ZacheryMinton-6968 asked · Crystal-MSFT edited

Intune SCEP Wi-Fi Profile with RADIUS NPS

I followed this guide to get SCEP and NDES working



I am trying to push a working Wi-Fi profile to mobile devices using NPS as the RADIUS server, and I cannot figure out where the issue is.



In Intune I push out the Root CA, a user certificate with the subject name CN={{UserPrincipalName}}, and then I push out a Wi-Fi EAP-TLS profile using the above certificate.



Everything deploys to the devices: they get the Root CA, request a certificate, and receive the Wi-Fi profile, but when they attempt to connect it fails. The error message I am getting in the NPS logs is:

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
        Security ID:                  Domain\<UserName>
        Account Name:                 <User UPN>
        Account Domain:               Domain
        Fully Qualified Account Name: DOMAIN\<UserName>

    Reason code 16
    Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

On my PC, if I do a cert request using the template that Intune uses, I can use that cert on my PC and it will connect. If I export it and manually make the Wi-Fi profile on my phone using the requested certificate, it will work. It just seems that when Intune requests the certificate it doesn't work.

Has anyone got this to work successfully with Intune? I've been pulling my hair out all week trying to get this working. I don't want to do device certificates, as from what I know I would have to make dummy computer accounts in AD for each mobile device, and even when I tried that I could not get them to connect either.



My understanding is that if the user certificate SCEP template uses the subject CN={{UserPrincipalName}}, it would map to the AD user, but this doesn't seem to be the case. It doesn't map: when I check the user account in AD for Published Certificates it is not there; the certificates are under the NDES service account's Published Certificates. Even then, if I export it, add it to the user in question, and also do a name mapping with that certificate, I still get reason code 16.


Crystal-MSFT answered

@ZacheryMinton-6968, for the error message, it seems there's a mismatch when doing authentication. I notice we use a user certificate. When we request it manually it is working, but it is not working when requested from Intune.

I wonder if our issue is with the certificate subject name. Could you check one working certificate and one non-working certificate to see if the subject is the same?

For "CN={{UserPrincipalName}}", based on my understanding, it will use the user principal name of the AAD account. For an on-premises user, I find there are two related subject name formats: one is CN={{OnPrem_Distinguished_Name}} and the other is CN={{OnPremisesSamAccountName}}. Here is a link for reference:
https://docs.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep#create-a-scep-certificate-profile

If our issue is that the subject names in the two user certificates are not the same, maybe we can consider changing NPS to authenticate the certificate by something like the sAMAccountName or distinguished name.

Hope it can help.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
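The field-by-field comparison suggested above (subject, SAN, key usage, EKU, and the issuing template) can be scripted so that nothing is missed. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the public part of each certificate has been exported to the two placeholder .cer paths and that it runs on a Windows machine with .NET available. The template OIDs and the Client Authentication EKU OID are the standard ones; the file paths are assumptions.

```powershell
# Added example, not from the thread: compare the fields NPS relies on for EAP-TLS
# between a working client certificate and a non-working one.
# The two .cer paths are placeholders (assumed); export each certificate's public part
# and adjust them.
param(
    [string]$WorkingCert    = 'C:\temp\working.cer',      # assumed path
    [string]$NotWorkingCert = 'C:\temp\not-working.cer'   # assumed path
)

function Get-EapCertSummary {
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

    # Extensions by OID: Key Usage, Subject Alternative Name, Enhanced Key Usage,
    # and the two Microsoft certificate-template extensions (V1 name, V2 info).
    $ku   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' }

    # NPS maps a user certificate to the AD account through the UPN in the SAN,
    # so read that value directly instead of eyeballing the formatted SAN text.
    $upn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)

    # EAP-TLS requires the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    $kuText   = '<none>'; if ($ku)   { $kuText   = $ku.Format($false) }
    $sanText  = '<none>'; if ($san)  { $sanText  = $san.Format($false) }
    $ekuText  = '<none>'; if ($eku)  { $ekuText  = $eku.Format($false) }
    $tmplText = '<none>'; if ($tmpl) { $tmplText = ($tmpl | ForEach-Object { $_.Format($false) }) -join '; ' }

    [pscustomobject]@{
        File          = Split-Path -Path $Path -Leaf
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        SanUpn        = $upn
        SAN           = $sanText
        KeyUsage      = $kuText
        EKU           = $ekuText
        Template      = $tmplText
        HasClientAuth = ($ekuOids -contains '1.3.6.1.5.5.7.3.2')
    }
}

function Compare-EapCert {
    param([string]$GoodPath, [string]$BadPath)
    $good = Get-EapCertSummary -Path $GoodPath
    $bad  = Get-EapCertSummary -Path $BadPath
    # Thumbprint and NotAfter are expected to differ; everything else should match.
    foreach ($field in 'Subject', 'Issuer', 'SanUpn', 'SAN', 'KeyUsage', 'EKU', 'Template', 'HasClientAuth') {
        [pscustomobject]@{
            Field      = $field
            Same       = ("$($good.$field)" -eq "$($bad.$field)")
            Working    = $good.$field
            NotWorking = $bad.$field
        }
    }
}

Compare-EapCert -GoodPath $WorkingCert -BadPath $NotWorkingCert | Format-Table -AutoSize -Wrap
```

Any row with Same = False is the first thing to chase. A differing Template value in particular shows that NDES issued from a different template than the one used for the manual request, which the subject name alone would not reveal.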


ZacheryMinton-6968 answered ZacheryMinton-6968 commented

I changed the SCEP certificate profile to use CN={{OnPremisesSamAccountName}}, removed the Wi-Fi profile and certificates from the Android device, and let it sync and push back. A certificate was requested and sent to the device, and it still results in the same error.

If on my domain PC I request a certificate with the same info that was sent for the Intune device, it will work using that certificate.

The Intune-created certificate and the PC-requested certificate have the exact same Subject Name and Subject Alternative Name.


@ZacheryMinton-6968, thanks for the reply.

From your description, I know both certificates have the same Subject Name and Subject Alternative Name. How about other fields like Key Usage? Are they the same?

Meanwhile, could you try to manually create a Wi-Fi profile on the Android device with the certificate we get from Intune, to see if it works?

If there's any update, feel free to let us know.


I did compare the EKU and both contain client authentication for the key usage.

Crystal-MSFT commented

@ZacheryMinton-6968, thanks for the reply. How about manually creating a Wi-Fi profile on the Android device with the certificate we get from Intune; will it work?


So what I attempted to do: I made a new SCEP configuration profile for Windows 10 and set it up exactly like the SCEP profile for Android and iOS devices, and waited for it to push out a certificate to my computer. I was able to connect successfully to Wi-Fi on my PC using this certificate. I exported it and imported it to my Android phone and it will not connect; I still get the same error that it doesn't match a user.

On my Android phone I have manually made a profile and imported the PFX that contains the Root CA, and it still refuses to connect.

Crystal-MSFT commented

@ZacheryMinton-6968, from our testing, when we use the same certificate which is working on Win10 to connect to Wi-Fi on Android, it fails. It seems the issue is not with the certificate, or maybe the Android Wi-Fi connection needs something specific. Here, we suggest contacting RADIUS NPS support to check on the issue and get more help. The following is a link with the phone numbers we can contact:
https://support.microsoft.com/en-us/topic/global-customer-service-phone-numbers-c0389ade-5640-e588-8b0e-28de8afeb3f2

Thanks for your understanding.

ZacheryMinton-6968 answered Crystal-MSFT edited

The image below is from an Android personal Wi-Fi profile; this option is missing under the fully managed, corporate-owned Wi-Fi profile in Intune.

[Screenshot attached: 132473-screenshot-2021-09-15-124106.png]




@ZacheryMinton-6968, thanks for the update. From your description, I know adding "Certificate Server Name" works. But for the Android Enterprise Wi-Fi profile, there's no option to configure it.

In the official article, the setting is not shown either. But after discussing internally, I know that although "Certificate Server Name" is not set in the Android Enterprise Wi-Fi profile, it can still work.
https://docs.microsoft.com/en-us/mem/intune/configuration/wi-fi-settings-android-enterprise#enterprise

For our issue, we need to look into more logs to troubleshoot, such as the RADIUS trace log, the Android debug log, etc. For example, we can compare the Android debug log on one working device and one non-working device to see if the identity is correct, if any other fields differ, if the NPS server has sent its certificate to the client, and if the client sends back its own certificate. As the log will contain some sensitive information, to protect our environment information we can also consider opening an Intune phone case to do log analysis and see if there's any more helpful information we can find on the Intune side.
https://docs.microsoft.com/en-us/mem/get-support

Thanks for your understanding, and have a nice day!
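On the NPS side, the denials quoted at the top of the thread are audit events in the Security log, and pulling them out by reason code shows exactly which identity NPS tried to map and over which EAP type. The PowerShell below is an added example, not from the thread or from Microsoft; it assumes it runs on the NPS server with administrator rights, relies on Event ID 6273 ("Network Policy Server denied access to a user", which is not stated in the thread but is the standard ID for that message), and the event data field names it selects are assumed from the usual 6273 layout (the generic XML parse keeps working if a name differs).

```powershell
# Added example, not from the thread. Run on the NPS server as an administrator.
# Lists recent "Network Policy Server denied access to a user" audit events
# (Security log, Event ID 6273) filtered to one reason code, so each reason code 16
# (user credentials mismatch, as quoted in the thread) can be tied to the identity
# NPS actually tried to map and to the client that presented it.
param(
    [int]$Hours      = 24,
    [int]$ReasonCode = 16    # 0 = show every denial regardless of reason
)

function Get-NpsDenial {
    param([int]$Hours, [int]$ReasonCode)
    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Flatten every <Data Name="..."> element into a hashtable so the field
        # names below are looked up, not hard-wired into the parse.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($ReasonCode -ne 0 -and [int]$data['ReasonCode'] -ne $ReasonCode) { continue }

        # Field names are assumed from the usual 6273 event layout.
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Account    = $data['SubjectUserName']                 # identity NPS resolved
            FQAN       = $data['FullyQualifiedSubjectUserName']   # DOMAIN\user or blank
            CallingMAC = $data['CallingStationID']                # Wi-Fi client MAC
            NAS        = $data['NASIdentifier']                   # access point / controller
            AuthType   = $data['AuthenticationType']
            EapType    = $data['EAPType']
            Policy     = $data['NetworkPolicyName']
            ReasonCode = $data['ReasonCode']
            Reason     = $data['Reason']
        }
    }
}

Get-NpsDenial -Hours $Hours -ReasonCode $ReasonCode |
    Sort-Object Time -Descending |
    Format-Table Time, Account, FQAN, CallingMAC, EapType, Policy, ReasonCode -AutoSize
```

A blank FQAN alongside a populated Account on the reason code 16 rows points at the name mapping step (the UPN or sAMAccountName in the certificate did not resolve to an account), whereas a populated FQAN with the same reason code points past the mapping to the policy or credential check. Comparing the Android device's row with the working PC's row by CallingMAC is the quickest way to see whether the two presented the same identity.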
