Hi everyone,
It's April of 2024, Microsoft Cloud PKI for Microsoft Intune has been out for some time and it looks very promising for AAD-only joined devices but how do we hook our MRs to it so one can do enterprise 802.11x based on PKI certificate auth (device based auth)?
https://learn.microsoft.com/en-us/mem/intune/protect/microsoft-cloud-pki-overview
I know how to do it the legacy way, with on-prem CA etc EAP-TLS and RADIUS as the last mile authenticator to the Meraki AP but this "Cloud PKI" is totally new. It promises to eliminate on-prem CA, the Intune connector and a ton of other heavy weight.
Anyone gone down that road? What endpoint would the APs talk to? What profile to setup the SSID under? So many unknowns?
Thanks
~B
Already done it.
Configure the SSID to use local auth with certificate authentication. Upload your CloudPKI certificate. Works great.
@PhilipDAth Thank you but what do you plug in here? Azure Cloud PKI does NOT expose any endpoints on the public Internet where the MR can be pointed to?
In the image here, you have certificate auth disabled.
Following what @PhilipDAth said, you need to enable it.
I was just looking at this and it's damn expensive
2000 devices/users somewhere in the region of £34000 per annum as a standalone add-on.
You would think MS would include this in enterprise licences.
Under our account it looks to be £1.64 per licence/per month. Think the pricing is similar to SCEPMan with support.
When running a test to install the certificate I get the following error
In Cloud PKI, there are two different formats for downloading the root CA. You need to download the other format.
Hi @PhilipDAth I am now testing this and stuck at the same point, I will have one option to download from Microsoft Cloud PKI and it downloads as .cer. Meraki says this is invalid. Any help would be much appreciated!
Got it working now @PhilipDAth @RobinHelmig: opened the cert, Details tab, Copy to File, and chose the second option; even though it saves as CER you can upload it into Meraki.
@RobinHelmig Did you get the correct format uploaded? I'm not seeing where the other format is available. Or do you download the .cer file and convert it to PEM?
No, I did not; I'm short on time at the moment.
Did you get this working @TJONES-614 ? Is it the same certificate mentioned here https://learn.microsoft.com/en-us/mem/intune/protect/microsoft-cloud-pki-configure-ca#create-trusted...
I don't have it working. However, I did deploy the trusted root and issuing certificates. Once created, I used OpenSSL to convert the certificates into the PEM format.
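The "invalid certificate" problem above comes down to encoding, not the .cer extension: a DER (binary) export and a Base-64/PEM export can both be saved as .cer. The snippet below is an added example (not from this thread, not Meraki or Microsoft code) that detects which encoding a downloaded file uses, converts DER to PEM with the standard library, and builds a root-plus-issuing bundle; the sample DER bytes are a constructed ASN.1 SEQUENCE placeholder, not a real certificate.

```python
import ssl
import sys

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def is_pem(data: bytes) -> bool:
    """Base-64 encoded X.509 export: starts with the textual PEM header."""
    return data.lstrip().startswith(PEM_HEADER)


def is_der(data: bytes) -> bool:
    """DER export: a binary ASN.1 SEQUENCE, whose first tag byte is 0x30."""
    return len(data) > 2 and data[0] == 0x30


def to_pem(data: bytes) -> str:
    """Return the certificate as PEM text regardless of how it was exported."""
    if is_pem(data):
        return data.decode("ascii")
    if is_der(data):
        # ssl.DER_cert_to_PEM_cert just Base-64 wraps the DER and adds headers
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("file is neither a DER nor a PEM certificate")


def build_bundle(cert_blobs: list[bytes]) -> str:
    """Concatenate root and issuing CA certs into one PEM bundle, in order."""
    return "".join(to_pem(blob) for blob in cert_blobs)


# Constructed placeholder: a minimal valid ASN.1 SEQUENCE (not a real cert),
# enough to exercise the DER detection and conversion path offline.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"


def demo() -> str:
    """Round-trip the constructed sample through DER -> PEM -> DER."""
    pem = to_pem(SAMPLE_DER)
    assert ssl.PEM_cert_to_DER_cert(pem) == SAMPLE_DER
    return pem


if __name__ == "__main__":
    # Usage: python convert.py root.cer issuing.cer > bundle.pem
    blobs = [open(path, "rb").read() for path in sys.argv[1:]]
    sys.stdout.write(build_bundle(blobs) if blobs else demo())
```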
I have it working pointing to the Meraki Local Auth and via NPS, the Local Auth method seems to take a long time to authenticate and I did have to reboot the AP to get it working. The lack of OCSP with Cloud PKI is a bit disappointing, only have CRL, which the Meraki Local Auth doesn't seem to support.