cert will, hence I'm using both and relying on Windows to swap to the correct user network after login. Clear as mud?
With multiple profiles you can check the WiFi priority order with:
netsh wlan show profiles
Set the priority with:
netsh wlan set profileorder name="YOUR_USER_NETWORK_NAME" interface="Wi-Fi" priority=1
netsh wlan set profileorder name="YOUR_DEVICE_NETWORK_NAME" interface="Wi-Fi" priority=2
I'd also point out this may very well be overkill for you - if you are Azure only then I'm taking a bet you have no on-prem server resources to secure, in which case a machine-only cert is probably fine on its own, and forget half of what I have written.
Not at all. I'd argue Azure cloud only is better! (And easier.)
Hey mate, sure, fire away with questions - but to get you going, are you wanting to authenticate the machine or the user? In my setup I have two separate networks and we are Hybrid-Azure.
WiFi_Device = Internet only. Purpose is so devices can authenticate with Azure at a login screen if user credentials are not cached. This uses a machine certificate. SCEP Device Cert: assign to your computer group.
WiFi_User = Internet + corporate resources. SCEP User Cert: also assign to your device group (and apply filtering if you want to limit users).
Make sure you are pushing out a trusted certificate profile for:
IdenTrust (from your Meraki SSID page)
Hydrant CA O1 (from your Meraki SSID page) - not 100% sure you need this, but I added it.
Your Root CA
Your Issuing CA
All 4 will be needed in the WiFi profile to stop the annoying Windows "is this WiFi trusted/what you expect" message.
WiFi Profile: device and user are basically the same except for the cert you choose, so I'll only post the one screenshot and note the variances.
PS. This also works for auto configuration of iPhone WiFi/Outlook 365 email config without passwords.
PPS. Sorry, we sort of derailed a bit from the OP and turned this into a guide.
PPPS. Before anyone cries boogeyman - we are enrolling certs to KSP because Surface devices and possibly others have a bug with 4096-bit keys not working in TPM.
Absolutely - a few things at play there; I'd personally like to see:
- Intune support OCSP
- Meraki support the validation
But compare this all to hosting your own CAs and NDES, which is equally a security risk to manage. Not to mention the admin overhead involved. I'll leave it up to the individuals to determine their strengths / scenario / 'what's the bigger risk'.
PS. Added a note to my prior steps to hat tip your point.
Yeah, have that; I think you are right, it's not liking the wildcard. Found the solution above after a day of pain - thanks though!
Yah! For anyone reading this - I found a solution that works beautifully, although long winded and annoying (and not ideal from a security standpoint).
1. Create the "Windows 10 Template - WiFi profile" in Intune as you normally would.
2. Deploy to a test device.
3. Manually go to Control Panel > Networks > WiFi Adapter > Status > Wireless Properties > Security tab (I don't have my computer with me, so go hunting in there) and untick the "Server Validation" option. The CA selections should now be greyed out.
4. Apply changes.
5. Export the WiFi profile as XML: open a command prompt and run
netsh wlan export profile key=clear folder="YOUR-FOLDER-SAVE-PATH"
6. In Intune, delete/unassign the WiFi profile you created in step 1.
7. Create a new profile, this time selecting Windows 8 or higher > WiFi.
8. Select the XML file you exported in step 5, and publish the new WiFi profile.
9. Profit. Works like a charm here.
It's working for me to a degree:
1. Create Root CA in Intune
2. Create Issuing CA in Intune
3. Create and deploy a configuration profile from the Trusted Certificates template for each CA in Intune
4. Create & deploy SCEP profile
5. Create and deploy WiFi profile
6. Set Meraki SSID to
The only issue I am having is that pesky server validation warning when the client tries to connect. No matter what permutation of server name I seem to try, I can't make it stop showing on the first connection attempt: "Continue connecting? If you expect to find XYZWiFi in this location go ahead..." Otherwise it works OK, I just don't want my users to have to click that warning, so I can't really use this unless anyone knows how to bypass that.
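The by-hand checks spread across these posts (MMC certificate store check, netsh profile priority order, and the server validation setting that the "Continue connecting?" prompt depends on) collected into one diagnostic script for a Windows client. This is an added example, not code from the thread, Meraki or Microsoft; the issuing CA name, root thumbprints and adapter name are placeholders to change for your environment. The script only reads settings and reports them, so it can be run on a test device without changing anything.

```powershell
# Added diagnostic script; not code from this thread, Meraki or Microsoft.
# It automates the by-hand checks in the posts above: are the SCEP-issued certificates
# actually in the certificate stores, which Wi-Fi profiles exist and in what priority
# order, and does each exported profile still validate the RADIUS server certificate.
# Run in an elevated PowerShell session on an enrolled Windows client.
#
# Placeholders (assumptions; change to match your environment):
$IssuingCaCn   = "Contoso Issuing CA"                          # CN of your Cloud PKI issuing CA
$ExpectedRoots = @("0000000000000000000000000000000000000000")  # SHA-1 thumbprints expected in LocalMachine\Root
$InterfaceName = "Wi-Fi"                                       # name of the wireless adapter

# 1. SCEP certificates: machine cert in LocalMachine\My, user cert in CurrentUser\My.
#    Both should be issued by the issuing CA and have a private key bound to them.
function Get-ScepCertificates {
    param([string]$IssuerCn)
    foreach ($store in "Cert:\LocalMachine\My", "Cert:\CurrentUser\My") {
        Get-ChildItem -Path $store |
            Where-Object { $_.Issuer -match "CN=$([regex]::Escape($IssuerCn))" -and $_.HasPrivateKey } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    Expired    = ($_.NotAfter -lt (Get-Date))
                }
            }
    }
}

# 2. Trust anchors: the roots the Wi-Fi profile pins must sit in the machine Root store;
#    machine authentication before logon has nothing to chain to if they are only in the
#    user store.
function Test-TrustedRoots {
    param([string[]]$Thumbprints)
    $installed = Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint.ToUpper() }
    foreach ($t in $Thumbprints) {
        $norm = ($t -replace '\s', '').ToUpper()
        [pscustomobject]@{ Thumbprint = $norm; PresentInMachineRoot = ($installed -contains $norm) }
    }
}

# 3. Profile order: netsh lists the profiles in the order Windows tries them.
function Get-WlanProfileOrder {
    param([string]$Interface)
    $order = @()
    foreach ($line in (netsh wlan show profiles "interface=$Interface")) {
        if ($line -match '^\s*(All User|Current User) Profile\s*:\s*(.+?)\s*$') {
            $order += [pscustomobject]@{ Priority = $order.Count + 1; Scope = $Matches[1]; Name = $Matches[2] }
        }
    }
    return $order
}

# 4. Server validation: export each profile and read its EAP-TLS settings. With
#    PerformServerValidation off the client no longer checks which RADIUS server it is
#    talking to; keeping it on with TrustedRootCA pinned and
#    DisableUserPromptForServerValidation=true suppresses the prompt without that loss.
function Get-WlanServerValidation {
    param([string]$Interface)
    $dir = Join-Path $env:TEMP ("wlan-" + [guid]::NewGuid().ToString())
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        netsh wlan export profile "interface=$Interface" "folder=$dir" | Out-Null
        foreach ($file in Get-ChildItem -Path $dir -Filter *.xml) {
            $xml = [xml](Get-Content -Path $file.FullName -Raw)
            # local-name() sidesteps the several XML namespaces used inside a WLAN profile
            $name   = $xml.SelectSingleNode("/*[local-name()='WLANProfile']/*[local-name()='name']")
            $eap    = $xml.SelectSingleNode("//*[local-name()='EapHostConfig']")
            $perf   = $xml.SelectSingleNode("//*[local-name()='PerformServerValidation']")
            $prompt = $xml.SelectSingleNode("//*[local-name()='DisableUserPromptForServerValidation']")
            $names  = $xml.SelectSingleNode("//*[local-name()='ServerNames']")
            $roots  = @($xml.SelectNodes("//*[local-name()='TrustedRootCA']") | ForEach-Object { $_.InnerText -replace '\s', '' })
            $profileName = if ($name)   { $name.InnerText }   else { $file.BaseName }
            $perfText    = if ($perf)   { $perf.InnerText }   else { '(absent)' }
            $promptText  = if ($prompt) { $prompt.InnerText } else { '(absent)' }
            $namesText   = if ($names)  { $names.InnerText }  else { '' }
            [pscustomobject]@{
                Profile                 = $profileName
                UsesEap                 = [bool]$eap
                PerformServerValidation = $perfText
                PromptSuppressed        = $promptText
                ServerNames             = $namesText
                TrustedRootCA           = ($roots -join ', ')
            }
        }
    }
    finally {
        Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Get-ScepCertificates     -IssuerCn $IssuingCaCn      | Format-Table -AutoSize
Test-TrustedRoots        -Thumbprints $ExpectedRoots | Format-Table -AutoSize
Get-WlanProfileOrder     -Interface $InterfaceName   | Format-Table -AutoSize
Get-WlanServerValidation -Interface $InterfaceName   | Format-List
```

Reading the output: a missing row from the first table means the SCEP profile never landed in that store; a root reported as not present explains a failed chain; and a profile whose PerformServerValidation is "false" is one that will connect to any RADIUS server presenting any certificate, which is the trade-off the export-and-re-import workaround above makes. Pinning TrustedRootCA to the thumbprints of the CAs listed on the Meraki SSID page, and setting the prompt suppression flag, is the setting that removes the warning while keeping validation.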