Lazy loaded image
Technologies
Enable network authentication with Azure AD only joined devices & Intune
00 min
Jul 25, 2023
Jul 26, 2023
type
status
date
slug
summary
tags
category
icon
password
URL

Introduction

This post is a brief summary of establishing network connection (wired or wireless network) on Intune managed devices, from my experience.

Challenges

  • Azure AD only joined devices are not present in Active Directory and therefore certificates can not be issued by the PKI, resulting that clients can not authenticate with a certificate.
  • Your network is one layer of your security perimeter and should be protected.
  • Additionally, the configuration must be accomplished with Intune.

Solutions for network authentication

  • Open (no authentication)
  • Pre-shared key (password)
  • Certificate authentication <- this posts focus
  • User authentication with username + password
User authentication by providing credentials with SSO will not work if you have Credential Guard activated. It is recommended to move from MSCHAPv2-based connections to certificate-based authentication.
Background: Kerberos unconstrained delegation cloud allow attackers to extract Kerberos keys from the isolated LSA process. NTLMv1 classic authentication is attackable. Learn more from the Microsoft docs
My recommendation is to achieve authentication to your corporate network through certificates, because it is the most secure way. Even though you need some technical prerequisites in place:
  • Certificate deployment to clients - PKCS or NDES Intune
notion image
notion image
  • Network profile configuration deployed from Intune
  • Trusted Root certificate deployed to your clients (from the CA and authentication service server certificate)
  • Configuration from your network devices / RADIUS setup
Another challenge is the configuration from the network side. Your clients typically talk EAP (TLS) with the end network device which could be an access point or switch and these then forward the request to a central component, that can handle RadSec or RADIUS protocols in order to validate the authentication request.
There are multiple validation techniques available, depending on the product and vendor. But to verify the request, the network component can do one or more of these checks:
  • Verify the client certificate if it was issued by a trusted certification authority
  • Check the Subject (Alternative) Name -> here it is important to configure these right in the Intune profile (correct attribute such as DNS)
  • Confirm if an Azure AD device object exists (requires integration, usually Enterprise Application to view devices)
  • Check the compliance state of the device (also requires an integration to Azure AD)
notion image
You need the following profile types:
  • Trusted Root and Intermediate certificates (trust chain must be complete)
  • PKCS or SCEP for certificate deployment
  • Wi-Fi or wired network
See some samples:
notion image
notion image
notion image
上一篇
Synology: Best NAS For Docker – Marius Hosting
下一篇
【好玩儿的 Docker 项目】80、90 回忆杀,10 分钟搭建复古中文 DOS 游戏,最多畅玩 1898 款!