This guide covers end-to-end configuration of certificate-based Wi-Fi authentication for Android Enterprise fully managed devices using Cloudi-Fi PKI as the certificate authority. Intune deploys a SCEP certificate issued by Cloudi-Fi PKI to each device. That certificate is then used as the client credential for EAP-TLS authentication against the Cloudi-Fi Cloud RADIUS server.
1. Overview & architecture
Profile dependency chain
| # | Profile | Type | Must succeed before |
|---|---|---|---|
| 1 | SCEP CA trusted root | Trusted certificate | SCEP profile |
| 2 | RADIUS server CA root | Trusted certificate | Wi-Fi profile |
| 3 | SCEP certificate profile | SCEP certificate | Wi-Fi profile |
| 4 | Wi-Fi profile | Wi-Fi (Enterprise) | — |
2. Prerequisites
- Cloudi-Fi account with PKI / Cloud NAC enabled
- Microsoft Intune with Android Enterprise enrollment configured
- Completed the integration guide "Microsoft Intune MDM to issue SCEP certificates from the Cloudi-Fi PKI"
- RADIUS server certificate
- Devices enrolled as Android Enterprise fully managed (Device Owner)
- Target Intune device group (e.g. CFI_LAB) created and devices assigned
4. Trusted certificate profile — Cloudi-Fi PKI CA root
This profile installs the Cloudi-Fi PKI root CA certificate on the device so it can validate the SCEP-issued client certificate chain. It must be deployed and succeed before the SCEP certificate profile is applied.
Export the CA certificate from Cloudi-Fi
Download the CA root certificate from the Cloudi-Fi dashboard under NAC Providers > Cloudi-Fi as PKI > three-dot menu > Download.
Convert to .cer if needed:
Create the profile in Intune
Navigate to Devices → Configuration → Create profile. Select platform Android Enterprise and profile type Templates → Trusted certificate (under Fully Managed, Dedicated, and Corporate-Owned Work Profile).
Basics tab — name the profile (e.g. FMDCOWP - Cloudi-Fi SCEP Certificate)
Configuration settings — upload the Cloudi-Fi PKI root CA .cer file
Assignments — add the target device group (e.g. CFI_LAB)
5. Trusted certificate profile — RADIUS server CA
Android 13+ requires a root CA certificate for RADIUS server validation to be explicitly deployed via MDM. This is a separate profile from the PKI CA root above.
Identify the correct certificate to upload
Create the profile in Intune
The RADIUS server root CA file will be provided by the Support team.
Follow the same steps as section 4 (Trusted certificate, Android Enterprise, Fully Managed). Name it distinctly, e.g. FMDCOWP - Cloudi-Fi RADIUS Certificate. Upload the RADIUS server root CA file. Assign to the same device group.
| Field | Value |
|---|---|
| Profile name | FMDCOWP - Cloudi-Fi RADIUS Certificate |
| Platform | Android Enterprise |
| Profile type | Trusted certificate (Fully Managed) |
| Certificate file | Root CA that signed the RADIUS server cert |
| Assignment | Target device group (e.g. CFI_LAB) |
6. SCEP certificate profile
Navigate to Devices → Configuration → Create profile → Android Enterprise → Fully Managed → Templates → SCEP certificate.
Basics tab — name the profile (e.g. FMDCOWP - Cloudi-Fi SCEP Profile)
Configuration settings — configure with the following values:
| Field | Value | Notes |
|---|---|---|
| Certificate type | User | Binds the certificate to the authenticated Entra user — required for per-user RADIUS policy |
| Subject name format | CN={{UserName}},C=FR,O=CFI-Product,OU=CFI,ST=Paris,L=Paris | Must match the CA subject exactly — see DN breakdown below |
| Subject alternative name | UPN = {{UserPrincipalName}} (optional) | Add if RADIUS policy requires UPN in SAN for user lookup |
| Certificate validity period | 1 Year | |
| Key usage | Key encipherment + Digital signature | |
| Key size | 2048 | |
| Hash algorithm | SHA-2 | |
| Root certificate | Select PKI CA trusted root profile (section 4) | References the Cloudi-Fi PKI CA trusted root profile — not a file |
| Extended key usage | Client Authentication (1.3.6.1.5.5.7.3.2) | |
| Renewal threshold | 20% | |
| SCEP server URLs | Full Cloudi-Fi SCEP endpoint URL | Must include the trailing path token |
Subject DN breakdown
Each attribute in the subject name corresponds to the CA subject configuration. The CN is the only dynamic field — all others are static and must exactly match the CA's subject.
| Attribute | Value | Source |
|---|---|---|
| CN | {{UserName}} → resolves to Entra display name (e.g. Product1) | Dynamic — Intune variable |
| C | FR | Matches CA subject: Country = FR |
| O | CFI-Product | Matches CA subject: Organization = CFI-Product |
| OU | CFI | Matches CA subject: OrganizationalUnit = CFI |
| ST | Paris | Matches CA subject: State = Paris |
| L | Paris | Matches CA subject: Locality = Paris |
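An added example, not part of Cloudi-Fi's or Microsoft's tooling: a pre-deployment check in Python that the static attributes of the Intune subject name format equal those of the CA subject, leaving CN as the only dynamic field. The CA subject string is constructed from the table above (its CN is a placeholder), the function names are hypothetical, and single-valued RDNs are assumed.

```python
import re

# Subject name format from the SCEP profile table on this page.
PROFILE_FMT = "CN={{UserName}},C=FR,O=CFI-Product,OU=CFI,ST=Paris,L=Paris"
# Constructed CA subject: static attributes from the DN breakdown, CN is a placeholder.
CA_SUBJECT = "CN=Example-CA,C=FR,O=CFI-Product,OU=CFI,ST=Paris,L=Paris"

def parse_dn(dn):
    """Split 'K=V,K=V' into ordered (attr, value) pairs, honouring '\\,' escapes."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs

def check_subject_format(profile_fmt, ca_subject):
    """Return a list of problems; an empty list means the static part matches."""
    prof, ca = parse_dn(profile_fmt), parse_dn(ca_subject)
    problems = []
    cns = [v for a, v in prof if a == "CN"]
    # CN is the only dynamic field, so it should carry an Intune variable.
    if len(cns) != 1 or not re.search(r"\{\{\w+\}\}", cns[0]):
        problems.append("CN should be present once and use an Intune variable")
    prof_static = {a: v for a, v in prof if a != "CN"}
    ca_static = {a: v for a, v in ca if a != "CN"}
    for attr, want in ca_static.items():
        got = prof_static.get(attr)
        if got is None:
            problems.append(f"{attr} missing from profile (CA has {want!r})")
        elif got != want:  # exact, case-sensitive comparison (this example's reading of "exactly")
            problems.append(f"{attr}={got!r} does not match CA value {want!r}")
    for attr in sorted(prof_static.keys() - ca_static.keys()):
        problems.append(f"{attr} is not part of the CA subject")
    return problems

if __name__ == "__main__":
    for fmt in (PROFILE_FMT, "CN={{UserName}},C=FR,O=cfi-product,OU=CFI,ST=Paris"):
        issues = check_subject_format(fmt, CA_SUBJECT)
        print(fmt, "->", issues or "OK")
```
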
Full subject name format string
7. Wi-Fi profile (EAP-TLS)
Navigate to Devices → Configuration → Create profile → Android Enterprise → Fully Managed → Templates → Wi-Fi.
Basics tab — name the profile (e.g. FMDCOWP - Cloudi-Fi WIFI Profile)
Configuration settings — configure with the following values:
| Field | Value |
|---|---|
| Wi-Fi type | Enterprise |
| SSID | Your 802.1X SSID name |
| Connect automatically | Enable |
| EAP type | EAP-TLS |
| RADIUS server name | cloudi-fi.net |
| Root certificate for server validation | Select profile from section 5 |
| Authentication method | Certificates |
| Client certificate | Select SCEP profile from section 6 |
| Identity privacy | anonymous (optional) |
8. Validation & verification checklist
Run through this in order after completing all profile configuration. Each item must pass before checking the next.
- Cloudi-Fi PKI CA status is Active in the Cloudi-Fi dashboard
- Entra app scep_challenge_provider and Application.Read.All permissions show Granted
- SCEP Server URL in Intune matches connector Endpoint exactly
- PKI CA trusted root profile shows Succeeded on target device
- RADIUS CA trusted root profile shows Succeeded on target device
- SCEP certificate profile shows Succeeded before checking Wi-Fi status
- Wi-Fi profile shows Succeeded and device connects to 802.1X SSID