In only a few minutes you can setup HPE Aruba Networking Central NAC to allow anyone with an OpenRoaming profile to connect to your Wi-Fi network.
Central NAC will perform the Access Network Provider (ANP) role in the OpenRoaming ecosystem, functioning as a RadSec proxy for authentication to the user’s home Identity Provider (IDP).
This will be a short post because it literally took me five mins to setup and test this after hearing it is now possible.
When in Roam
I already had the Purple OpenRoaming profile installed on my phone, but any OpenRoaming profile will do.
If you’re an iOS user you can download the OpenRoaming App from the app store, or for Android you can connect with a native Google account profile straight from your device.
1. Create a WLAN Profile, the SSID can be called anything you like (literally that, if you want).
Pick WPA3-Enterprise (because friends don’t let friends configure WPA2-Enterprise), select Central NAC and check Air Pass.
2. Like the small ‘i’ says, head over to Air Pass in Central NAC and create an AirPass Profile.
Select the built-in OpenRoaming (All) provider, select your Network and Site from the drop-down menu, enter your domain name, select site type and click Create.
You can also create a custom Air Pass Provider with
You can also create a new Air Pass Provider with a custom RCOI and Realm list if you’d prefer.
3. And you’re done. I’ll have my beer back now thanks.
This deployment guide describes how to configure HPE Aruba Networking Central NAC with Microsoft Entra ID and Intune to:
Authenticate Windows 11 users and devices using EAP-TLS
Assign access roles based on Entra ID group membership
Enforce Intune compliance
Perform client certificate enrolment against Central NAC PKI
Deploy all required client configuration using Intune
It is possible to configure all of the above using the core feature set of Central NAC which does not require any additional licensing beyond Foundation AP licenses.
The following components must be configured:
Microsoft Entra ID
App Registration
Central AP Config
Roles
WLAN Profile
Central NAC
Identity Store
Intune Extension
Authentication Profile
Authorization Policy
Microsoft Intune Configuration Profiles
Trusted certificate profile
SCEP certificate profile – Device
SCEP certificate profile – User
Wi-Fi profile
It is assumed that an existing Microsoft Entra ID tenant with Intune licensing is available with a Windows 11 device already enrolled.
A special thanks to Nicolas CULETTO for creating the Technote that helped with the UEM component.
Microsoft Entra ID – App Registration
1. Navigate to Entra ID > App Registrations and click New registration
Parameter
Value
Name
Central NAC
Supported account types
Accounts in this organisational directory only
2. Record Application (client) ID
3. Record Directory (tenant) ID
4. Navigate to Manage > API permissions
5. Grant API Permissions:
Intune – Application permissions
scep_challenge_provider
Microsoft Graph – Application permissions
Application.Read.All
DeviceManagementManagedDevices.Read.All
Directory.Read.All
Group.Read.All
User.Read.All
6. Grant admin consent for App Registration
7. Navigate to Certificates & secrets > Client secret > New client secret
BEFORE LEAVING SCREEN: Record client Secret Id and Value
Central AP Config – Roles and Policies
IMPORTANT: Roles and WLANs must be created at the Library level to be visible by Central NAC.
1. Create two roles in the Configuration Library, and assign the Device Function and Scope as follows:
2. Create a role-based policy in the Configuration Library, create rules for the newly created roles above and assign the Device Function and Scope as follows:
Central AP Config – WLAN Profile
1. Create a WLAN profile in the Configuration Library with the following configuration, and assign the Device Function and Scope as follows:
Parameter
Value
Name
<WLAN Profile Name>
ESSID Name
EAP-TLS
Security Level
Enterprise
Key Management
WPA3-Enterprise(CCM-128)
Server Group
Central NAC
Organization Name
<Your Organization Name>
Client Isolation
Enabled
Enforce DHCP
Enabled
802.11r
Enabled
Central NAC – Identity Store
1. Navigate to Central NAC > Configuration > Identity Management and click Create Identity Store
2. Add the following configuration and click Create
Parameter
Value
Name
<Identity Store Name>
Provider
Microsoft Entra ID
Tenant ID
<Tenant ID from App Registration>
Client ID
<Client ID from App Registration>
Client Secret
<Client Secret Value from App Registration>
3. Copy and record the Redirect URI
4. Under the Entra ID App Registration, navigate to Manage > Authentication and click Add Redirect URI
5. Select Web platform, paste the Redirect URI from the Identity Store and click Configure
Central NAC – Intune Extension
1. Navigate to Extensions > Available Extensions and click Install next to Microsoft Intune
2. Add the following configuration and click Create
NOTE: Replace <TenantID> in the Token Server URL with your Entra ID Tenant ID.
Central NAC – Authentication Profile
1. Navigate to Central NAC > Configuration > Authentication Profiles and click Create Profile
2. Add the following configuration
Parameter
Value
Name
<Authentication Profile Name>
Authentication Type
EAP-TLS
Network
<Your WLAN Name>
Use for wired connection
Enabled
Identity Store
<Your Identity Store>
Organization Name
<Your Organization Name>
3. Click the + icon next to UEM Onboarding
4. Configure a name and select Microsoft Intune and the name of your Intune Extension from the drop-down menu
5. Click Create
6. Edit the newly created profile, scroll down to UEM Onboarding and click the profile name
7. Copy and record the SCEP URL and click Download Certificate
These will be used when creating the Intune Configuration Profiles.
Central NAC – Authorization Policy
1. Navigate to Central NAC > Configuration > Authorization Policy and click **Create Policy
2. Add the following configuration and click Create
Parameter
Value
Name
<Authorization Policy Name>
Policy Type
Custom*
Identity Store
<Identity Store Name>
Pre-conditions
Authentication Type is equal to EAP-TLS
*NOTE: You can use a Policy Type of User if you don’t have a Premium Central NAC license.
3. Click the ellipses next to the newly created policy and click Add Rule
4. Create a rule with the following configuration
Parameter
Value
Name
User + Intune Compliant
Conditions
User Group(<Identity Store Name>) containsUser Group Name
And
Client Tags contains any Intune: Compliant
Identity Store
<Identity Store Name>
Actions
Allow Access
Role
USER
5. Create another rule with the following configuration
Parameter
Value
Name
Intune Compliant
Conditions
Client Tags contains any Intune: Compliant
Identity Store
<Identity Store Name>
Actions
Allow Access
Role
MACHINE-ONLY
6. Review the configuration
The first rule will allow user authentication, requiring:
Certificate issued by Central NAC CA
Member of specific user group
Connecting from a compliant Intune managed device
The second rule will allow machine authentication, requiring:
Certificate issued by Central NAC CA
Connecting from a compliant Intune managed device
This will allow role-based VLAN access for users in different groups, and more restricted access for a Windows 11 device before a user logs in.
Microsoft Intune – Trusted certificate profile
Navigate to Microsoft Intune admin center> Home > Devices | Configuration profiles and Create a New Policy as follows:
Parameter
Value
Platform
Windows 10 and later
Profile type
Templates
Template name
Trusted certificate
Name
Windows Central NAC CA
Configuration Settings
Parameter
Value
Certificate file
<Certificate downloaded from UEM Onboarding Config>
Destination store
Computer certificate store – Root
Assignments
Groups
<Intune Device Group>
<Intune User Group>
Microsoft Intune – SCEP certificate profile – Device
Navigate to Microsoft Intune admin center> Home > Devices | Configuration profiles and Create a New Policy as follows:
Parameter
Value
Platform
Windows 10 and later
Profile type
Templates
Template name
SCEP certificate
Name
Windows SCEP Device Certificate
Configuration Settings
Parameter
Value
Certificate type
Device
Subject name format
CN={{DeviceName}}}
Subject alternative name
URI cnac+intune:///?DeviceId={{DeviceId}}
Key storage provider (KSP)
Enroll to Trusted Platform Module (TPM) KSP, otherwise Software KSP
Key usage
Digital signature, Key encipherment
Key size (bits)
2048
Hash algorithm
SHA-2
Root Certificate
<Trusted CA Certificate Profile>
Extended key usage
Client Authentication (1.3.6.1.5.5.7.3.2) under Predefined values
SCEP Server URLs
<SCEP URL from UEM Onboarding Config>
Assignments
Groups
<Intune Device Group>
Microsoft Intune – SCEP certificate profile – User
Navigate to Microsoft Intune admin center> Home > Devices | Configuration profiles and Create a New Policy as follows:
Parameter
Value
Platform
Windows 10 and later
Profile type
Templates
Template name
SCEP certificate
Name
Windows SCEP User Certificate
Configuration Settings
Parameter
Value
Certificate type
User
Subject name format
CN={{UserPrincipalName}}}
Subject alternative name
URI cnac+intune:///?DeviceId={{DeviceId}}
Key storage provider (KSP)
Enroll to Trusted Platform Module (TPM) KSP, otherwise Software KSP
Key usage
Digital signature, Key encipherment
Key size (bits)
2048
Hash algorithm
SHA-2
Root Certificate
<Trusted CA Certificate Profile>
Extended key usage
Client Authentication (1.3.6.1.5.5.7.3.2) under Predefined values
SCEP Server URLs
<SCEP URL from UEM Onboarding Config>
Assignments
Groups
<Intune User Group>
Microsoft Intune – Wi-Fi profile
Navigate to Microsoft Intune admin center> Home > Devices | Configuration profiles and Create a New Policy as follows:
Parameter
Value
Platform
Windows 10 and later
Profile type
Templates
Template name
Wi-Fi
Name
Windows Central NAC Wi-Fi
Configuration Settings
Parameter
Value
Wi-Fi type
Wi-Fi name (SSID)
<SSID name>
Connection name
<Connection name>
Connect automatically when in range
Yes
Authentication Mode
User or machine
EAP type
EAP-TLS
Certificate server names
<SSID name>
Root certificates for server validation
<Trusted CA Certificate Profile>
Authentication method
SCEP certificate
Client certificate for client authentication (Identity certificate)
<SCEP Device Certificate Profile>
Assignments
Groups
<Intune Device Group>
Deployed Windows 11 Configuration
Although Windows is configured with WPA2-Enterprise, it will happily connect to a WPA3-Enterprise network.
The only differences between WPA2 and WPA3 Enterprise(CCM-128) are the use of a SHA-256 AKM (instead of SHA-1) and requiring Management Frame Protection (which can be used in a WPA2-Enterprise network anyway.
See below showing the 802.1X (SHA-256) (AKM 5) and FT-802.1X (AKM 3) for 802.11r capable clients.
Refer to the WPA3-Enterprise TechDoc for more information:
CrispyFi Blog 