u/Luconik

EAP-TLS certificate Wi-Fi with Intune + Aruba Central NAC — Windows, macOS and iOS/iPadOS step-by-step with screenshots

**EAP-TLS certificate-based Wi-Fi with Microsoft Intune + Aruba Central NAC — Windows, macOS and iOS/iPadOS**

I couldn't find much documentation covering all three platforms together, so I put together a full lab write-up with step-by-step screenshots.

**The setup:**

- Aruba Central NAC as the RADIUS/NAC engine (OAuth2-connected to Intune/Entra ID)

- SCEP certificates issued directly by Central NAC's built-in CA (no NDES/connector needed)

- Intune pushing 3 profiles per platform: Trusted Certificate + SCEP + Wi-Fi

- Automatic EAP-TLS connection to WPA2-Enterprise SSID once profiles are deployed

**Per-platform specifics:**

*Windows* — straightforward, same flow as the HPE TechNote. Validate with certmgr.msc.

*macOS* — requires APNs certificate first (one-time setup). SCEP profile uses Device Channel. Validate in Keychain Access (System + login keychains).

*iOS/iPadOS* — enrollment via Company Portal is very guided. **Important:** use Certificate type **User** with `CN={{UserPrincipalName}}` in the SCEP profile. Device type causes NAC authorization to fail (Deny All) because Central NAC can't resolve the device cert to an Entra ID user or group.

**Docs split into two GitHub repos:**

- Aruba Central NAC config (identity store, roles, policies, SSID): https://github.com/Luconik/hpe-aruba-guides/tree/main/central-nac-intune

- Intune profiles + enrollment per platform: https://github.com/Luconik/microsoft-intune/tree/main/eap-tls

Each README has EN + FR versions and full screenshots for every step.

reddit.com
u/Luconik — 5 days ago
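An added pre-flight check for the iOS gotcha above (my code, not the author's or the linked repos'): it inspects an issued client certificate and flags a Device-type CN that Central NAC cannot map to a user, a missing Client Authentication EKU, a cert outside its validity window, or a leaf not actually signed by the NAC CA. It assumes the Python `cryptography` package; the CA, the user cert and the device cert are constructed inline as test data with placeholder names.

```python
import re
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.now(timezone.utc)
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # a User-type SCEP profile with CN={{UserPrincipalName}} yields a UPN-shaped CN

def check_eap_tls_cert(cert, ca):
    """Return the problems found; an empty list means the cert is usable for user EAP-TLS."""
    problems = []
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if not cn or not UPN_RE.match(cn[0].value):
        problems.append("subject CN is not a UPN (looks like a Device-type cert)")
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
            problems.append("EKU lacks Client Authentication")
    except x509.ExtensionNotFound:
        problems.append("no Extended Key Usage extension")
    now = NOW.replace(tzinfo=None)  # cert validity fields are naive UTC datetimes
    if not (cert.not_valid_before <= now <= cert.not_valid_after):
        problems.append("certificate is outside its validity period")
    if cert.issuer != ca.subject:
        problems.append("issuer name is not the NAC CA")
    try:  # the constructed CA is EC, so verify the leaf's signature as ECDSA
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:
        problems.append("signature does not verify against the NAC CA")
    return problems

def _issue(cn, issuer_name, signer, ca=False):  # constructed test data only, not the Central NAC CA
    key = signer if ca else ec.generate_private_key(ec.SECP256R1())
    b = (x509.CertificateBuilder().subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
         .issuer_name(issuer_name).public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - timedelta(minutes=5)).not_valid_after(NOW + timedelta(days=365)))
    if ca:
        b = b.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    else:
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
    return b.sign(signer, hashes.SHA256())

CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed NAC CA")])
CA_CERT = _issue("Constructed NAC CA", CA_NAME, CA_KEY, ca=True)
USER_CERT = _issue("alice@contoso.example", CA_NAME, CA_KEY)  # what CN={{UserPrincipalName}} produces
DEVICE_CERT = _issue("DESKTOP-AB12CD", CA_NAME, CA_KEY)       # Device-type CN: no user to map
```

To run it against a real cert exported from certmgr.msc or Keychain Access, load the PEM with `x509.load_pem_x509_certificate` and pass the NAC root CA as `ca`.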

EAP-TLS with Aruba Central NAC + Microsoft Intune — full lab docs for Windows, macOS and iOS/iPadOS

**EAP-TLS with Aruba Central NAC + Microsoft Intune — Windows, macOS and iOS/iPadOS lab documentation**

I've been working on getting certificate-based Wi-Fi authentication (EAP-TLS) working across all three major Intune-managed platforms using Aruba Central NAC as the RADIUS/NAC engine.

The setup uses:

- Aruba Central NAC with Microsoft Intune as the UEM (OAuth2 identity store)

- SCEP certificates issued directly by Central NAC CA

- Intune pushing Trusted Certificate + SCEP + Wi-Fi profiles to each platform

- EAP-TLS authentication validated by Central NAC against Entra ID group membership

**What's covered in the docs:**

- Entra ID App Registration + API permissions

- Aruba Central Intune extension configuration

- NAC identity store, roles, authorization policies, SSID and auth profile setup

- SCEP URL + root CA retrieval

- Platform-specific Intune profiles and enrollment for Windows, macOS and iOS/iPadOS

- End-to-end validation (certmgr, Keychain, Central NAC client detail)

**One gotcha for iOS:** the SCEP profile must use Certificate type **User** with `CN={{UserPrincipalName}}`. Using Device type causes Central NAC authorization to fail with Deny All — the NAC can't map a device cert to an Entra ID user/group.

Full step-by-step docs with screenshots on GitHub:

- Central NAC config: https://github.com/Luconik/hpe-aruba-guides/tree/main/central-nac-intune

- Intune profiles + enrollment: https://github.com/Luconik/microsoft-intune/tree/main/eap-tls
