This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
We have been having issues with the Intune Wifi Profile that is unable to connect to our corporate wireless network. We have created a Trusted Root and PKCS cert from our CA. EAP-TLS certificate authentication. All profiles successfully deploy to our iOS BYOD devices. I can see the issued cert in our CA logs and the profiles on the iOS devices. When it comes time for the device to auto join the corporate network, the iOS devices are unable to join the network. It will make several attempts but it never connects.
We tested the PKCS cert and made sure all settings followed the Microsoft KB article. I removed the Wifi profile from the devices. Selected the company SSID and chose the EAP-TLS option > the identity cert that was pushed from Intune > then was able to join the network without an issue. We ruled out the cert being an issue since our Cisco ISE APs accepted the user cert for authentication.
For some odd reason, when we deploy the wifi profile via intune, it cant join. The parameters of the wifi profile are correct.
Has anyone run into issues with Intune Wifi profiles and Cisco ISE APs?
@M360 , From your description, it seems when we manually connect the WIFI with the certificate deployed via Intune. It is working. But when we deploy the WIFI profile, it failed. If there's any misunderstanding, please let us know.
I notice we have Cisco ISE. Is it the one which mentioned in the following link? If so please ensure Integrate Cisco ISE MDM with Microsoft Intune is done.
https://community.cisco.com/t5/security-documents/how-to-integrate-cisco-ise-mdm-with-microsoft-intune/ta-p/4187375
Note: Non-Microsoft link, just for the reference.
On device side, it will make several attempts but not connect. Could you check on the network to see if the request have passed to WiFi server and what is the error we get?
If there's any update, feel free to let us know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hello,
I found the solution to this issue. In the WIFI Enterprise Intune Profile, I had to add not only the FQDN of the servers, but also the SHA1/SHA256 fingerprints of the CA server and Cisco ISE cert to the Certificate Server Names list. No spaces or colons for the fingerprints format. I dont see this documented anywhere but I'd highly recommend this to be added to a Microsoft KB article such as:
https://learn.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-wi-fi-profiles
or
https://learn.microsoft.com/en-us/mem/intune/protect/certificates-pfx-configure
Once the fingerprints were added to the WIFI profile and the devices checked into Intune, the devices auto joined the corporate network via EAP-TLS certificate based authentication (PKCS User cert).
I can confirm this worked for both Android and iOS BYOD enrollments.
This can save a lot of time for another user who runs into similar issues. Not even MS Intune Support had a solution for this issue.
@M360 , Thanks for the sharing the solution. I am glad to hear that the issue is resolved. To help other easy find the solution, please let me write a summary for the issue:
Issue description:
=====================
Intune iOS/Android WiFi Enterprise Profile Assigned But Unable to Connect to Wireless SSID via WiFi Profile. But When it connects manually, it works.
Resolution:
=====================
In the WIFI Enterprise Intune Profile, Add the FQDN of the servers , SHA1/SHA256 fingerprints of the CA server and Cisco ISE cert to the Certificate Server Names list. It works.
Meanwhile, I will try my best to feedback the information to see if we can add more information to make the document better understand
Thanks for your time and have a nice day!
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hello @M360 ,
I am having the same issue with iOS devices connecting to SSID with EAP-TLS authentication.
What we have is a global Root CA, with an intermediate CA and a NAC server using a dedicated certificate.
Should I had more to the Wi-Fi profile, such as Root CA URL or FQDN, Intermediate CA URL or FQDN, and/or fingerprints of those certificates ?
To cross test this, I created a second SSID to test the manual mode. Once all the right certificates are deployed onto iOS, the manual authentication using PKCS works perfectly. I am down to the actual Wi-Fi profile into Intune.
What worked for you ? Could you be a little more specific ?
Thanks in advance,
I am having the same issue when I deploy via Intune. It works fine when I connect on the iPad without first deploying the wifi configuration profile via Intune, but once I deploy the configuration it just fails to connect. I have tried to add the fingerprints and that didn't help. Do you have any more suggestions to check?
Hello @M360 ,
I am having the same issue with iOS devices connecting to SSID with EAP-TLS authentication.
What we have is a global Root CA, with an intermediate CA and a NAC server using a dedicated certificate.
Should I had more to the Wi-Fi profile, such as Root CA URL or FQDN, Intermediate CA URL or FQDN, and/or fingerprints of those certificates ?
To cross test this, I created a second SSID to test the manual mode. Once all the right certificates are deployed onto iOS, the manual authentication using PKCS works perfectly. I am down to the actual Wi-Fi profile into Intune.
What worked for you ? Could you be a little more specific ?
Thanks in advance,
Wow! I've been looking at this EXACT issue all week and you have saved me a load of troubleshooting time. Adding the SHA1/SHA2 fingerprints worked for me also. I have no idea why this would be needed though! Did you log this to MS support?
Wow! I've been looking at this EXACT issue all week and you have saved me a load of troubleshooting time. Adding the SHA1/SHA2 fingerprints worked for me also. I have no idea why this would be needed though! Did you log this to MS support?
Sign in to comment