We had a sumular issue and it turned out to be due to MTU size. The packets would be broken up into smaller chunks that are not big enough to contain the header information in the packet required for raduis auth. The packets then arrive with only partial incomplete header information. Changing to the correct MTU fixed the issue for us.  ... View more

@jpcaid    There is not much to see. It's an Imported Wi-Fi XML profile.   I used the "Wi-Fi import" option when selecting "Windows 8.1 and later" configuration profile platform. To get the XML file, you set up the Wi-Fi network manually on a test device and get it to work, then export the xml file using command prompt.   I believe this was mentioned somewhere in this thread.   Below is an example. If you want to make use of it, you will need to update the following properties to match your environment:   <name> <hex> <TrustedRootCA> <IssuerHash>     <?xml version="1.0"?> <WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"> <name>Your SSID</name> <SSIDConfig> <SSID> <hex>3845876245786</hex> <name>Your SSID</name> </SSID> <nonBroadcast>true</nonBroadcast> </SSIDConfig> <connectionType>ESS</connectionType> <connectionMode>auto</connectionMode> <MSM> <security> <authEncryption> <authentication>WPA2</authentication> <encryption>AES</encryption> <useOneX>true</useOneX> </authEncryption> <PMKCacheMode>enabled</PMKCacheMode> <PMKCacheTTL>720</PMKCacheTTL> <PMKCacheSize>128</PMKCacheSize> <preAuthMode>enabled</preAuthMode> <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"> <authMode>machine</authMode> <EAPConfig> <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"> <EapMethod> <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type> <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId> <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType> <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId> </EapMethod> <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"> <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"> <Type>13</Type> <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"> <CredentialsSource> <CertificateStore> <SimpleCertSelection>true</SimpleCertSelection> </CertificateStore> </CredentialsSource> <ServerValidation> <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation> <ServerNames></ServerNames> <TrustedRootCA>a1 b2 c3 d4 e5 f6 g7 h8 i0 j1 k2 l3 m4 n5 o6 p7 q8 r9 s0 </TrustedRootCA> </ServerValidation> <DifferentUsername>false</DifferentUsername> <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation> <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName> <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"> <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3"> <CAHashList Enabled="true"> <IssuerHash>a1 b2 c3 d4 e5 f6 g7 h8 i0 j1 k2 l3 m4 n5 o6 p7 q8 r9 s0 </IssuerHash> </CAHashList> </FilteringInfo> </TLSExtensions> </EapType> </Eap> </Config> </EapHostConfig> </EAPConfig> </OneX> </security> </MSM> <MacRandomization xmlns="http://www.microsoft.com/networking/WLAN/profile/v3"> <enableRandomization>false</enableRandomization> </MacRandomization> </WLANProfile>     ... View more

Hi @jpcaid    Sure, Here is my SCEP cert config in Intune.   You can also find the full setup guide here. The easy way to deploy device certificates with Intune – Modern IT – Cloud – Workplace (oliverkieselbach.com)   ... View more

Hi All,   So I have finally found a solution for Azure Device based certificate Authentication that actually works. Although it makes use of a paid 3rd party cloud based PKI service and Radius-as-a-Service.   I have tested it and it works like a charm. Setup is also not too complicated.   For those interested and willing to go for a paid service to escape the dependency on on-prem systems, here are the links.   https://scepman.com/ 3rd Party CA Certificate Enrollment with Intune   https://www.radius-as-a-service.com/ Cloud Radius   Both services are offered by the same German firm "Glueck & Kanja".   Kind Regards   ... View more

Hi RonaldB,   Just an update. So I finally managed to get it working. YAY! Had to tweak my radius profile a bit and exported the manually set up Wi-Fi profile as you suggested.   I'll make sure to post updates here, if I ever get device based certificate authentication working in Intune. (Never going to get used to calling it "Endpoint Manager")   The idea is still to go full cloud, moving to a 100-percent internet-first model for client connectivity. Being dependent on an "on-perm" Radius and CA does not serve that goal. (Both Azure VM's)   For now user cert auth using this method is good enough, until I can find something to better serve our goals.   Thanks for everyone's help and support. ... View more

@RonaldB    Thanks for all the info and advice posted.   Yes, my user certificates are enrolling successfully in Intune and visible everywhere you mentioned. I can also see the user cert in the MMC user cert snap in.   I now need to get my Wi-Fi profile working. I do have a xml export from a working PC of the Wi-Fi profile deployed via GPO. I doubt it will work since its configured to user a device certificate.     ... View more

Thanks @RonaldB   I will try everything you suggested. Working from home makes it difficult to test. I only go into the office about once a week nowadays.   I opted for user certificates since I would like this to work on Azure AD Joined devices (Not Hybrid).   The certificate is present on my device, it was enrolled using a SCEP profile on Intune. The certificate also shows up in Intune --> Dashboard --> Devices --> Monitor --> Certificates   I will revert back if I get it working. ... View more

Hi All,   So my test today did not go as expected. Seems my Intune Wi-Fi profile is not configured correctly.   Anybody have any experience in how to configure the profile for it to work on Meraki? I currently get an error saying "cant connect because you need a certificate to sign in"   This is what I currently have:         ... View more

Hi @RonaldB,   Thanks for finding out. I presume it only works for Aruba.   I have seen one user implemented user based cert auth using FreeRadius: https://stackoverflow.com/questions/40747952/freeradius-authentication-through-azure-active-directory   I wonder if the same can be done for device cert auth...   @PhilipDAthThanks for the link, it looks promising. I'm going to try to get it working on NPS with user cert auth before I give up and pay for a cloud based service. AFAIK, the only difference between user cert auth and device cert auth is that the wi-fi will only connect once the user has logged into the device. I can live with that until we find a working device cert auth method for Azure AD Joined devices.     ... View more

Thanks @RonaldB for all your help with this.   I'm fairly new to certificate auth methods, so im learning on the job.   I have set up and deployed NDES with the Intune connector by following the article you posted. Cert enrollment works and a cert is issued from my on-prem CA to the Azure AD Device.   I will test the user cert auth on my internal NPS later this week via Meraki wi-fi radius auth. If its not too much trouble to ask your client what Linux Radius solution there where running, it would be much appreciated and very interesting.   On that note, has anyone tried using a cloud based 3rd party radius service that integrates into Azure AD, like this one from SecureW2 (https://www.cloudradius.com/radius-authentication-with-azure-ad) ?   ... View more

I am trying to achieve the exact same thing in our organization. Thus far my efforts have not been fruitful. I will post an update if I happen to get it working.   The advice given here thus far has been a huge help.   Thank you. ... View more

Good day all,   I had a similar issue and would just like to share what resolved it for me. After getting a radius error stating in the logs stating that "The RADIUS Request message that Network Policy Server received from the network access server was malformed." I did a verbose packet capture and found that the packet was indeed not well formed and seems to be missing some data.   Turns out this was caused by a Bad MTU size, since my radius server sits in the cloud and is reached via VPN. So the upstream provider used a MTU size of 1400 and Meraki MX by default uses 1500.   as you can imagine this caused some issues with the radius packets.   After logging a request for Meraki to change my MTU size to 1338, everything started working with Radius again.   Here is an article about changing the MTU size for Meraki. https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Troubleshooting_MTU_Issues   I ran this ping to test and kept lowering the MTU until I found the correct combo that produced a successful ping response.   ping "My Radius Server" -l 1472 -f   Hope this helps someone.   ... View more