Replacing RADIUS for Wireless Security with Intune Suite Cloud PKI: A Certificate-Based Approach

Replacing a traditional RADIUS server for wireless access security with Microsoft Intune Suite’s Cloud PKI involves transitioning to a certificate-based authentication model using 802.1X and EAP-TLS. This approach leverages digital certificates managed by Cloud PKI as the primary method for verifying the identity of devices connecting to the wireless network, offering enhanced security and simplified management for Intune-managed endpoints.

Here’s a breakdown of how this works and the steps involved in setting it up, with citations from the search results:

How Cloud PKI Replaces RADIUS for Authentication

Traditionally, a RADIUS server acts as a central authority for authenticating and authorizing users and devices on a network, particularly for WPA2/WPA3-Enterprise Wi-Fi secured with 802.1X. The wireless access point (WAP) forwards authentication requests from connecting devices (supplicants) to the RADIUS server. The RADIUS server then validates the provided credentials, often against an identity store like Active Directory, before informing the WAP whether to grant or deny access [1, 5].

With Intune Cloud PKI, the authentication process shifts to validating digital certificates issued by the Cloud PKI. This typically utilizes the EAP-TLS protocol within the 802.1X framework [1, 3]. The flow is as follows:

1. Certificate Issuance: Intune, integrated with Cloud PKI, acts as a simplified certificate authority, issuing unique client authentication certificates to Intune-managed devices [7, 8, 9].
2. Trusted Root Deployment: The public certificates of the Cloud PKI’s root and issuing certificate authorities (CAs) are deployed to both the Intune-managed devices and the wireless infrastructure (WAPs or wireless controllers) [4, 7]. This ensures that both the connecting device and the network infrastructure trust certificates issued by your Cloud PKI.
3. Connection Attempt: When an Intune-managed device attempts to connect to a secure Wi-Fi network, the WAP initiates the 802.1X authentication process.
4. Certificate Presentation and Validation: The device presents its Intune Cloud PKI-issued client authentication certificate to the WAP. The WAP (or controller) validates this certificate by checking its validity period, its revocation status (often via a CRL Distribution Point provided by Cloud PKI), and verifying that it chains up to a trusted root CA installed on the wireless infrastructure [1, 4].
5. Access Decision: Based on the successful validation of the certificate, the wireless infrastructure grants the device access to the network. Authorization, such as assigning a VLAN, can be based on information within the certificate or managed through separate policies on the wireless infrastructure [1, 3].

In this model, the core authentication decision is made by the wireless infrastructure based on the trust and validity of the Cloud PKI-issued certificate, effectively bypassing the need for a separate RADIUS server to perform this specific authentication task for Intune-managed devices.

Setting Up Wireless Access Security with Intune Cloud PKI

Implementing this certificate-based wireless security requires configuration in both Microsoft Intune and your wireless access point or controller management interface.

Phase 1: Configure Intune Cloud PKI and Certificate Profiles

1. Enable and Configure Cloud PKI: Within the Microsoft Intune admin center, enable the Cloud PKI service. This involves setting up your certificate authority hierarchy, typically starting with a root CA and then configuring an issuing CA that will issue certificates to your devices [7, 8].
2. Create Trusted Certificate Profiles: Create Intune configuration profiles for each relevant operating system (Windows, macOS, iOS, Android) to deploy the public certificates of your Cloud PKI’s root and issuing CAs to your managed devices [4]. These profiles ensure devices trust certificates issued by your Cloud PKI.
3. Create SCEP or PKCS Certificate Profiles: Create SCEP or PKCS certificate profiles in Intune for your target operating systems [3, 4]. These profiles configure devices to request client authentication certificates from your Cloud PKI’s issuing CA. You’ll define settings such as the certificate type (device or user), key usage (must include ‘Client Authentication’), key size, and the SCEP or PKCS endpoint URL provided by Cloud PKI [3, 4].
4. Assign Certificate Profiles: Assign the created trusted certificate and SCEP/PKCS certificate profiles to the appropriate Azure AD user or device groups that will need access to the secure wireless network [3, 4].

Phase 2: Configure Your Wireless Infrastructure

Configuration steps will vary based on your specific WAPs or wireless controller, but the general requirements are:

1. Configure SSID: Set up your wireless network SSID to use WPA2-Enterprise or WPA3-Enterprise security [2, 5].
2. Enable 802.1X and EAP-TLS: Configure the SSID to use 802.1X authentication and select EAP-TLS as the EAP method [1, 2, 3].
3. Install Trusted CA Certificates: Import the public certificates of your Intune Cloud PKI’s root and issuing CAs into the trusted certificate store of your wireless access points or controller. This is crucial for the wireless infrastructure to validate the certificates presented by connecting devices [2].
4. Configure Certificate Validation: Configure the wireless infrastructure to perform certificate validation during the 802.1X process. This includes enabling checks for certificate chain trust, validity periods, and certificate revocation using the CRL Distribution Point URL provided by your Cloud PKI [1].

Phase 3: Configure Wi-Fi Profiles in Intune

1. Create Wi-Fi Profile: In Intune, create a Wi-Fi configuration profile targeting the relevant operating systems [3, 4].
2. Configure Enterprise Settings: Configure the profile to connect to your WPA2/WPA3-Enterprise SSID [3, 4].
3. Select EAP-TLS: Choose EAP-TLS as the authentication method within the Wi-Fi profile [3, 4].
4. Associate Certificate: Configure the profile to use the client authentication certificate deployed via the SCEP or PKCS profile for authentication. You will typically reference the trusted certificate profile that deploys your Cloud PKI’s issuing CA certificate [3, 4].
5. Assign Wi-Fi Profile: Assign the Wi-Fi profile to the same Azure AD groups used for assigning the certificate profiles [3, 4].

By following these steps, you can leverage Intune Suite’s Cloud PKI to issue and manage the certificates required for secure, certificate-based wireless authentication for your Intune-managed devices, thereby replacing the authentication role traditionally performed by a RADIUS server.

References:

[1] Portnox. How Does 802.1X EAP TLS work? Portnox Cybersecurity 101. Retrieved from https://www.portnox.com/cybersecurity-101/8021x-eap-tls/

[2] Cisco Meraki Documentation. Configuring RADIUS Authentication with WPA2-Enterprise. Retrieved from https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise

[3] Keytos. How to Enable WiFi Certificate Authentication in Intune. Retrieved from https://www.keytos.io/docs/cloud-radius/setup-radius-in-mdm/intune/how-to-enable-wifi-certificate-authentication/

[4] Microsoft Learn. Use SCEP certificate profiles with Microsoft Intune. Retrieved from https://learn.microsoft.com/en-us/intune/intune-service/protect/certificates-profile-scep

[5] SecureW2. What is 802.1X? How Does it Work? SecureW2 Solutions. Retrieved from https://www.securew2.com/solutions/802-1x

[6] Ping Identity. Radius Authentication – How it Works. Ping Identity Blog. Retrieved from https://www.pingidentity.com/en/resources/blog/post/radius-authentication.html

[7] Microsoft Security. Microsoft Cloud PKI—Certificate Management. Retrieved from https://www.microsoft.com/en-us/security/business/endpoint-management/microsoft-cloud-pki

[8] Microsoft Learn. Overview of Microsoft Cloud PKI for Microsoft Intune. Retrieved from https://learn.microsoft.com/en-us/mem/intune-service/protect/microsoft-cloud-pki-overview

[9] Interlink Cloud Advisors. How Microsoft Intune Suite’s Cloud PKI and Enterprise App Management are Game Changers for Endpoint Management. Interlink Cloud Advisors Blog. Retrieved from https://www.interlink.com/blog/how-microsoft-intune-suites-cloud-pki-and-enterprise-app-management-are-game-changers-for-endpoint-management/