Intune - TTLS-PAP with IronWiFi PKI

Configuration of TTLS-PAP, a protocol that sends user credentials inside an encrypted TLS tunnel

This is a guide for setting up TTLS-PAP with IronWiFi's multi-tiered, HSM-based Certificate Authority and Microsoft Intune, to provision Windows-based devices using a user profile.

What do you need?

  • IronWiFi Root CA Certificate - the certificate of the IronWiFi Root Certificate Authority, iw-rsa-root-ca.cert.crt. The file can be downloaded from this link.

  • IronWiFi Intermediate Certificate - the certificate of the IronWiFi Intermediate Certificate Authority that signs the CSR requests, iw-rsa-intermediate-ca.cert.crt. The file can be downloaded from this link.

1. Sign in to the Microsoft Intune management console

2. Navigate to Devices > Windows > Configuration Profiles

3. Click Create > New Policy, choose Platform: Windows 10 and later and Profile type: Templates, then search for the Trusted certificate template

4. Add the certificate with the following configuration settings:

  • Name - IW TTLS Root CA
  • Certificate file - iw-rsa-root-ca.cert.crt downloaded from the link above.
  • Destination store - Computer certificate store - Root

5. Select correct Assignments and Applicability Rules:

!NOTE! Make sure that you are using USER based assignments for all profiles.

6. Review and create the profile

7. Create another Trusted certificate Configuration Profile, repeating the steps from step 4 with the following configuration settings:

  • Name - IW TTLS Intermediate CA
  • Certificate file - iw-rsa-intermediate-ca.cert.crt downloaded from the link above.
  • Destination store - Computer certificate store - Intermediate

8. Select the correct Assignments and Applicability Rules, then review and create the profile as you did when adding the Root CA

9. Create a Configuration Profile for Wi-Fi using the steps from step 4, this time selecting the Wi-Fi template:

10. Select type: Enterprise and use the following settings:

  • Wi-Fi name - Your SSID
  • Connection name - Your connection name
  • Connect automatically when in range - Yes
  • Connect to more preferred network if available - No
  • Connect to this network, even when it is not broadcasting its SSID - Yes
  • Metered Connection Limit - Unrestricted
  • Authentication Mode - User
  • Single sign-on (SSO) - Disable
  • EAP type - EAP - TTLS
  • Certificate server names - radius.ironwifi.com
  • Root certificates for server validation - the trusted certificates created in the previous steps: IW TTLS Intermediate CA, IW TTLS Root CA
  • Authentication method - Username and password
  • Non-EAP method (Inner identity) - Unencrypted password (PAP)
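As an added check that is not part of the IronWiFi guide, the following PowerShell script, run on a provisioned Windows device, verifies that the two CA certificates landed in the computer stores the profiles target (Root and Intermediate), that the intermediate actually chains to the root, and that the deployed Wi-Fi profile pins the server name radius.ironwifi.com. It assumes the two .crt files were copied to C:\Temp and that the connection name is "IronWiFi" (a placeholder; substitute your own).

```powershell
# Added verification script (not part of the IronWiFi guide).
# Assumptions: the two CA files sit in C:\Temp and the Intune
# connection name is "IronWiFi" (placeholder, use your own value).
$RootFile         = 'C:\Temp\iw-rsa-root-ca.cert.crt'
$IntermediateFile = 'C:\Temp\iw-rsa-intermediate-ca.cert.crt'
$ConnectionName   = 'IronWiFi'
$ExpectedServer   = 'radius.ironwifi.com'

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootFile
$int  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IntermediateFile

# 1. Each certificate must be present in the store its profile targets
#    (Root -> LocalMachine\Root, Intermediate -> LocalMachine\CA), matched by thumbprint.
$rootInStore = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $root.Thumbprint
$intInStore  = Get-ChildItem Cert:\LocalMachine\CA   | Where-Object Thumbprint -eq $int.Thumbprint
"Root CA in LocalMachine\Root:     $([bool]$rootInStore)"
"Intermediate in LocalMachine\CA:  $([bool]$intInStore)"

# 2. The intermediate must chain to the root. Revocation checking is
#    skipped so the check works offline; it only validates signatures.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$chainOk = $chain.Build($int)
"Intermediate chains to root:      $chainOk"
if (-not $chainOk) {
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation)" }
}

# 3. The deployed Wi-Fi profile must carry the expected server name, otherwise
#    the client would accept any certificate issued under the trusted CAs.
$tmp = Join-Path $env:TEMP 'wlanprofile-check'
New-Item -ItemType Directory -Force -Path $tmp | Out-Null
netsh wlan export profile name="$ConnectionName" folder="$tmp" | Out-Null
$profileXml = Get-ChildItem $tmp -Filter '*.xml' | Select-Object -First 1
[xml]$doc = Get-Content $profileXml.FullName
# ServerNames lives in the embedded EAP config; search namespace-agnostically
# and split on ';' because Windows stores multiple names in one element.
$names = ($doc.SelectNodes("//*[local-name()='ServerNames']") |
          ForEach-Object { $_.InnerText }) -join ';' -split ';'
"Profile server names:             $($names -join ', ')"
"Server name pinned correctly:     $($names -contains $ExpectedServer)"
Remove-Item $tmp -Recurse -Force
```

Run it in an elevated PowerShell session on a device that has already received all three profiles; a False on any line points at the profile (trusted certificate or Wi-Fi) that needs attention.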