This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 87%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENS%3C/text%3E%3C/svg%3E)
Dear ppl,
Just wondering if NPS Network Policy Server can only do AD existed devices authentication (CA RootCA certificate based) and User based Authentication to 802.1x Wifi? It won't be able to do certificate-based authentications to any Intune Enrolled (SCEP or PKCS) devices (None Domain Joined iPads and Android etc), might have to look into different Cloud Radius solution?
Thanks a lot
Larry
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 15%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMC%3C/text%3E%3C/svg%3E)
Network Policy Server (NPS) primarily integrates with Active Directory for device authentication and supports user-based authentication for 802.1x Wi-Fi. However, if you need certificate-based authentication for non-domain joined devices like iPads and Android devices enrolled in Intune, you might need to explore cloud-based RADIUS solutions that support the integration you require, such as those offered by Intune or other third-party providers.
That is what I thought too. So it is actually pointless to implement InTune certificate connector to roll out SCEP or PKCS for 802.1x Wifi if we only have on prem NPS server, is that right? What would be other security advantages or disadvantages if we set up InTune Cert Connector of SCEP or PKCS?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Namless Shelter, Thanks for posting in Q&A. If you only have an on-premises NPS server and want to perform certificate-based authentication for Intune-enrolled devices, you may need to consider a cloud RADIUS solution.
Deploying an Intune Certificate Connector for SCEP or PKCS can provide additional security benefits, such as simplifying certificate deployment and management for Intune-enrolled devices. However, it may not be necessary if you only have an on-premises NPS server and cannot perform certificate-based authentication for Intune-enrolled devices without a RADIUS proxy.
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks so much,
I guess if we still go ahead doing PKCS (InTune Certificate Connector) to send auto enrolled certificates to AdJoined and None-Adjoined devices. And do an additional configuration profile of 802.1x Wifi policy with a RootCA cer file to Ad-Joined Windows and Mac, it will be enough for our infrastructure. We will end up having Ad Joined Device connecting to internal 802.1x Wifi as well as securer way of handling Certificates etc? We won't need to do nDES etc for extra complexities, correct? As we have a On-Prem NPS, which doesn't do certificate authenticate to None Domain Joined Devices any way, might as well keep it this way.
Thanks
Nameless
@Namless Shelter, Thanks for the reply. From your description, it seems the non domain joined device doesn't do certificate authentication. And it seems the certificate authentication is only for domain joined device. If we use Intune to deploy PKCS certificate, configure WiFi profile and deploy Trusted certificate for Root CA to these devices, we can check if current existing subject name format in PKCS support the authentication, I think it's OK. And there's no need to configure NDES which is for SCEP certificate.
https://video2.skills-academy.com/en-us/mem/intune/protect/certificates-pfx-configure
Thanks for that.
If I select User Based Authentication, does it mean I need to specify Username and Password within InTune Configuration Profile?
Thanks
@Namless Shelter, Thanks for the reply. If you choose user-based authentication, based on my understanding, the WiFi profile needs to set to authenticate with username and password.
@Namless Shelter, Hope things are going well. If there's anything else we can help, feel free to let us know.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 11%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJZ%3C/text%3E%3C/svg%3E)
Hello,
Thank you for posting in Q&A forum.
NPS Server can work on device that joint on Intune platform. However you will need to configure the network policy on Intune platform.
For further details, please kindly refer to Microsoft Official Documentation below:
https://video2.skills-academy.com/en-us/mem/intune/configuration/wi-fi-settings-configure
To help other customers who may be facing the same issue, please don't forget to vote if the reply is helpful.
Best regards,
Jill Zhou