Advice Needed for Wireless Authentication and Cloud PKI

Asked By TechieNinja42 On

Hey everyone! I'm currently working with my manager on implementing a passwordless system across the company that will use Windows Hello for Business and Passkeys with Conditional Access Policies. We're making great progress with hybrid and Azure/Entra joined devices, and users are loving it. The last hurdle we face is Wireless Authentication, as we're stuck with WPA-Enterprise, which still asks users for their passwords. Right now, we're bypassing this by using a dedicated Active Directory user for connecting passwordless devices.

After looking into solutions, I'm convinced we should go with certificate-based authentication. My manager suggested setting up ADCS in-house, but I'm not sure if that's the right call. I have serious concerns about the overhead and skillset needed to manage a PKI, plus the potential security risks involved. Since we're aiming for a full cloud environment, ADCS just seems like a regression.

Instead, I'm considering Cloud PKI solutions like Intune PKI or SCEPman, with a preference for SCEPman due to cost and easier integration with Intune. This option could allow my tech team to manage it without being at the mercy of a traditional PKI.

I'm looking to make a solid case for Cloud PKI to my manager and would really appreciate any advice or perspectives on why I should stick with Cloud PKI and potentially steer clear of setting up ADCS. We're using Intune for MDM and Cisco ISE for RADIUS authentication. Thanks in advance!

5 Answers

Answered By SecuritySavvy77 On

Setting up your own PKI isn’t too complex, and if you take the right precautions, it can be pretty secure! It could also be a learning experience that helps you understand the underlying mechanics, not just the cloud clicks.

Answered By CloudWizard88 On

I’ve been through this too, and we just implemented SCEPman. It’s super easy to set up and works like a charm! I’d definitely recommend trying the trial. Their documentation is top-notch, which makes the Intune integration a breeze.

Answered By NetGuruX On

SCEPman is definitely a good fit for your needs! Out of curiosity, are you using RDP connections? We’ve managed to implement single sign-on with Remote Guard, but the lack of composite authentication is a bit of a letdown.

Answered By RADIUSmaster69 On

You might actually leverage your Cisco ISE as the authentication source for Wi-Fi and avoid the hassle of managing your own PKI and RADIUS setup altogether. What kind of wireless access points are you using? If you have Meraki, their documentation has some solid guidance on configuring RADIUS Authentication with WPA2-Enterprise.

Answered By CloudSecFan On

Completely agree with using SCEPman along with RADIUSaaS. If you're in an Entra-only setup, NPS with AD might not support computer-based certificates, which makes user-based certs a not-so-great experience for wireless.
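An added example, not part of any answer in this thread: the distinction CloudSecFan draws between computer-based and user-based certificates is easy to verify on an enrolled Windows device before troubleshooting ISE. The PowerShell below audits the machine store for a certificate that would actually work for EAP-TLS (present in LocalMachine\My rather than CurrentUser\My, private key available, Client Authentication EKU, not expired, chain validates). The issuing CA name is a placeholder to replace with your own; the store path and the EKU OID 1.3.6.1.5.5.7.3.2 are the standard Windows and X.509 values.

```powershell
# Added example (not from the thread): audit the local machine certificate store for a
# device certificate usable for EAP-TLS (WPA2/WPA3-Enterprise) on an Intune-managed Windows device.
# Assumptions: the SCEP profile targets the device (LocalMachine\My) store, and the RADIUS
# server requires the Client Authentication EKU. $IssuerFilter is a placeholder for your issuing CA.

$IssuerFilter  = 'CN=PLACEHOLDER-Device-Issuing-CA'   # replace with the subject of your issuing CA
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'                   # id-kp-clientAuth

$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$IssuerFilter*" }

if (-not $candidates) {
    Write-Warning "No certificate from '$IssuerFilter' found in LocalMachine\My."
    # A cert from the same issuer in the user store means the profile issued a user cert, not a device cert.
    $userCerts = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -like "*$IssuerFilter*" }
    if ($userCerts) {
        Write-Warning "Found $($userCerts.Count) matching cert(s) in CurrentUser\My: the SCEP profile is issuing user certificates."
    }
    return
}

foreach ($cert in $candidates) {
    $ekus          = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
    $hasClientAuth = $ekus -contains $ClientAuthOid
    $hasKey        = $cert.HasPrivateKey
    $notExpired    = $cert.NotAfter -gt (Get-Date)
    $chainOk       = $cert.Verify()   # builds and validates the chain against the machine trust store

    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        HasPrivateKey   = $hasKey
        ClientAuthEKU   = $hasClientAuth
        ChainValid      = $chainOk
        UsableForEAPTLS = ($hasKey -and $hasClientAuth -and $notExpired -and $chainOk)
    }
}
```

Run it in an elevated session on a device that has received the SCEP profile. A row with UsableForEAPTLS = False tells you which precondition failed; ChainValid = False usually means the issuing or root CA has not been pushed to the device's trusted store, which is the same failure the RADIUS server will report during the TLS handshake.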
