Skip to main content
All CollectionsDevice ManagementPolicy management
Configuring a Policy for RADIUS Wi-Fi on Windows
Configuring a Policy for RADIUS Wi-Fi on Windows
Updated today

This article explains how to create and apply a Windows RADIUS Policy that instructs enrolled Windows devices to use secure Wi-Fi (WPA2/WPA3 Enterprise) via RADIUS authentication. By pushing this policy, you ensure all enrolled Windows endpoints automatically connect with the correct SSID, EAP settings, root certificates, and SCEP-issued certificates (if applicable).

Prerequisites

  1. RADIUS Server: Make sure your RADIUS server (e.g., Windows NPS or third-party) is properly configured for WPA2/WPA3 Enterprise.

  2. Certificates:

    • If using server validation, the RADIUS server must have a valid SSL certificate from a trusted CA.

    • If using device certificates (EAP-TLS), ensure you have either a root or intermediate CA certificate to push to clients and a mechanism for issuing client certs (SCEP).

  3. Swif Admin Access: You need permission to create policies and configure SCEP or certificate distribution in the Swif console.

1. Create a New Windows RADIUS Policy

  1. Navigate to Policies

    • In your Swif console, go to PoliciesCreate Policy.

  2. Enable RADIUS Wi-Fi

    • Select Windows RADIUS Policy in the policy type

  3. Name the Policy

    • Policy Name: For consistency, name it something like:

      Windows RADIUS Policy

2. Important Wi-Fi Fields to Configure

When creating your Windows RADIUS Policy, you will see a set of Wi-Fi parameters after selecting "Configure Wifi" and adding a "Wifi Profile".

Below are the critical fields to define:

2.1 SSID Name

  • SSID: Enter the exact Wi-Fi network name (e.g., CorpSecureWiFi).

  • If the network is hidden, set Hidden SSID to “true” or equivalent, so Windows knows to search for it.

2.2 Authentication and Encryption Settings

Under Wi-Fi Policy → MSM → Security → authEncryption:

  • Authentication: Usually WPA2 or WPA3.

  • Use One X: Set to “true” (enables 802.1X/EAP).

Under Wi-Fi Policy → MSM → Security → Shared Key:

  • Key Type: May be used if you have a fallback or a separate pre-shared key scenario (commonly set to “networkKey” or “passPhrase” if you have a fallback WPA2-PSK network; often not used for RADIUS-based networks).

2.3 PMK Cache & Pre-Auth Settings

Under Wi-Fi Policy → MSM → Security:

  • PMKCacheMode

  • PMKCacheTTL

  • PMKCacheSize

  • PreAuthMode

These fields control how Windows devices cache Pairwise Master Keys (PMK) and whether they pre-authenticate to APs. Common defaults are:

  • PMKCacheMode: Enabled

  • PMKCacheTTL: 720 minutes (12 hours)

  • PMKCacheSize: 32

  • PreAuthMode: Typically “disabled” unless you want pre-auth for roaming scenarios.

2.4 802.1X (OneX) Fields

Under Wi-Fi Policy → MSM → Security → OneX:

  • Auth Mode: Determines if authentication is per-user, per-machine, or “user or computer.” Typical setting for domain-joined devices is machineOrUser.

2.4.1 EAP Configuration

Under Wi-Fi Policy → MSM → Security → OneX → EAP Config → EAP Host Config:

  1. EAP Method → Type: The overarching EAP method, such as 13 for EAP-TLS or 25 for PEAP, depending on the schema used. Enter Vendor ID, Vendor Type, and Auth ID if you have values.

  2. Config → EAP → Type: The overarching EAP method, such as 13 for EAP-TLS or 25 for PEAP, depending on the schema used.

  3. Config → EAP → EAP Type → Credentials Source → Certificate Store → Simple Cert Selection: Enabling Simple Cert Selection streamlines the EAP-TLS flow: Windows quietly handles the certificate decision behind the scenes, improving user experience and minimizing misconfiguration.

  4. Config → EAP → EAP Type → Server Validation → Disable User Prompt For Server Validation: If set to “true,” Windows won’t prompt end-users to confirm the RADIUS server’s certificate. This is recommended in managed environments.

  5. Config → EAP → EAP Type → Different Username: Controls whether you can specify a separate username for authentication (often left “false”).

  6. Config → EAP → EAP Type → Perform Server Validation: Usually set to “true” to ensure clients validate the RADIUS server certificate.

3. Configure the Root Certificate

If you want Windows endpoints to trust your RADIUS server certificate (and you’re using an internal CA or a CA not universally trusted), you must push a root certificate policy:

  1. Configure Security Root Certificate

    • Check the box or enable the toggle to add a root or intermediate CA certificate.

  2. Certificate Root Policy → Encoded Certificate

    • Paste in the base64-encoded certificate content. This ensures Windows devices trust the RADIUS server’s cert chain.

4. Set Up SCEP (If Using Client Certificates)

If your RADIUS configuration requires client/device certificates (EAP-TLS):

  1. Choose SCEP Service Provider

    • In your RADIUS Wi-Fi policy, you’ll see an option like SCEP Service Provider.

    • If you select a dedicated SCEP provider (e.g., SCEPMan) from the dropdown, you do not need to manually configure SCEP fields in a separate “Configure SCEP” section.

    • For instructions on using SCEPMan specifically, see How to Configure Swif.ai RADIUS Wi-Fi Policy Using SCEPMan.

  2. (Alternate) “Configure SCEP” Section

    • If you don’t see or don’t select a dedicated SCEP service provider, you can still use the Configure SCEP fields to manually provide CA URL, Challenge, Key Usage, etc.

    • Each Windows device will automatically request a client certificate for EAP-TLS upon policy application.

    • Parameters: Not all fields are mandatory; it depends on your SCEP server configuration and security requirements.

      • SCEP Name

        • A label to identify this SCEP configuration/policy.

        • Example: SCEP or CorpSCEPPolicy.

      • Retry Count

        • The maximum number of times the device will retry certificate enrollment if the SCEP server returns a “pending” status.

        • Example: If set to 3, the device attempts enrollment up to three additional times before failing.

      • Retry Delay

        • When the SCEP server issues a “pending” response, this value (in minutes) controls how long the device waits before retrying.

        • Example: 5 means the device waits 5 minutes between retries.

      • Key Usage

        • A decimal value representing the bit flags for certificate usage (e.g., 0x80, 0x20, or 0xA0 in hex).

        • Common bits include 0x20 (Key Encipherment) and 0x80 (Digital Signature).

        • If the value doesn’t include the necessary bits for your scenario, certificate issuance may fail.

        • Example: 128 decimal (which is 0x80 hex) corresponds to Digital Signature usage.

      • Key Length

        • The private key length (RSA).

        • Typical options: RSA - 2048, RSA - 4096, etc.

        • Higher key lengths can provide stronger security but may require more processing power.

      • Hash Algorithm

        • Specifies the hashing algorithm(s) used when generating or signing the certificate.

        • Possible values include SHA-1, SHA-2, or SHA-3. If multiple algorithms are allowed, they might be listed with a plus sign (e.g., SHA-1+SHA-2).

      • Subject Name

        • Defines the subject (distinguished name) in the certificate request.

        • For example, CN=DeviceCert or CN={DeviceName},O=YourOrg.

      • Subject Alternative Name

        • Specifies additional names or identifiers for the certificate. Multiple SANs can be separated by semicolons.

        • Each entry is a combination of a name format and the actual name (e.g., [email=]user@example.com;[dns=]device.local).

        • Refer to Microsoft documentation for the name format syntax (like email=, dns=, upn=).

      • Valid Period

        • The time unit for the certificate’s validity.

        • Acceptable values typically include Days (default), Months, or Years.

      • Valid Period Units

        • The numeric duration for the chosen valid period.

        • Example: If Valid Period = Years and Valid Period Units = 1, the certificate will be valid for 1 year (assuming the SCEP server permits that duration).

      • EKU Mapping (Extended Key Usage)

        • Specifies the extended key usage OIDs the certificate should contain.

        • List OIDs separated by a plus sign, e.g. 1.3.6.1.5.5.7.3.2+1.3.6.1.5.5.7.3.1.

        • Common EKU OIDs include 1.3.6.1.5.5.7.3.2 for client authentication, 1.3.6.1.5.5.7.3.1 for server authentication, etc.

      • Key Protection

        • Defines where/how the private key is protected.

        • For example, “Private key saved in software KSP” indicates it’s stored in a software-based Key Storage Provider.

        • On some systems, you can choose TPM-based key protection for higher security, but you may still need a PIN configuration.

      • Server URL

        • The URL(s) of the SCEP enrollment server.

        • You can often separate multiple URLs with a semicolon if you have redundant SCEP endpoints.

      • Challenge

        • A one-time password or “challenge” token required by some SCEP servers to authorize enrollment.

        • If your SCEP server is configured with a static challenge, enter it here.

      • CA Thumbprint

        • A 20-byte SHA1 hash of the root CA certificate, represented as a 40-character hexadecimal string.

        • When the device authenticates the SCEP server, it checks this thumbprint. If there’s no match, the enrollment fails.

Once configured, each Windows device will automatically request a client certificate via SCEP, then use that cert for RADIUS EAP-TLS.

5. Save and Deploy the Policy

  1. Review Your Settings

    • Double-check the SSID, authentication modes, EAP types, and any certificate info.

  2. Save

    • Click Create or Save to finalize.

  3. Assign to Devices

    • Assign the Windows RADIUS Policy to your desired groups or devices.

    • Devices typically sync the next time they check in or run a policy update.

6. Verify the Connection

  1. Check on a Test Device

    • After policy deployment, confirm the test Windows device automatically associates with the correct SSID.

  2. Monitor RADIUS Logs

    • On the RADIUS server, verify successful EAP handshakes.

  3. Validate Certificate Presence

    • If using SCEP, open certmgr.msc (for user certs) or the Local Machine store (for device certs) to see the newly issued certificate.

Troubleshooting

  • Device Won’t Connect

    • Ensure correct SSID and security type (WPA2-Enterprise or WPA3-Enterprise) are configured.

    • Verify the RADIUS server’s shared secret and the AP’s RADIUS settings match.

  • Certificate Errors

    • Check that the root or intermediate CA is installed on clients if you’ve enabled server validation.

    • If using SCEP for client certs, confirm the SCEP server is reachable, and the challenge is correct.

  • Authentication Prompt

    • If you set Perform Server Validation = “false,” Windows may prompt users to accept a certificate. Switch it to “true” (and disable user prompt) for a silent, managed experience.

Conclusion

By configuring these fields in a Windows RADIUS Policy, you can seamlessly push WPA2/WPA3-Enterprise Wi-Fi settings to enrolled Windows devices, manage certificate trust via root cert distribution, and optionally use SCEP for client certificates (EAP-TLS). This ensures a secure, automatic connection to your RADIUS-managed Wi-Fi network with minimal user intervention.

If you need assistance or encounter any issues, reach out to Swif.ai Support or your internal IT team. Once set up, your Windows endpoints will enjoy a streamlined, enterprise-grade wireless experience backed by the robust authentication of RADIUS.

Related Articles
[User-Guide] Windows Wifi Policy
Windows Application Blocking Policy
How to Configure Swif.ai RADIUS Wi-Fi Policy Using SCEPman as the SCEP Certificate Provider
Configuring a RADIUS Policy for macOS (with SCEP)
Configuring a Policy for Windows VPN with RADIUS + SCEP
Did this answer your question?