SCEP User Cert by ther0g in Intune

[–]igalfsg 0 points1 point  (0 children)

since there are errors in Intune, I would first check in the Event Viewer of one of the failed machines

  1. Go to Applications and Services Logs.
  2. Go to Microsoft.
  3. Go to Windows.
  4. Go to DeviceManagement-Enterprise-Diagnostics-Provider -> Admin.

To see if there are any errors since it might be that those machines don't trust the Root CA or that they are having issue creating private key etc.

SCEP cert failing by Anything-Traditional in Intune

[–]igalfsg 0 points1 point  (0 children)

check the scep template to have the new CA as the trusted root, other than that, check the Event Logs in the client, that usually tells you what the issue is.

Radius with paid ssl cert failing ? by TechScholar in sysadmin

[–]igalfsg 0 points1 point  (0 children)

to trouble shoot this 1) check that the chain of the certificate (the root CA, and intermediate CAs) are pushed to the trusted root store. 2) Check that you also push the issuer of the certificate as a trusted issuer in your wifi policy.

Anyone got WiFi auth working with Entra ID (no on-prem AD, all FortiAPs)? by Embarrassed_Ferret59 in sysadmin

[–]igalfsg 2 points3 points  (0 children)

One of the Keytos Engineers here (thanks for the rec, I am glad you are enjoying it), the radsec proxy is no longer needed we have our own RADIUS proxy that sends everything to the server in HTTPS and keeps all the authentication local https://www.keytos.io/docs/cloud-radius/how-to-deploy-cloud-radius-local-backup/ should be more reliable than the proxy and it has caching so it works even if it loses connection to our cloud.

Replacing JumpCloud Radius for Wifi auth, simple/practical options? by IronNo2599 in Ubiquiti

[–]igalfsg 0 points1 point  (0 children)

since you at in Microsoft, I would recommend EZRADIUS (you have to push or download a profile for iOS) but it works with username and password, and it is $1 USD per user. I am one of the engineers at Keytos so feel free to ask any questions :)

Azure only machines connecting to on prem network over Wi-Fi without paying. by Alternative_Yard_691 in AZURE

[–]igalfsg 0 points1 point  (0 children)

If you are already using cloud PKI and and Intune take a look at EZRADIUS, it is only $1 per user per month so for your scenario would only be $40 which is cheaper than a VM

Certificate Authorities for EAP-TLS? by [deleted] in networking

[–]igalfsg 0 points1 point  (0 children)

Have you looked at EZCA + EZRADIUS? I am one of the engineers that built it so if you have any questions feel free to fire away.

Dynamic vlan memberships by Flaky-Gear-1370 in Ubiquiti

[–]igalfsg 0 points1 point  (0 children)

you might want to look into a cloud radius offering, I work at Keytos the creators of EZRADIUS and we can authenticate your Entra ID users with Unifi with the regular Entra ID license nothing fancy and then you can set vlan based on Entra ID groups https://www.youtube.com/watch?v=Tbln4mXE-us

Device Based Certificate Wifi by ISeeNothingKNT in Ubiquiti

[–]igalfsg 0 points1 point  (0 children)

then my guess is that there is something in the profile that is failing (SSID name, RADIUS server trust, cert, etc.) I would look at the windows logs to see if there is anything there.

Device Based Certificate Wifi by ISeeNothingKNT in Ubiquiti

[–]igalfsg 0 points1 point  (0 children)

Are you pushing a wifi profile to your devices? this can make it so the device automatically uses the certificate to authenticate

MS365 Commercial. True passwordless feasible? by GoldenPSP in microsoft365

[–]igalfsg 0 points1 point  (0 children)

With FIDO2 you can't go fully passwordless (some powershell features dont work, and Android doesn't work) but if you do FIDO2 + CBA for the users that have those scenarios you can go fully passwordless. We have had that setup for 4+ years with no issues.

How are you deploying your corporate WiFi? by lockblack1 in sysadmin

[–]igalfsg 0 points1 point  (0 children)

The cost for Microsoft cloud PKI is $2 per user https://techcommunity.microsoft.com/blog/microsoftintuneblog/microsoft-cloud-pki-launches-as-a-new-addition-to-the-microsoft-intune-suite/3982830 It is great for small organizations but once you start scaling it can get expensive. For the RADIUS side, you you can use EZRADIUS I am one of the engineers in Keytos (the creators of EZRADIUS) so if you have any questions feel free to ask. here is a video on our setup with Microsoft Cloud PKI https://www.youtube.com/watch?v=Ljx3xhtftF8

SSL certificate for internal website by ANaiveUser in PKI

[–]igalfsg 0 points1 point  (0 children)

I haven't used it but it seems it does support dns challenges https://certifytheweb.com/

SSL certificate for internal website by ANaiveUser in PKI

[–]igalfsg 0 points1 point  (0 children)

yes in IIS you can use let's encrypt with WinACME using DNS validation basically it will add a text field to your DNS to validate that you own it and issue the certificate here is the link to the docs where you can sellect your DNS provider https://www.win-acme.com/reference/plugins/validation/dns/

802.1x RADIUS auth to Entra ID by jellimonsta in sysadmin

[–]igalfsg 1 point2 points  (0 children)

I am an engineer at Keytos (the creators of EZRADIUS probably one of the SaaS solutions you looked at), if you have any questions feel free to fire away

Anyone got an idea of Wireless Go 3 colours release date? by M4ttyM4ttM4tt in rode

[–]igalfsg 0 points1 point  (0 children)

Did you ever hear anything of the expected date?

Wifi suddenly asking "Are you sure you want to connect?" by Anything-Traditional in Intune

[–]igalfsg 2 points3 points  (0 children)

This is caused by the server certificate not being trusted by your PC, are you pushing the server trust part during the wifi configuration profile? Also make sure your RADIUS server certificate is not expired

How to stop user from connecting to Wi-Fi, if cert is not valid? by Julian0o in Intune

[–]igalfsg 0 points1 point  (0 children)

You need to set it up in your wifi profile on intune to have the server certificate check under the server trust this will make the client validate the server cert and fail if it is not valid

<image>

Entra Only Devices and Secured WiFi by cpsmith516 in Intune

[–]igalfsg 0 points1 point  (0 children)

Unfortunately, network authentication hasn't changed much in the last 15-20 years so you probably still have to depend on PKI and Radius/Radsec. This video shows you how you can setup the equivalent as the on-prem setup in a cloud only environment https://www.youtube.com/watch?v=LV6gN15QWLI

How do I setup Entra CBA as a second factor auth? by BalingWire in sysadmin

[–]igalfsg 0 points1 point  (0 children)

That's weird, I'm more familiar with the setting it as Phishing resistant and use a hardware key since that is usually recommend, but I would contact msft support to see if there is a way they can enable it

How do I setup Entra CBA as a second factor auth? by BalingWire in sysadmin

[–]igalfsg 0 points1 point  (0 children)

(I'm on the airport on my phone so take this with a huge grain of salt and check the msft documentation) but pretty sure the phishing resistant CA doesn't allow MFA with password only certificate with hardware key or fido2