How to Configure Swif.ai RADIUS Wi-Fi Policy Using SCEPman as the SCEP Certificate Provider
Updated this week

This guide explains how to configure a Swif.ai RADIUS Wi-Fi policy using SCEPman as your SCEP certificate provider, including detailed steps to set up your Azure environment.


Prerequisites


Step-by-step guide to setting up an Azure app to authenticate with your SCEPman service.

Step 1: Set Up an Azure App Registration for SCEPman (if not already created)

If you've already created your Azure app for SCEPman, you can skip to Step 2.

Otherwise, follow these steps:

  1. Log in to Azure Portal.

  2. Navigate to App Registrations:

    • In the search bar, type App Registrations and click on it.

  3. Create a New App Registration:

    • Click New Registration.

      • Enter a meaningful name, e.g., SCEP-REST-API. This SCEP-REST-API app is used to authenticate with the Azure service and obtain a bearer token, which is then used when authenticating with the SCEPman CSR REST API.

    • Under "Who can use this application or access this API", select Accounts in this organizational directory only.

    • Leave the Redirect URI blank and click Register.

  4. Configure API Permissions:

    • In your newly created app, go to API permissions.

    • Click Add a permission.

    • Choose APIs my organization uses.

    • Search for SCEP-REST-API and select it.

    • Choose Application permissions and add required permissions (CSR.Request.Db).

    • Click Add permissions.

    • Click Grant admin consent for {{orgName}} for your tenant to confirm.

  5. Create Client Secret:

    • Still in the app, navigate to Certificates & secrets.

    • Click Add a secret.

    • Provide a description, e.g., SCEP-REST-API-Secret, and set an expiry (365 days recommended).

    • Click Add, and immediately copy and securely store the secret’s value, as it will only be shown once.

  6. Configure App Service Settings for SCEPMan

    1. Go to the Azure Portal and navigate to your Resource Group.

    2. Within the Resource Group, select the SCEPman-resource-group.

    3. Select the app-scepman-xxx resource (name may vary depending on your setup).

      • Note: Do not select the resource ending in -cm (such as app-scepman-xxx-cm). The -cm suffix corresponds to the Certificate Master. Instead, select the resource without the -cm suffix, such as app-scepman-xxx.

    4. Once the correct app service is selected, follow the steps mentioned in Step 2 of the SCEPMan documentation. You need to set 3 environment variables:

      1. name: AppConfig:DbCSRValidation:ReenrollmentAllowedCertificateTypes
        value: Static,DomainController,IntuneUser,IntuneDevice

    5. Next, click Configuration. Under Incoming client certificates, set Client certificate mode to ‘Optional’.

  7. Self Service Enrollment

    1. To double-check that the Self-Service App Role is available for the SCEPman-api app, follow the setup instructions in the SCEPman documentation: Self-Service Enrollment Setup. Newer versions of SCEPman set this up automatically.

    2. By default, the issued certificate is a user certificate (the email ID is used to issue the certificate).

  8. Configure SCEPMan Certificate Master

    1. Go to the Azure Portal and search for Enterprise Applications.

    2. Remove the filter for Application type == Enterprise Applications and search for SCEPman-CertMaster. Click on it.

    3. On the sidebar, select Manage > Users and Groups.

    4. Click on Add user/group.

    5. In the Users and groups section, select the appropriate users or groups (preferably admin users or groups).

    6. Under Select a role, click on Full Admin, then click Assign.

    Your Azure App Registration setup is now complete.


Step 2: Obtain Required SCEPman Keys from Azure

You now need to gather the keys from Azure:

1. Tenant ID

  • In Azure Portal, search for and open Microsoft Entra ID.

  • On the Overview page, copy your Tenant ID.

2. Client ID

  • Go to App Registrations > All Applications.

  • Select the Azure app you created in Step 1 > #3 (e.g., SCEP-REST-API).

  • From the app Overview page, copy the Application (client) ID.

3. Client Secret

  • You should already have copied this during app setup at Step 1 > #5.
    (If lost, create another one in Certificates & secrets.)

4. SCEPMan API's App ID URI

  • In the search bar, type App Registrations.

  • Click on All Applications.

  • Select the SCEPman-api app. Note: the SCEPman-api app is different from the SCEP-REST-API app. The SCEPman-api app is created automatically when you deploy the SCEPman Enterprise App Service in Azure (you don't have to create or manage it). It is used for database operations and other tasks related to the SCEPman Certificate Master service.

    The SCEP-REST-API app was created solely to authenticate with the Azure service and obtain a bearer token, which is used when authenticating with the SCEPman CSR REST API.

  • From the App Overview page, copy the Application ID URI.

5. SCEP App Service Default Domain

  • In Azure Portal, search for Resource Groups.

  • Select the relevant Resource Group SCEPman-resource-group for your SCEPman deployment at Step 1 > #6.

  • Locate your SCEPMan Resource (without -cm suffix, e.g., app-scepman-xxx).

  • Copy the Default Domain, such as app-scepman-xxx.azurewebsites.net.


Step 3: Configure the RADIUS Wi-Fi Policy in Swif.ai

Follow these steps in Swif.ai admin console:

  1. Create Policy

    1. Navigate to Device Management > Policies.

    2. Click Create new policy and select RADIUS Wi-Fi Configuration Policy for Windows.

    3. Give your policy a clear name and optional description.

  2. Wi-Fi Network Configuration

    1. Enter the SSID (case-sensitive).

    2. Enable Hidden Network if your SSID isn't broadcast.

    3. Set Auto-switch as desired.

  3. Trust the RADIUS Server (Root CA Certificate)

    1. Paste the Root CA certificate provided by your RADIUS provider into Swif’s Root Certificates or Validate Server Certificates field.

  4. SCEP Configuration (SCEPman)

Under SCEP Service Provider, select SCEPman, and enter the Azure details you gathered:

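| Swif.ai Field                   | Azure Information                                         |
|---------------------------------|-----------------------------------------------------------|
| Tenant ID                       | Tenant ID                                                 |
| Client ID                       | Application (client) ID                                   |
| Client Secret                   | Client secret value                                       |
| SCEPMan API App ID              | SCEPman API Application ID URI                            |
| SCEP App Service Default Domain | Default Domain (e.g., app-scepman-xxx.azurewebsites.net)  |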

Review all fields carefully.


Step 4: Deploy the RADIUS Wi-Fi Policy to Devices

  1. Verify and Save the Policy

    1. Double-check your settings for accuracy.

    2. Save the policy.

  2. Assign Policy

    1. Assign to target device groups or individual devices.

    2. Ensure devices are online to receive the policy.

  3. Automatic Device Enrollment

Devices receiving the policy will:

  • Install the Wi-Fi profile.

  • Trust the RADIUS server’s Root CA.

  • Automatically obtain a client certificate from SCEPman.

  • Connect seamlessly to the configured Wi-Fi network.


Troubleshooting Common Issues

  • Verify policy deployment:

    • The user certificate should be installed on the device (Windows search bar → type “manage user certificates” → Personal → Certificates → {{user certificate issued by SCEPman-Root-CA-V1}}).

    • The root certificate should be installed on the device (Windows search bar → type “manage user certificates” → Trusted Root Certification Authorities → Certificates → SCEPman-Root-CA-V1). Note: the root certificate may be named differently from SCEPman-Root-CA-V1, depending on your setup.

    • The Wi-Fi profile should be visible in Wi-Fi settings (Settings → Network & internet → Wi-Fi → Manage known networks).

  • Certificate Trust Errors:

    • Verify correct installation of the Root CA certificate on the devices.

  • SCEP Enrollment Failures:

    • Confirm the accuracy of all SCEPman details entered in Swif.ai.

    • Review Azure logs for permission or authentication errors.

  • Network Connection Issues:

    • Ensure SSID visibility and correctness in your policy settings.

    • Confirm devices can reach Azure and SCEPman services online.
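When SCEP enrollment fails on permissions, it helps to inspect the bearer token that the SCEP-REST-API app receives. The following is an added example, not Swif.ai or SCEPman code: it builds the standard Entra ID client-credentials token request from the Step 2 values and checks a token's claims for the CSR.Request.Db role, the tenant and expiry. The function names, the placeholder tenant ID and the unsigned sample tokens are constructed for illustration, and the `/.default` scope form is assumed from the standard client-credentials flow.

```python
import base64
import json
import time
from urllib.parse import urlencode

REQUIRED_ROLE = "CSR.Request.Db"  # application permission added in Step 1 > #4

def token_request(tenant_id, client_id, client_secret, app_id_uri):
    """Build (url, form body) for the Entra ID client-credentials token request."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": app_id_uri.rstrip("/") + "/.default",  # SCEPman-api App ID URI
    })
    return url, body

def jwt_claims(token):
    """Decode the JWT payload; the signature is NOT verified (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_token(token, tenant_id, now=None):
    """Return a list of claim problems; an empty list means the token looks usable."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append("token was issued by a different tenant")
    if REQUIRED_ROLE not in claims.get("roles", []):
        problems.append(f"{REQUIRED_ROLE} missing: permission or admin consent not granted")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems

def make_sample_token(claims):
    """Constructed, unsigned sample token so the checks run offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
GOOD = make_sample_token({"tid": TENANT, "roles": [REQUIRED_ROLE], "exp": 2_000_000_000})
NO_CONSENT = make_sample_token({"tid": TENANT, "exp": 2_000_000_000})

if __name__ == "__main__":
    print(check_token(GOOD, TENANT), check_token(NO_CONSENT, TENANT))
```

A token without a `roles` claim usually means the application permission was added but admin consent was never granted in Step 1 > #4.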


Additional Considerations

  • Regularly verify Azure app permissions and client secret expiration dates.

  • Monitor Azure logs to proactively manage potential connection or authentication issues.


Congratulations! Your Swif.ai RADIUS Wi-Fi policy is now successfully integrated with SCEPman as your SCEP certificate provider. Windows devices in your environment will securely authenticate via certificate-based Wi-Fi authentication.

For additional help, contact Swif Support.
