Foxpass RADIUS with Microsoft Intune PKI

For integrating MSPKI with Foxpass RADIUS, you’ll need a Wi-Fi Access Point supporting WPA-Enterprise, a RADIUS server for authentication, and a Certificate Authority (CA) like MSPKI to issue client certificates. The RADIUS server validates authentication requests against the CA's criteria, checking certificate validity through expiry dates and Certificate Revocation Lists (CRL), since MSPKI currently doesn’t support OCSP. The setup involves configuring these components for secure, certificate-based Wi-Fi access.

Create Root CA

• Go to Tenant Administration in Intune > Cloud PKI > Click 'Create'.

• Give a name to Microsoft PKI and click 'Next'.

• CA type: Root CA
• Validity Period: 10 years
• Extended Key Usages: Server auth (1.3.6.1.5.5.7.3.1) and Client auth (1.3.6.1.5.5.7.3.2)

• Subject attributes: CN - 'Your Microsoft Cloud Root CA name'
• Key size and algorithm: RSA-4096 and SHA-512
• Click 'Next'

• For Scope tags, default is selected automatically. Click 'Next'

• For 'Review +create', click 'Create'. The final root CA will look like below:

• Copy the CRL distribution point and make a note. This will be used and added in Foxpass while uploading client CA.
• Click 'Download' to download the root CA.

Create Issuing CA

• Click on 'Create' under Cloud PKI.
• Give a name and click 'Next'

• CA type: Issuing CA
• Root CA source: Intune
• Root CA: Select the Root CA created earlier.
• Validity period: 6 years
• Extended Key Usages: Client auth (1.3.6.1.5.5.7.3.2)

• Subject attributes: Your Microsoft Cloud Issuing CA name'. Click 'Next'

• For Scope tags, default is selected automatically. Click 'Next'

• For 'Review +create', click 'Create'. The final issuing CA will look like below:

• Now you can see both CA's in Intune.

• The final issuing CA will look like below:

• Copy the CRL distribution point and make a note. This will be used and added in Foxpass while uploading client CA.
• Copy the SCEP URI and make a note. This will be used later while configuring SCEP profile.
• Click ' Download' to download the issuing CA.

Upload CA's to Foxpass

• Go to Foxpass EAP-TLS page and click on 'Upload Client CA' button.
• Upload the Root CA downloaded earlier. Paste the CRL URL which was previously noted.

• Click on 'Upload Client CA' button again.
• Upload the Issuing CA downloaded earlier. Paste the CRL URL which was previously noted.

Create Configuration Profiles

Create Trusted certificate profile for Root CA

• Go to the Configuration Profiles in Intune.
• Click on 'Create' > 'New Policy'.
• Platform: Windows 8.1 and later and Profile Type: Trusted certificate.
• Click 'Create'.

• Give a name to your profile and click 'Next'.
• Upload the root CA which was downloaded in earlier step when Root CA was created.

• Destination store: Computer certificate store - Root
• Add users/ groups/ devices and choose assignment according to your use case.
• Review your settings and click 'Create'.

Create SCEP Profile

• Go to the Configuration Profiles in Intune.
• Click on 'Create' > 'New Policy'.
• Platform: Windows 8.1 and later and Profile Type: SCEP certificate.
• Click 'Create'.

• Give a name to your SCEP profile. Click 'Next'.

• Certificate type: User
• Subject name format: CN={{UserName}},E={{EmailAddress}}
• Subject alternative name: Attribute - Email address and Value - {{EmailAddress}}
• Certificate Validity Period - 1 year
• Key storage Provider: Enroll to Software KSP
• Key usage: Select both Digital Signature and Key encipherment
• Key size: 4096
• Hash algorithm: SHA-2
• Root certificate: Select Root certificate from the dropdown.

• Extended key usage: Select Client Authentication(1.3.6.1.5.5.7.3.2) from the dropdown of Predefined values
• Renewal threshold: 20
• SCEP Server URLs: Paste the SCEP URI noted earlier when Issuing CA was created. Reference screenshot below:
• Click 'Next' button.

• Add users/ groups/ devices and choose assignment according to your use case.

• Review your settings and click 'Create'.

Create profile for Foxpass Server CA

• Go to Foxpass EAP-TLS page.
• Download the active server CA by clicking 'Download CA' button which is located under 'Server Certificate Authorities'.

• Go to the Configuration Profiles in Intune.
• Click on 'Create' > 'New Policy'.
• Platform: Windows 8.1 and later and Profile Type: Trusted certificate.
• Click 'Create'.
• Create a new profile using the Trusted certificate template. Upload the Foxpass Server CA cert download earlier in the server profile.

Create Trusted certificate profile for Issuing CA

• Go to the Configuration Profiles in Intune.
• Click on 'Create' > 'New Policy'.
• Platform: Windows 8.1 and later and Profile Type: Trusted certificate.
• Click 'Create'.
• Give a name to your profile and click 'Next'.

• Upload client issuing CA downloaded previously when Issuing CA was created.
• Destination store: Computer certificate store - Root
• Click 'Next'
• Add users/ groups/ devices and choose assignment according to your use case.
• Review your settings and click 'Create'

Create Wi-Fi profile

• Go to the Configuration Profiles in Intune.
• Click on 'Create' > 'New Policy'.
• Platform: Windows 10 and later and Profile Type: Templates and choose Wi-Fi

• Click 'Create'.
• Give a name to your profile and click 'Next'.

• Wi-Fi type: Enterprise
• Wi-Fi name (SSID): 'Your SSID name'
• Connection name: 'Your SSID name'
• EAP type: EAP-TLS
• Root certificates for server validation: Upload the Foxpass server CA downloaded earlier.
• Authentication method: SCEP certificate
• Client certificate for client authentication (Identity certificate): Select MSPKI SCEP profile created earlier.

• Add users/ groups/ devices and choose assignment according to your use case.
• Review your profile and click 'Create'.

Connect to a Windows device

Test by enrolling a sample Windows 10 device: Open settings → Access work or school → Enroll device MDM → Enter your company email and proceed to login to Azure. This will kick off the enrollment process that takes a little while.

If all goes well, you will be able to connect to your configured SSID.