M360-2774 asked Jessie-6497 published

Intune iOS Wifi Enterprise Profile Assigned But Unable to Connect to Wireless SSID via Wifi Profile

We have been having issues with the Intune Wifi Profile that is unable to connect to our corporate wireless network. We have created a Trusted Root and PKCS cert from our CA. EAP-TLS certificate authentication. All profiles successfully deploy to our iOS BYOD devices. I can see the issued cert in our CA logs and the profiles on the iOS devices. When it comes time for the device to auto join the corporate network, the iOS devices are unable to join the network. It will make several attempts but it never connects.

We tested the PKCS cert and made sure all settings followed the Microsoft KB article. I removed the Wifi profile from the devices. Selected the company SSID and chose the EAP-TLS option > the identity cert that was pushed from Intune > then was able to join the network without an issue. We ruled out the cert being an issue since our Cisco ISE APs accepted the user cert for authentication.

For some odd reason, when we deploy the wifi profile via Intune, it can't join. The parameters of the wifi profile are correct.

Has anyone run into issues with Intune Wifi profiles and Cisco ISE APs?


Crystal-MSFT answered DouaillyYann-9656 commented

@M360-2774, From your description, it seems that when we manually connect to the WIFI with the certificate deployed via Intune, it works. But when we deploy the WIFI profile, it fails. If there's any misunderstanding, please let us know.

I notice we have Cisco ISE. Is it the one mentioned in the following link? If so, please ensure that Integrate Cisco ISE MDM with Microsoft Intune is done.
https://community.cisco.com/t5/security-documents/how-to-integrate-cisco-ise-mdm-with-microsoft-intune/ta-p/4187375
Note: Non-Microsoft link, just for the reference.

On the device side, it will make several attempts but not connect. Could you check on the network to see if the request has been passed to the WiFi server and what error we get?

If there's any update, feel free to let us know.


If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



Hello,

I found the solution to this issue. In the WIFI Enterprise Intune Profile, I had to add not only the FQDN of the servers, but also the SHA1/SHA256 fingerprints of the CA server and Cisco ISE cert to the Certificate Server Names list. No spaces or colons for the fingerprints format. I don't see this documented anywhere but I'd highly recommend this to be added to a Microsoft KB article such as:

https://docs.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-wi-fi-profiles
or
https://docs.microsoft.com/en-us/mem/intune/protect/certificates-pfx-configure

Once the fingerprints were added to the WIFI profile and the devices checked into Intune, the devices auto joined the corporate network via EAP-TLS certificate based authentication (PKCS User cert).

I can confirm this worked for both Android and iOS BYOD enrollments.

This can save a lot of time for another user who runs into similar issues. Not even MS Intune Support had a solution for this issue.

0 Votes 0 ·
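The comment above asks for fingerprints with no spaces or colons. The following Python helper is an added example, not part of the original thread or any Microsoft tooling: it computes SHA1/SHA256 fingerprints from a PEM file and cleans up a fingerprint pasted from another tool. The sample PEM body is placeholder bytes, the host name is hypothetical, and lowercase output is an assumption because the post does not state a required case.

```python
import hashlib
import re
import ssl

# Constructed stand-in: the body is placeholder bytes, NOT a real certificate.
# Replace it with the exported CA or Cisco ISE EAP certificate in PEM form.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Valid hex lengths: 40 chars for SHA1, 64 chars for SHA256.
HEX_LENGTHS = {40: "SHA1", 64: "SHA256"}


def fingerprints_from_pem(pem):
    """Hash the DER bytes of a PEM certificate; hex output has no separators."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return {
        "SHA1": hashlib.sha1(der).hexdigest(),
        "SHA256": hashlib.sha256(der).hexdigest(),
    }


def normalize_fingerprint(text):
    """Strip label, colons and whitespace from a pasted fingerprint."""
    # Drop a leading "label=" such as the one printed by `openssl x509 -fingerprint`.
    value = text.split("=", 1)[-1]
    cleaned = re.sub(r"[\s:]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned) or len(cleaned) not in HEX_LENGTHS:
        raise ValueError("not a SHA1/SHA256 fingerprint: %r" % text)
    return cleaned


def server_names_entries(fqdns, pems):
    """Build the list of values to enter: FQDNs first, then both fingerprints per cert."""
    entries = list(fqdns)
    for pem in pems:
        fp = fingerprints_from_pem(pem)
        entries += [fp["SHA1"], fp["SHA256"]]
    return entries


if __name__ == "__main__":
    # "ise01.corp.example" is a hypothetical RADIUS server name.
    for entry in server_names_entries(["ise01.corp.example"], [SAMPLE_PEM]):
        print(entry)
```

`normalize_fingerprint` raises `ValueError` on anything that is not exactly 40 or 64 hex characters after cleanup, which catches truncated or mistyped entries before they go into the profile.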

Hello @M360-2774,

I am having the same issue with iOS devices connecting to SSID with EAP-TLS authentication.

  • Manually, selecting PKCS certificate, EAP-TLS, and answering "Trust" to the pop-up page showing the NAC EAP FQDN, it works

  • I tried to use SHA1, SHA256 fingerprints of the NAC EAP FQDN certificates to the "Certificate Server Names" and it is not working.

What we have is a global Root CA, with an intermediate CA and a NAC server using a dedicated certificate.

Should I add more to the Wi-Fi profile, such as Root CA URL or FQDN, Intermediate CA URL or FQDN, and/or fingerprints of those certificates?

To cross test this, I created a second SSID to test the manual mode. Once all the right certificates are deployed onto iOS, the manual authentication using PKCS works perfectly. I am down to the actual Wi-Fi profile in Intune.

What worked for you? Could you be a little more specific?

Thanks in advance,

0 Votes 0 ·
Crystal-MSFT answered DouaillyYann-9656 commented

@M360-2774, Thanks for sharing the solution. I am glad to hear that the issue is resolved. To help others easily find the solution, please let me write a summary for the issue:

Issue description:

=====================
Intune iOS/Android WiFi Enterprise Profile Assigned But Unable to Connect to Wireless SSID via WiFi Profile. But when it connects manually, it works.

Resolution:

=====================
In the WIFI Enterprise Intune Profile, add the FQDN of the servers, SHA1/SHA256 fingerprints of the CA server and Cisco ISE cert to the Certificate Server Names list. It works.

Meanwhile, I will try my best to feed back the information to see if we can add more information to make the document easier to understand.

Thanks for your time and have a nice day!


Jessie-6497 answered Jessie-6497 published

I am having the same issue when I deploy via Intune. It works fine when I connect on the iPad without first deploying the wifi configuration profile via Intune, but once I deploy the configuration it just fails to connect. I have tried to add the fingerprints and that didn't help. Do you have any more suggestions to check?
