Intune-Windows

Configure EAP-TLS on Foxpass

Please follow the EAP-TLS initial setup guide to create client CA, server CA and SCEP endpoint if not configured already.

Configure Intune for Initial Setup

📘

If you are configuring SCEP certificates for both Windows and macOS, you only need to follow the initial setup documentation once

Please refer the Intune for Initial Setup documentation to configure Intune initially.

Create Configuration profiles

In the Endpoint manager, now go to devices → configuration profiles

1. Create a new profile for Windows 10 using the Trusted certificate template. Upload the Foxpass Client CA in the client profile.

2. Create a new profile for Windows 10 using the Trusted certificate template. Upload the Foxpass Server CA cert in the server profile.

3. Create another new profile for Windows 10 using the SCEP certificate template . You can create a profile with either the "User" or "Device" certificate type, depending on your specific use case and requirements.

Option 1: Certificate type - User

For certificate type user, verify if the SCEP settings have been correctly configured in Foxpass.

🚧

You need to make sure that every user has an EmailAddress set in their Azure User Profile. If not, SCEP the profiles will not install.

• Name: Foxpass SCEP
• Certificate type: User
• Subject name format: CN={{UserName}},E={{EmailAddress}}
• Subject alternative name: Add 1 attribute:
  • Email address as {{EmailAddress}}
• Certificate Validity period: Years = 1
• Key storage provider: Enroll to software KSP
• Key usage: Digital Signature
• Key size: 4096
• Hash algorithm: SHA2
• Root certificate: Select cert from Foxpass Client CA from first item in this section
• Extended key usage:
• Add both
  • Any Purpose (2.5.29.37.0)* (optional)
  • Client Authentication (1.3.6.1.5.5.7.3.2)*
• Renewal threshold (%): 10
• SCEP server URL: Foxpass SCEP endpoint from the SCEP page

Option 2: Certificate type - Device

For certificate type device, verify if the SCEP settings have been correctly configured in Foxpass.

To configure the Device certificate type, you have two options: either Sync devices from Azure on the Devices page, or select 'None' for the verification type when creating an SCEP endpoint on the SCEP page.

• Name: Foxpass SCEP
• Certificate type: Device
• CN={{AAD_Device_ID}}
• Subject Alternative Name: Leave it empty.
• Certificate Validity period: Years = 1
• Key storage provider: Enroll to software KSP
• Key usage: Digital Signature
• Key size: 4096
• Hash algorithm: SHA2
• Root certificate: Select cert from Foxpass Client CA from first item in this section
• Extended key usage:
• Add both
  • Any Purpose (2.5.29.37.0)* (optional)
  • Client Authentication (1.3.6.1.5.5.7.3.2)*
• Renewal threshold (%): 10
• SCEP server URL: Foxpass SCEP endpoint from the SCEP page

4. Create a new Wi-Fi profile with these settings:

• Wi-Fi name: Foxpass
• Connection name: (Your SSID)
• Connect automatically: (your choice)
• Hidden network: Disable
• Authentication Mode: Select User for a user certificate and Machine for a device certificate.
• Proxy settings: None
• EAP-Type: EAP-TLS
• Root certificates for server validation: (Choose Foxpass Server CA uploaded previously in this step)
• Certificates: Foxpass SCEP

Now, test

Test by enrolling a sample Windows 10 device: Open settings → Access work or school → Enroll device MDM → Enter your company email and proceed to login to Azure. This will kick off the enrollment process that takes a little while.

If all goes well, you will now be able to see your device enrolled in Intune and the Foxpass Console's EAP-TLS.

You can see Foxpass Client CA and Server CA in "Certificates" under "Trusted Root Certificate Authorities" on your Windows machine.

You can view your Client certificate in "Certificates" under "Personal" category.

You can also see successful/unsuccessful logs on the RADIUS logs page.

Still having problems?

See https://github.com/MicrosoftDocs/SupportArticles-docs/blob/main/support/mem/intune/device-configuration/troubleshoot-wi-fi-profiles.md