I'm facing a challenge getting our Windows 11 devices, which will be purely Intune-joined and not hybrid joined, to authenticate to Wi-Fi using NPS and EAP-TLS. Currently, our Windows 10 domain-joined machines have no issues connecting through a specific NPS policy for wireless authentication. For our upcoming Windows 11 machines, we need them to be able to connect to Wi-Fi using device certificates before any users log in. I've set up the necessary machine certificates and deployed the Wi-Fi profile via Intune, but I'm running into problems with NPS returning an error regarding user credentials mismatch. Despite adding strong mapping for the certificate, the authentication still fails. Has anyone successfully set this up with Intune-only devices? I'm looking for solutions, as changing to another RADIUS provider isn't an option for us, and we want to avoid PSK solutions.
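As an added example (not from the original poster or any answer in the thread), the PowerShell below inspects the machine certificates in the local computer store for the strong-mapping data that NPS looks for once KB5014754 enforcement is on. It assumes it is run elevated on the Windows 11 device; the OID 1.3.6.1.4.1.311.25.2 is the Microsoft NTDS CA Security extension that carries the AD object SID when an AD CS template stamps it. An Entra-joined-only device typically has no AD computer object, so that SID is usually absent, which is consistent with the credential-mismatch error the question describes. The function names and the `Cert:\LocalMachine\My` default are the example's own choices.

```powershell
# Added example: report strong-mapping indicators on locally installed machine certs.
# Assumes: elevated session on the Windows 11 device; AD CS template with the SID extension.

$SidExtensionOid = '1.3.6.1.4.1.311.25.2'   # szOID_NTDS_CA_SECURITY_EXT (Microsoft-defined)

function Get-ReversedSerial {
    param([Parameter(Mandatory)][string]$SerialHex)
    # The <SR> field of an altSecurityIdentities X509 mapping uses the serial in reversed byte order.
    $pairs = @([regex]::Matches($SerialHex, '..') | ForEach-Object { $_.Value })
    [array]::Reverse($pairs)
    return ($pairs -join '')
}

function Test-MachineCertStrongMapping {
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # default is this example's assumption
    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert   = $_
        $sidExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SidExtensionOid }
        $sid    = $null
        if ($sidExt) {
            # The extension embeds the SID as a printable string; a regex over the raw bytes
            # is sufficient for a report (full ASN.1 decoding is not needed here).
            $text = [System.Text.Encoding]::ASCII.GetString($sidExt.RawData)
            if ($text -match 'S-1-5-[0-9-]+') { $sid = $Matches[0] }
        }
        [pscustomobject]@{
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            NotAfter        = $cert.NotAfter
            HasSidExtension = [bool]$sidExt
            EmbeddedSid     = $sid
            # If mapping explicitly via altSecurityIdentities instead, the strong form is
            # X509:<I>issuer-in-reversed-RDN-order<SR>reversed-serial; this is the <SR> part.
            ReversedSerial  = Get-ReversedSerial -SerialHex $cert.SerialNumber
        }
    }
}

Test-MachineCertStrongMapping | Format-List
```

A certificate that shows `HasSidExtension = False` and no `EmbeddedSid` has nothing for NPS to strongly map to an AD account; that is the case to expect on a cloud-only device, and it narrows the problem to identity mapping rather than to the Wi-Fi profile or the EAP-TLS handshake itself.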
3 Answers
Since Microsoft has enforced strong mapping, that's made things tricky for many. One workaround I found effective was key rotation with SSID changes. For instance, create SSID1 with a long key pushed via Intune, change to SSID2 for a new key when you want to rotate. Alternatively, I've started using FreeRADIUS trusted with my AD CA along with the Intune connector for certificates, which has helped a lot.
We had a similar struggle, but we switched to SCEPman and used RADIUS as a service. With the E5 licensing updates, you might find it easier to revert to Microsoft's offerings in the future. Just be aware that it's a common issue for many in the community. You can find some insights here: [Intune and RADIUS Discussion](https://www.reddit.com/r/Intune/comments/1m3v7s9/aadj_and_radius/)
I feel you on wanting to stick with NPS, but those comments might suggest it's not going to work. Hang in there!
Now that Cloud PKI is available for free with E5, it might help simplify things, but remember it can't issue Server Auth OIDs, so relying on RADIUS will likely still be needed.
I’m not sure how your ISE is set up, but using both computer and user certificates could help. The connection seems stable for shared PCs once a user logs in, so the saved settings keep the Wi-Fi from dropping upon logout. It may require specific setups for kiosk PCs or guest accounts, so that’s worth exploring.

Thanks for the suggestion! I think key rotation might be the route we have to go.