When adding a new SSID:
Copy the settings from an existing SSID. Ensure that you upload the RootCA server certificate from CA02 to the Meraki SSID. Save the config profile and enable the SSID. Users added to the MerakiAuthenticationGroup will then be able to connect to the SSID.
IMPORTANT: Only 3 certificate profiles (two trusted certificates and the SCEP profile listed below) and a Wi-Fi profile need to be pushed from Intune. The RootCA server certificate (the CA that signs the device certificates) needs to be uploaded to the Meraki SSID.
The following Wi-Fi template is pushed to devices:
MerkaiSCEPWifiAuthenticationTemplate
The following 3 certificates are pushed to devices:
RootCA, MerakiIDENTrustROOT, WifiSCEPCert
Follow this and look to the rest of this documentation for more details:
Deploy SCEP Certificate Connector Intune - NielsKok.Tech
Enable service logon | Microsoft Learn - make sure to apply these permissions in addition to the IIS_IUSRS group and the local Administrators group for the service account.
Detailed Youtube Guide
S03E14 - Configuring NDES for SCEP Certificate Deployment (I.T)
S03E15 - Deploying SCEP certificates to Windows devices (I.T)
S04E06 - Network Access Control with Cisco ISE & Intune - (I.T)
Overview of the Solution
Certificate Authority (CA): Set up a local CA to issue SCEP certificates to devices.
Intune: Use Microsoft Intune and the Certificate Connector to manage devices and distribute SCEP certificates automatically.
Cisco Meraki: Configure the Meraki wireless infrastructure to require SCEP certificates for authentication.
Capabilities of the certificate connector
The Certificate Connector for Microsoft Intune supports:
PKCS #12 certificate requests.
PKCS imported certificates (PFX file) for S/MIME email encryption for a specific user.
Issuing Simple Certificate Enrollment Protocol (SCEP) certificates. When you use an Active Directory Certificate Services Certification Authority (CA), also called a Microsoft CA, you must also configure the Network Device Enrollment Service (NDES) on the server that hosts the connector.
Use of SCEP with a third-party Certification Authority doesn't require use of the Certificate Connector for Microsoft Intune.
Certificate revocation.
Automatic updates to new versions. When servers that host the certificate connector can access the internet, they automatically install new updates to stay current. When a connector fails to automatically update, you can manually update the connector.
Installation of up to 100 instances of the connector per Intune tenant, with each instance on a separate Windows Server. When you use multiple connectors:
Each instance of the connector must have access to the private key used to encrypt the passwords of each uploaded PFX file.
Each instance of the connector should be at the same version. Because the connector supports automatic updates to the newest version, updates can be managed for you by Intune.
Your infrastructure supports redundancy and load balancing, as any available connector instance that supports the same connector features can process your certificate requests.
You can configure a proxy to allow the connector to communicate with Intune.
Certificate Connector should not be installed on the same server as Intune Connector for Active Directory.
Overview of Solution
Set Up Certificate Authority (CA): Install and configure a local CA to issue SCEP certificates.
Configure SCEP: Set up a SCEP template and the Certificate Connector.
Distribute CA Certificate via Intune: Use Intune to distribute the CA certificate to devices.
Enroll SCEP Certificates Automatically: Use Intune to automatically enroll SCEP certificates.
Configure Cisco Meraki for EAP-TLS: Set up the Meraki wireless network to authenticate using SCEP certificates.
Test the Configuration: Ensure that devices can connect using the certificates.
General Prerequisites
Requirements for the computer where you install the connector software:
Windows Server 2012 R2 or later.
To support Simple Certificate Enrollment Protocol (SCEP) certificates, the Windows Server that hosts the connector must meet the following prerequisites in addition to the general prerequisites:
IIS 7 or higher
Network Device Enrollment Service (NDES) service, which is part of the Active Directory Certification Services role. The connector isn't supported on the same server as your issuing Certification Authority (CA). For more information, see Configure infrastructure to support SCEP with Intune.
Note
The Server installation must include the Desktop Experience and support use of a browser. For more information, see Install Server with Desktop Experience in the Windows Server 2016 documentation.
On the Windows Server, select to add the following Server Roles and Features:
Server Roles:
Active Directory Certificate Services
Web Server (IIS)
Features:
.NET Framework 4.7 Features
.NET Framework 4.7
ASP.NET 4.7
WCF Services
HTTP Activation
AD CS > Role Services:
Network Device Enrollment Service - For SCEP with a Microsoft CA, install and configure the Network Device Enrollment Service (NDES) role service. When you configure NDES, you need to assign a user account for use by the NDES application pool. NDES also has its own requirements.
Web Server Role (IIS) > Role Services:
Security
Request Filtering
Application Development
.NET Extensibility 4.7
ASP.NET 4.7
Management Tools
IIS Management Console
IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility
In addition, NDES requires the following .NET Framework 3.5 Features:
.NET Framework 3.5
HTTP Activation
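The following script is an added example for this runbook (not Microsoft's or the original author's) that installs the roles and features listed above with their Server Manager feature names, verifies nothing is missing before NDES is configured, and turns off Internet Explorer Enhanced Security Configuration, which is listed as a prerequisite further down. It assumes it is run elevated on the domain-joined NDES/connector server, not on the CA.

```powershell
# Added example: install and verify the NDES / Certificate Connector prerequisites.
# Run elevated on the connector server (not the issuing CA).

$features = @(
    'ADCS-Device-Enrollment',      # AD CS > Network Device Enrollment Service
    'Web-Server',                  # Web Server (IIS)
    'Web-Filtering',               # Security > Request Filtering
    'Web-Net-Ext45',               # Application Development > .NET Extensibility 4.x
    'Web-Asp-Net45',               # Application Development > ASP.NET 4.x
    'Web-Mgmt-Console',            # Management Tools > IIS Management Console
    'Web-Metabase',                # IIS 6 Management Compatibility > Metabase Compatibility
    'Web-WMI',                     # IIS 6 Management Compatibility > WMI Compatibility
    'NET-Framework-45-Features',   # .NET Framework 4.x Features
    'NET-Framework-45-ASPNET',     # ASP.NET 4.x
    'NET-WCF-HTTP-Activation45',   # WCF Services > HTTP Activation
    'NET-Framework-Core',          # .NET Framework 3.5 (may need -Source on offline servers)
    'NET-HTTP-Activation'          # .NET Framework 3.5 > HTTP Activation
)

Import-Module ServerManager

# Install only what is missing, so the script is safe to re-run.
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Host "Installing: $($missing.Name -join ', ')"
    $result = Install-WindowsFeature -Name $missing.Name -IncludeManagementTools
    if (-not $result.Success) { throw "Feature installation failed: $($result.ExitCode)" }
    if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'Reboot required before configuring NDES.' }
}

# Verify; NDES configuration fails in unhelpful ways if any of these is absent.
$still = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($still) { throw "Still missing: $($still.Name -join ', ')" }
Write-Host 'All NDES/connector prerequisites are installed.'

# Disable IE Enhanced Security Configuration (a prerequisite below) so the
# connector's sign-in browser window works. These are the standard IE ESC
# Active Setup component keys (A7 = Administrators, A8 = Users).
$escKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}',
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
)
foreach ($key in $escKeys) {
    if (Test-Path $key) { Set-ItemProperty -Path $key -Name IsInstalled -Value 0 -Type DWord }
}
Write-Host 'IE Enhanced Security Configuration disabled for Administrators and Users.'
```

Install the features before installing the connector; the runbook's later "uninstall and reinstall the connector" step exists because the connector was installed first.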
Requirements for SCEP certificate templates:
Certificate templates you use for SCEP requests must be configured with permissions that allow the Certificate Connector service account to auto enroll the certificate.
The certificate templates must be added to the CA.
Transport Layer Security (TLS) 1.2. For more information, see Enable support for TLS 1.2 in your environment in the Microsoft Entra documentation.
PowerShell script to enable TLS 1.2
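The script below is an added example written for this page (not the script the original author used). It enables TLS 1.2 for SCHANNEL (server and client side) and tells the .NET Framework, which the connector service runs on, to follow the OS defaults and use strong crypto for both the 64-bit and 32-bit runtimes, then reads every value back to verify. Run it elevated on the connector server; SCHANNEL changes take effect after a reboot.

```powershell
# Added example: enable TLS 1.2 for SCHANNEL and .NET Framework, then verify.
# Run elevated on the Certificate Connector server. Reboot afterwards.

$protoRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',              # 64-bit runtime
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'   # 32-bit runtime
)

# SCHANNEL: TLS 1.2 must be Enabled=1 and DisabledByDefault=0 on both sides.
foreach ($side in 'Server', 'Client') {
    $key = Join-Path $protoRoot "TLS 1.2\$side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name Enabled           -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name DisabledByDefault -Value 0 -Type DWord
}

# .NET Framework: without these, a .NET 4.x service may still offer TLS 1.0.
foreach ($key in $netKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name SystemDefaultTlsVersions -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name SchUseStrongCrypto       -Value 1 -Type DWord
}

# Verification: read the values back rather than trusting the writes.
function Test-Tls12Enabled {
    foreach ($side in 'Server', 'Client') {
        $p = Get-ItemProperty -Path (Join-Path $protoRoot "TLS 1.2\$side")
        if ($p.Enabled -ne 1 -or $p.DisabledByDefault -ne 0) { return $false }
    }
    foreach ($key in $netKeys) {
        $p = Get-ItemProperty -Path $key
        if ($p.SystemDefaultTlsVersions -ne 1 -or $p.SchUseStrongCrypto -ne 1) { return $false }
    }
    return $true
}

if (Test-Tls12Enabled) {
    Write-Host 'TLS 1.2 is enabled for SCHANNEL and .NET Framework; reboot to apply.'
} else {
    throw 'TLS 1.2 registry state is inconsistent; inspect the keys above.'
}
```

The script only enables TLS 1.2; it does not disable TLS 1.0/1.1, which is a separate hardening decision that should be tested against the CA, IIS and the connector before it is applied.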
The server must meet the same network requirements as managed devices. See Network endpoints for Microsoft Intune, and Intune network configuration requirements and bandwidth.
To support automatic updates of the connector software, the server must have access to the Azure update service:
Port: 443
Endpoint: autoupdate.msappproxy.net
Internet Explorer Enhanced Security Configuration must be deactivated.
On the Certificate Connector server, grant the service account the Log on as a service right.
Certificate connector service account
The certificate connector requires an account to use as a service account. This account is used by the connector to access the Windows Server, communicate with Intune, and access the Certification Authority to service PKI requests.
The connector service account must have the following permissions:
Issue and Manage Certificates permission on the Certification Authority (required only for revocation scenarios).
To grant CA permissions: in the Certification Authority MMC snap-in, right-click the CA name and select Properties. On the Security tab, add the service account (or its group) and grant Read, Request Certificates and Issue and Manage Certificates. (Log on as a service is a user right assigned on the connector server, not a CA permission; see the service logon step above.)
Read and Enroll permissions on any certificate template that you use to issue certificates.
Permissions to the Key Storage Provider (KSP) that’s used by PFX Import. See Import PFX Certificates to Intune.
The following options are supported for use as the certificate connector service account:
SYSTEM
Domain user - Use any domain user account that is an administrator on the Windows Server.
Step-by-Step Implementation Guide
Step 1: Set Up Certificate Authority
Install AD Certificate Services:
Open Server Manager.
Add the Active Directory Certificate Services role.
Choose Certification Authority during the setup.
Configure CA:
After installation, configure the CA as an Enterprise CA with default settings.
Step 2: Configure SCEP and Certificate Connector
Create SCEP Certificate Template:
Open Certificate Templates console (certtmpl.msc).
Duplicate the “User” template (or another suitable template).
Name it (e.g., "Intune SCEP Certificate").
In the Security tab, add the connector service account with Read and Enroll permissions.
In the Subject Name tab, choose “Supply in the request.”
Publish the SCEP Template:
Open the Certificate Authority console.
Right-click on Certificate Templates and select “New” > “Certificate Template to Issue.”
Select your new SCEP certificate template and click OK.
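As an added example (not part of the original runbook), the script below does the publish step from PowerShell on the CA and then reads the template back from Active Directory to check the two settings SCEP enrollment depends on: the subject must be supplied in the request, and the validity period must be at least as long as the one the Intune SCEP profile asks for. The template name is an assumption; it needs the ADCSAdministration module (present on the CA) and the ActiveDirectory module (RSAT).

```powershell
# Added example: publish the SCEP template on the CA and verify its settings from AD.
# Run on the CA as a CA administrator with RSAT-AD-PowerShell installed.

$TemplateName = 'IntuneSCEPCertificate'    # assumed name of the duplicated template

Import-Module ADCSAdministration
Import-Module ActiveDirectory

# 1. Publish (same as Certificate Templates > New > Certificate Template to Issue).
if (-not (Get-CATemplate | Where-Object Name -eq $TemplateName)) {
    Add-CATemplate -Name $TemplateName -Force
}

# 2. Read the template object from the configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
        -Filter "cn -eq '$TemplateName'" `
        -Properties 'msPKI-Certificate-Name-Flag', 'pKIExpirationPeriod', 'pKIExtendedKeyUsage'
if (-not $tpl) { throw "Template '$TemplateName' not found in AD" }

# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1) == "Supply in the request". NDES needs it.
$suppliesSubject = ($tpl.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0

# pKIExpirationPeriod is a negative 64-bit count of 100-nanosecond intervals.
$ticks = [BitConverter]::ToInt64($tpl.pKIExpirationPeriod, 0)
$validityDays = [math]::Round((-$ticks) / 10000000 / 86400, 2)

[pscustomobject]@{
    Template        = $TemplateName
    Published       = [bool](Get-CATemplate | Where-Object Name -eq $TemplateName)
    SuppliesSubject = $suppliesSubject
    ValidityDays    = $validityDays
    ClientAuthEKU   = [bool]($tpl.pKIExtendedKeyUsage -contains '1.3.6.1.5.5.7.3.2')
}

if (-not $suppliesSubject) {
    Write-Warning 'Subject Name is not "Supply in the request"; NDES cannot set the device subject.'
}
```

ValidityDays is the ceiling for what the Intune SCEP profile can request: a profile asking for more than the template allows is silently issued the template's period.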
Install the Certificate Connector on a server separate from the CA:
Download the Microsoft Intune Certificate Connector from the Microsoft site.
Install it on a Windows server in your environment, ensuring it can communicate with your CA and Intune.
Add the roles and features required by the Certificate Connector (see General Prerequisites).
If the roles and features were added after the connector was installed, uninstall and reinstall the Certificate Connector.
Configure the Certificate Connector:
Add the service account to the local IIS_IUSRS group (Computer Management > Local Users and Groups) on both servers.
Assign the Log on as a service right to the service account on both servers: in the Group Policy editor, Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a service.
Ensure that the Certificate Connector server is targeting the Root CA server. You can check this in the Certification Authority MMC by retargeting the snap-in to the CA.
Open the Certificate Connector configuration tool.
Sign in with your Intune admin account.
In the connector wizard, select the SCEP feature (and Certificate revocation if used) and complete the setup. The CA and the published SCEP template are bound in the NDES configuration on this server, not in the connector itself.
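This added example (not the runbook's own script) automates the two service-account steps above and the Log on as a service prerequisite: it puts the account into the local IIS_IUSRS group and grants SeServiceLogonRight, for which there is no cmdlet, by exporting the local security policy with secedit, appending the account's SID and re-importing it, then re-exports to verify. The account name is an assumption; run it elevated on each server that needs it.

```powershell
# Added example: grant the connector service account IIS_IUSRS membership and
# the "Log on as a service" right, then verify. Run elevated on each server.

$ServiceAccount = 'CONTOSO\svc-intune-ndes'   # assumed account name; substitute yours

# 1. Local IIS_IUSRS membership (idempotent).
$members = Get-LocalGroupMember -Group 'IIS_IUSRS' -ErrorAction SilentlyContinue
if (-not ($members | Where-Object Name -eq $ServiceAccount)) {
    Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $ServiceAccount
}

# 2. Log on as a service (SeServiceLogonRight) via secedit export / edit / import.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate([System.Security.Principal.SecurityIdentifier]).Value

$tmp    = Join-Path $env:TEMP 'svclogon'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
$export = Join-Path $tmp 'current.inf'
$import = Join-Path $tmp 'grant.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null

$line    = Get-Content $export | Where-Object { $_ -like 'SeServiceLogonRight*' }
$current = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }

if ($current -notmatch [regex]::Escape("*$sid")) {
    # Keep every existing holder of the right and append ours as *SID.
    $new = if ($current) { "$current,*$sid" } else { "*$sid" }
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $new
"@ | Set-Content -Path $import -Encoding Unicode
    secedit /configure /db (Join-Path $tmp 'grant.sdb') /cfg $import /areas USER_RIGHTS | Out-Null
}

# 3. Verify by re-exporting; the SID must now appear in SeServiceLogonRight.
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$verify = Get-Content $export | Where-Object { $_ -like 'SeServiceLogonRight*' }
if ($verify -match [regex]::Escape("*$sid")) {
    Write-Host "$ServiceAccount is in IIS_IUSRS and can log on as a service."
} else {
    throw "SeServiceLogonRight was not granted to $ServiceAccount"
}
```

If a domain GPO also defines Log on as a service, the domain setting overwrites the local one at the next refresh, so add the account there instead of (or as well as) locally.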
Step 3: Distribute CA Certificate via Intune
Export CA Certificate:
Export the Root CA certificate from the CA server using the Certificates MMC (certmgr.msc); it can also be exported from the Certification Authority console via CA Properties > General > View Certificate > Details > Copy to File.
To identify the root certificate, check that the Issuer and Subject fields are equal (a root is self-signed).
Right-click > All Tasks > Export > choose a file location and save as .cer.
Import CA Certificate in Intune:
In the Intune Admin Center, navigate to Devices > Configuration > Policies > Trusted Certificate
Import the CA certificate and create the Trusted Certificate.
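The following is an added example (not the original author's procedure) that does the export from PowerShell with certutil instead of the MMC, then applies the runbook's root test (Issuer equals Subject) and confirms the certificate is a CA. The CA config string and output path are assumptions; the .cer it writes is DER-encoded, which is what the Intune trusted certificate profile expects.

```powershell
# Added example: export the CA certificate as DER (.cer) and verify it is the root.
# Run from any domain-joined host that can reach the CA.

$CaConfig = 'CA02.contoso.local\Contoso-CA02-CA'   # assumed "<host>\<CA common name>"; certutil -dump lists yours
$OutFile  = 'C:\Temp\CA02-Root.cer'                # assumed output path

New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null

# -ca.cert retrieves the CA's own certificate (DER) straight from the CA.
certutil -config $CaConfig '-ca.cert' $OutFile | Out-Null
if (-not (Test-Path $OutFile)) { throw "certutil did not write $OutFile; check the config string" }

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile

# Runbook's root test: a root certificate's Issuer equals its Subject.
$isRoot = ($cert.Subject -eq $cert.Issuer)
$basic  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }   # Basic Constraints

[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    Thumbprint = $cert.Thumbprint
    IsRoot     = $isRoot
    IsCA       = [bool]($basic -and $basic.CertificateAuthority)
    NotAfter   = $cert.NotAfter
    File       = $OutFile
}

if (-not $isRoot) {
    # A two-tier PKI (for example the Cloud PKI walkthrough below) returns the issuing CA here.
    Write-Warning 'Not self-signed: this is an issuing CA. Export its root separately and deploy both.'
}
```

Record the thumbprint; it is the quickest way to confirm on a test device that the trusted certificate profile delivered exactly this certificate.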
Step 4: Enroll SCEP Certificates Automatically
Create SCEP Certificate Enrollment Profile:
In Intune, go to Devices > Configuration profiles > Create profile.
Choose Windows 10 and later for Platform and SCEP certificate for Profile type.
Select the Root CA Trusted Certificate we just create in Intune.
Enter the SCEP Server URL (for example http://FQDN/certsrv/mscep/mscep.dll). Devices contact this URL directly, so it must resolve and be reachable from every network devices enroll on; for devices enrolling off-network, publish NDES over HTTPS (for example through Entra application proxy or a reverse proxy).
Certificate Validity period: 3 days
KSP: Enroll to TPM KSP, otherwise Fail
Key Usage: Digital Signature, Key Encipherment
Key Bits: 2048
Hash SHA-2
Extended Key Usage: Client Authentication
Configure the Profile:
The Intune SCEP profile does not select a CA or a template. The template is bound on the NDES server (HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP: EncryptionTemplate, SignatureTemplate, GeneralPurposeTemplate), and NDES submits the requests to the CA it was configured against.
In the profile, set the Subject name format to a suitable value (for example CN={{DeviceName}} or CN={{AAD_Device_ID}}, as used in Part 3).
Assign the Profile:
Assign the profile to the relevant device group.
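Before assigning the profile, it is worth checking the NDES side end to end. The script below is an added example (not from the runbook) to run on the NDES server: it confirms the three MSCEP registry values point at the SCEP template, then exercises the SCEP endpoint from Step 4 with the two unauthenticated operations, GetCACaps (the capability list the client uses to pick hashes) and GetCACert (a degenerate PKCS#7 carrying the CA and NDES RA certificates), and prints which certificate plays which role. Hostname and template name are assumptions.

```powershell
# Added example: verify NDES template binding and probe the SCEP endpoint.
# Run on the NDES server (or any host that can reach the URL) after the connector is set up.

$TemplateName = 'IntuneSCEPCertificate'                              # assumed template name
$ScepUrl      = 'http://ndes.contoso.local/certsrv/mscep/mscep.dll'  # assumed NDES FQDN

# 1. NDES chooses the template from these registry values (one per key usage).
$mscep = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
foreach ($v in 'EncryptionTemplate', 'SignatureTemplate', 'GeneralPurposeTemplate') {
    $actual = $mscep.$v
    if ($actual -ne $TemplateName) {
        Write-Warning "$v is '$actual', expected '$TemplateName'. Fix it under HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP and run iisreset."
    }
}

$web = New-Object System.Net.WebClient   # returns raw bytes; Invoke-WebRequest may re-encode binary

# 2. GetCACaps: plain-text capability list.
$caps = $web.DownloadString("$ScepUrl?operation=GetCACaps&message=ca")
Write-Host "CA capabilities:`n$caps"
if ($caps -notmatch 'SHA-2' -and $caps -notmatch 'SHA-256') {
    Write-Warning 'NDES does not advertise SHA-2; the SHA-2 hash setting in the Intune profile will not be used.'
}

# 3. GetCACert: degenerate PKCS#7 (SignedCms with no signers) containing CA + RA certs.
Add-Type -AssemblyName System.Security
$raw = $web.DownloadData("$ScepUrl?operation=GetCACert&message=ca")
$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$cms.Decode($raw)

foreach ($c in $cms.Certificates) {
    $basic = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    $role = if ($c.Subject -eq $c.Issuer) { 'Root CA' }
            elseif ($basic -and $basic.CertificateAuthority) { 'Issuing CA' }
            else { 'RA (NDES)' }
    '{0,-11} {1,-45} expires {2:d}' -f $role, $c.Subject, $c.NotAfter
}
if ($cms.Certificates.Count -lt 2) {
    Write-Warning 'Expected at least a CA certificate and an RA certificate; NDES may not be configured.'
}
```

The RA certificates expire independently of the CA (by default after two years), and their expiry silently breaks every SCEP enrollment, so note the dates this prints.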
Step 5: Configure Cisco Meraki for EAP-TLS
Access Meraki Dashboard:
Log into your Cisco Meraki Dashboard.
Set Wireless Configuration:
Navigate to Wireless > Configure > Access Control.
Under Security, choose one of two options. With "WPA2 Enterprise with my RADIUS server", enter the RADIUS server details (IP, port, and shared secret) and the RADIUS server validates the device certificate. With "Enterprise with Local Auth" (the option used in Part 2 and in our SSID), the Meraki APs validate the device certificate themselves against the CA certificate uploaded to the SSID, and no RADIUS server is needed.
Enable 802.1X Authentication:
Choose EAP-TLS as the authentication method, requiring SCEP certificates.
Setup with Cloud PKI (these steps were used as a reference; in our implementation the on-premises CA server CA02 takes the place of Cloud PKI):
Step-by-step walkthrough
The setup of the Microsoft Cloud PKI. Within Microsoft Intune navigate to Tenant administration > Cloud PKI and click on Create:
Root CA Creation
On the creation wizard fill in the name of the new Root CA
Select the CA type: Root CA with a Validity period: 25 years.
Extended Key Usages: select as minimum Server Auth and Client Auth. But you can add more if you wish.
Fill in all subject attributes for maximum compatibility
O as “your company name”
OU as “IT”
C as “2 digit country code”
ST as “your state”
L (Locality) as your city, or leave it blank; it is a place name, not a language tag.
For the key size and algorithm, I’ve chosen the strongest one RSA-4096 and SHA-512
Then click next.
Issuing CA Creation
Let’s proceed with the Issuing CA by doing basically the same again and using CA type Issuing CA. We start with the name of the Issuing CA:
Choose the CA type Issuing CA
Select your newly created Intune based Root CA.
Validity period I chose the maximum of 10 years
The Extended Key Usages (EKU) can be chosen based on the ones I’ve added to the Root CA.
Extended Key Usages: select as minimum Server Auth and Client Auth. But you can add more if you wish.
Fill in the Subject attributes and the key size as per Root CA
Finally on the summary page, click on Create:
Now we are going to download the Root CA and Issuing CA certificate, as we want to deploy them later to our devices.
Click on the Root CA, select properties and then click on the Button Download to download the certificate.
Repeat for the Issuing CA
Also for the Issuing CA, copy/save the SCEP URI, we need this in Part 3
Part 2 – Meraki SSID.
Log in to Meraki and navigate to the Access Control page and select your desired SSID.
Set SSID to Enabled
Under Security, select Enterprise with Local Auth
Certificate authentication Enabled
Password authentication Disabled
Download the IdenTrust Root CA cert and keep it with your previously downloaded Root CA and Issuing CA certificates. You will deploy it to your devices later with Intune.
LDAP set to Do not verify with LDAP
OCSP set to Do not verify certificate with OCSP (at least until Intune Cloud PKI supports OCSP). Because Meraki then performs no revocation check, the certificate validity period and revocation in Intune are the only controls on a lost or retired device.
Upload the certificate of the CA that signs the device certificates: the Issuing CA in a two-tier Cloud PKI, or in our instance the Root CA CA02, which issues the device certificates directly. Meraki uses it to validate device certificates; it is not the device certificate itself.
Part 3 – Intune device profiles for windows devices.
(The home stretch.) The process is similar for iOS.
We are going to deploy 5 profiles in this order:
Our Root CA certificate
Our Issuing CA certificate
Meraki IdenTrust Certificate
SCEP Profile (used in the WiFi Profile).
WiFi profile
Log in to intune, > Devices > Configuration Profiles:
First we create the Trust Profiles
Select Create then New Policy
Platform Windows 8.1 and later
Profile Type: Trusted Certificate
Click Next
Name: Enter the name of your Root CA or desired profile name.
Upload the .cer file of the Root CA you downloaded in Part 1.
Set destination store as Computer certificate store – Root.
Finish creating the profile setting the profile assignments to your Devices group.
Repeat these steps for the Issuing CA and Iden Trust CA certificates you downloaded also to the Computer certificate store – Root.
Second we create the SCEP Profile for our devices.
Select Create then New Policy
Platform Windows 8.1 and later
Profile Type: SCEP Certificate
Give it a name and click next.
Certificate type set as Device
Subject Name as CN={{AAD_Device_ID}}
Subject Alternative name as
DNS {{AAD_Device_ID}}
DNS {{DeviceName}}
Validity period as 1 Years
Key storage provider (KSP) set to Enroll to Software KSP.
Note (This is because some TPMs don’t support/like 4096 keys)
Key Usage select both Key encipherment and Digital signature
Key Size 4096
Hash algorithm SHA-2
Root Certificate Select your Root CA.
Extended key usage Client Authentication
Note: Don’t select Any – this wont work with Cloud PKI
SCEP Server URLs: Paste in the SCEP URI we saved in Part 1. If you don’t have it go to your Issuing CA and re-copy.
Save and assign to your Devices group.
Once the assignments apply, the device(s) should receive the Root and Issuing CA certificates in the machine Root store and a device certificate issued by the MS Cloud PKI in the machine Personal store.
Third and finally we create the WIFI Profile for our devices.
Select Create then New Policy
Platform Windows 10 and later
Profile Type: WiFi
Click Next
Step 6: Test Configuration
Enroll Test Device:
Ensure a test device is enrolled in Intune.
Verify that it receives both the CA certificate and the SCEP certificate.
Connect to Wi-Fi:
Attempt to connect to the configured SSID.
Select the network, click “Connect,” and monitor for a successful connection.
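For a less manual check than watching the connection, the script below is an added example (not from the runbook) to run on an enrolled test device. It verifies the trusted CA certificate is in the machine Root store, that a device certificate from our CA with the Client Authentication EKU and a private key is in the machine Personal store, which KSP holds the key (the TPM provider or the software provider, matching the profile's KSP setting), that the chain builds to the deployed root, and that the Wi-Fi profile arrived. The issuer name fragment and SSID are assumptions.

```powershell
# Added example: verify certificates and Wi-Fi profile on an enrolled Windows device.
# Run in an elevated PowerShell on the test device.

$IssuerMatch = 'CA02'        # assumed: substring of the issuing CA's subject
$Ssid        = 'CertAuth'    # assumed: SSID name configured in Meraki

# 1. Trusted root delivered by the trusted-certificate profile.
$roots = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$IssuerMatch*" }
if (-not $roots) { Write-Warning "No root matching '$IssuerMatch' in LocalMachine\Root; trusted-cert profile not applied yet." }

# 2. SCEP device certificate: from our CA, Client Authentication EKU, private key, unexpired.
$clientAuth = '1.3.6.1.5.5.7.3.2'
$devCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -like "*$IssuerMatch*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $clientAuth)
}
if (-not $devCerts) { throw 'No usable SCEP device certificate in LocalMachine\My; check SCEP profile assignment and the NDES logs.' }

foreach ($c in $devCerts) {
    # 3. Which KSP holds the key? "Microsoft Platform Crypto Provider" means TPM.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
    $ksp = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.Provider.Provider } else { 'legacy CSP' }

    # 4. The chain must build to the root from step 1. Meraki Local Auth does no
    #    OCSP/CRL check, so mirror that here and check revocation separately.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($c)
    $san = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

    [pscustomobject]@{
        Subject  = $c.Subject
        SAN      = if ($san) { $san.Format($false) } else { '' }
        Issuer   = $c.Issuer
        NotAfter = $c.NotAfter
        KeyBits  = $rsa.KeySize
        KSP      = $ksp
        ChainOk  = $chainOk
    }
}

# 5. Wi-Fi profile delivered by the Wi-Fi configuration profile.
$profile = netsh wlan show profile name="$Ssid"
if ($profile -match 'not found') {
    Write-Warning "Wi-Fi profile '$Ssid' not present; check the Wi-Fi profile assignment."
} else {
    $profile | Select-String 'Authentication|Cipher|EAP|Applies to'
}
```

If KSP shows the software provider on a device whose profile demanded "Enroll to TPM KSP, otherwise fail", the certificate came from a different profile; if no certificate appears at all on a TPM-less VM, that same setting is the reason.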
Step 7: Push to Production
On the CA server, open the Intune SCEP Certificate template and on the General tab adjust the validity period to 6 weeks; set the validity period in the Intune SCEP profile to the same value, since the profile cannot request more than the template allows and the shorter of the two wins.
Change CertAuth SSID in Meraki name to reflect the change from testing.
Keep the original Internal SSID until all devices are migrated to Intune.
Creating and Using SCEP Certificate Profiles with Intune
Use SCEP certificate profiles with Microsoft Intune | Microsoft Learn
Creating Certificate Profile in Intune
Create trusted certificate profiles in Microsoft Intune | Microsoft Learn
Configuring SCEP
Configure infrastructure to support SCEP certificate profiles with Microsoft Intune | Microsoft Learn
Meraki 802.1X Certificate Authentication
Certificate Connector for SCEP
https://learn.microsoft.com/en-us/mem/intune/protect/certificate-connector-overview
Helpful for The Meraki Side of The Configuration
Prerequisites for the Certificate Connector for Microsoft Intune
Another Step-by-Step Guide
Use certificates for authentication in Microsoft Intune
Configure and use PKCS certificates with Intune
Use a PKCS certificate profile to provision devices with certificates in Microsoft Intune | Microsoft Learn
If need to remove CA