Intune SCEP Wifi Profile wiht Radius NPS

Zachery Minton 1 Reputation point
2021-09-10T13:44:09.727+00:00

I followed this guide to get SCEP and NDES working

I am trying to Push A working WIFI Profile to Mobile Devices using NPS as the radius Server and I cannot figure out where the issue is.

in Intune I push out the Root CA, a User Certificate with the subject name of CN={<!-- -->{UserPrincipalName}} and then I push out a WIFI EAP-TLS Profile using the Above Certificate

Everything will deploy to the Devices they will get the Root CA, Request a Certificate, and deploy the Wi-Fi profile but when they attempt to connect it fails the Error Message I am getting on the NPS logs is:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:

Security ID: Domain\<UserName>

Account Name: <User UPN>

Account Domain: Domain

Fully Qualified Account Name: DOMAIN\<UserName>

Reason code 16

Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect

On my PC if I do a cert request and use the template that Intune uses I can use that Cert on my PC and it will connect if i export it and manually make the wifi profile on my phone using the requested certificate it will work. it just seems when Intune requests the certificate it doesn't work

Has anyone got this to successfully work with Intune I've been pulling my hair out all week trying to get this working I don't want to do Device Certificates as from what I know I have to make dummy computer accounts in AD for each mobile device and even when I tried that I could not get them to connect either.

My understanding is if the User Certificate SCEP template was using the subject CN={<!-- -->{UserPrincipalName}} it would map to the AD user but this doesn't seem to be the case it doesn't map as when I check the user account in ad for Published certificates its not there they are under the NDES Service account Published Certificates and even then if i export and add it to the user in question and also do a name mapping with that certificate i still get reason code 16

Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,301 questions
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Crystal-MSFT 42,631 Reputation points Microsoft Vendor
    2021-09-13T02:04:22.207+00:00

    @Zachery Minton , For the error message, it seems there's mismatch when doing authentication. I notice we use user certificate. When we request it manually it is working. But it is not working when request from Intune.

    I wonder if our issue is with the certificate subject name. Could you check on one working certificate and one not working certificate to see if the subject is the same?

    For the "CN={{UserPrincipalName}}", based on my understanding, it will use the user principal name of the AAD account. For on premise user, I find there are two Subject name format related. one is CN={{OnPrem_Distinguished_Name}} and the other is CN={{OnPremisesSamAccountName}}.Here is a link for the reference:
    https://learn.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep#create-a-scep-certificate-profile

    If our issue is that the subject name in the two user certificates are not the same, maybe we can consider to change the NPS to authentication the certificate like samaccountname or distinguished name.

    Hope it can help.

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments
  2. Zachery Minton 1 Reputation point
    2021-09-13T16:26:33.373+00:00

    I changed the SCEP Certificate Profile to use CN={{OnPremisesSamAccountName}} and removed the WIFI profile and certificates from the android device and let it sent and push back a certificate was requested and sent to the device and it still results with the same error

    If on my domain PC I generate I request a Certificate with the Same info that was sent for the Intune Device it will work using that certificate

    The Intune Created Certificate and the PC Requested Certificate have the exact same Subject name and Subject Alterative name.

  3. Zachery Minton 1 Reputation point
    2021-09-15T16:42:32.14+00:00

    In the Image Below is from a Android Personal Wifi Profile this Option is missing under Full managed, Corporate Owned Wifi Profile in Intune

    132473-screenshot-2021-09-15-124106.png