Meraki Community

@PhilipDAth Thank you but what do you plug here? Azure Cloud PKI does NOT expose any end points on the public Internet to where the MR can be pointed to?

In the image here, you have certificate auth disabled.

Following what @PhilipDAth said, you need to enable it.

Under our account it looks to be £1.64 per licence/per month. Think the pricing is similar to SCEPMan with support.

In Cloud PKI, there are two different formats for downloading the root CA. You need to download the other format.

Hi @PhilipDAth I am now testing this and stuck at the same point, I will have one option to download from Microsoft Cloud PKI and it downloads as .cer. Meraki says this is invalid. Any help would be much appreciated!

Got it working now @PhilipDAth @RobinHelmig opened the cert and Details tab - copy to file and choose second option, even though it saves as CER you can upload it into Meraki.

No i did not, i'm short on time at the moment.

Did you get this working @TJONES-614 ? Is it the same certificate mentioned here https://learn.microsoft.com/en-us/mem/intune/protect/microsoft-cloud-pki-configure-ca#create-trusted...

I don't have it working.    However, I did deploy the trusted root and issuing certificates.    Once created, I used OpenSSL to convert the certificates into the PEM format.   

I have it working pointing to the Meraki Local Auth and via NPS, the Local Auth method seems to take a long time to authenticate and I did have to reboot the AP to get it working. The lack of OCSP with Cloud PKI is a bit disappointing, only have CRL, which the Meraki Local Auth doesn't seem to support.

You've gone far - thanks the the screenshot - that warning I think is a stupid windows thing - I’ve seen a specific checkbox in the supplicant policy to suppress that warning and few other “safety” warnings in Windows; I encountered this many moons ago in the NPS world with fully legit paid certs and still - people had to click to connect 

Yah!  For anyone reading this - i found a solution that works beautifully. Although long winded and annoying. (And not ideal from a security standpoint)

1. Create the "Windows 10 Template - WiFi profile" in intune as you normally would.

2. Deploy to a test device.

3. Manually go to control panel > Networks > WIfi Adapter > Status > Wireless Properties > Security Tab, (i dont have my computer with me so go hunting in there ) and untick the "Server Validation" option. The CA selections should now be greyed out.

4. Apply changes

5. Export the wifi profile as XML: open command prompt and; netsh wlan export profile key=clear folder="YOUR-FOLDER-SAVE-PATH"

6. In intune, delete/unassign the wifi profile you created in step 1.

7. Create a new profile this time select Windows 8 or higher > Wifi

8. Select the XML file you exported in Step 5, and publish the new WiFi Profile

9 Profit.

Works like a charm here. 

@Akeon I totally agree that this is a working solution; however something crossed my mind: isn't doing so dangerous as an evil doer could harvest credentials; simply create a network with the same SSID and supplicants will happily send user IDs and passwords, though auth will fail for the legit supplicants, the fake SSID owner will harvest them and then can use them on the real SSID to auth and get "wire" equivalent access, at least on a network level - far from an open door but one foot in so to speak...

Absolutely - few things at play there, id personally like to see:

-Intune support OCSP 
-Meraki to support the validation

But compare this all to hosting your own CAs and NDES which is equally a security risk to manage. Not to mention the admin overhead involved.

I'll leave up to the individuals to determine their strengths / scenario / 'whats the bigger risk'.

PS. added a note to my prior steps to hat tip your point. 

This system does not transmit usernames or passwords.  I only ever sends the public key of the public part of the certificate.

The secret key of the certificate never leaves the device.

Hi @Akeon I also had this issue with clients asking if they expect to find the network. Only way I found is to add the network name shown below into Intune WiFi profile, I used *. before, but appears it does not like wildcard. And make sure the root (IdenTrust) certificate is present on the devices you are connecting from.

Yeah have that, i think you are right its not liking the wildcard.
Found solution above after a day of pain- thanks though!