This guide walks you through creating a policy that installs a VPN profile on Windows devices, authenticates via RADIUS, and leverages SCEP certificates. Once deployed, enrolled devices will automatically receive the policy and be able to establish a secure, certificate-based VPN connection.
1. Prerequisites
RADIUS Server Setup
You must have a functioning RADIUS server (e.g., NPS on Windows Server, or another RADIUS solution) that is configured to accept EAP certificate authentication from clients.
Ensure that the RADIUS server’s root and intermediate certificates (if any) are installed or known, so the clients can trust the server certificate.
SCEP Configuration
A working SCEP service (e.g., SCEPMan or another provider) must be accessible to enrolled devices.
You’ll need the SCEP server URL, any challenge/secret required, the CA thumbprint, key usage, hash algorithm, and any additional SCEP parameters.
Windows Devices
Supported: Windows 10 or newer (including Enterprise, Education, and IoT variants, depending on your environment’s requirements).
Devices should be enrolled in Swif.ai or your chosen management platform so they can receive policies.
XML-based VPN Profile
For now, Swif.ai requires a valid XML snippet that defines the Windows VPN configuration (e.g. an IKEv2 profile). A future release will offer field-by-field configuration.
If you aren’t familiar with Microsoft’s VPNProfile XML schema, see Microsoft’s VPNv2 Profile documentation for detailed XML references.
2. Creating the Windows RADIUS Policy
Go to Device Management → Policy
In your Swif.ai dashboard, select Policy and click Create New Policy.
Enable Windows RADIUS Policy
Select Windows RADIUS Policy in the policy type
Name and Describe the Policy
Under Basic Configurations, enter a Policy Name, such as:
Windows VPN Policy (RADIUS + SCEP)
Add a brief Policy Description, e.g.
Deploys a Windows VPN profile using RADIUS for authentication, with certificates issued by SCEP.
Configure the Root Certificate
If you want Windows endpoints to trust your RADIUS server certificate (and you’re using an internal CA or a CA not universally trusted), you must push a root certificate policy:
Set Up SCEP (If Using Client Certificates)
If your RADIUS configuration requires client/device certificates (EAP-TLS):
Choose SCEP Service Provider
In your RADIUS Wi-Fi policy, you’ll see an option like SCEP Service Provider.
If you select a dedicated SCEP provider (e.g., SCEPMan) from the dropdown, you do not need to manually configure SCEP fields in a separate “Configure SCEP” section.
For instructions on using SCEPMan specifically, see How to Configure Swif.ai RADIUS Wi-Fi Policy Using SCEPMan.
(Alternate) “Configure SCEP” Section
If you don’t see or don’t select a dedicated SCEP service provider, you can still use the Configure SCEP fields to manually provide CA URL, Challenge, Key Usage, etc.
Each Windows device will automatically request a client certificate for EAP-TLS upon policy application.
Parameters: Not all fields are mandatory; it depends on your SCEP server configuration and security requirements.
SCEP Name
A label to identify this SCEP configuration/policy.
Example: SCEP or CorpSCEPPolicy.
Retry Count
The maximum number of times the device will retry certificate enrollment if the SCEP server returns a “pending” status.
Example: If set to 3, the device attempts enrollment up to three additional times before failing.
Retry Delay
When the SCEP server issues a “pending” response, this value (in minutes) controls how long the device waits before retrying.
Example: 5 means the device waits 5 minutes between retries.
Key Usage
A decimal value representing the bit flags for certificate usage (e.g., 0x80, 0x20, or 0xA0 in hex). Common bits include 0x20 (Key Encipherment) and 0x80 (Digital Signature).
If the value doesn’t include the necessary bits for your scenario, certificate issuance may fail.
Example: 128 decimal (which is 0x80 hex) corresponds to Digital Signature usage.
Key Length
The private key length (RSA).
Typical options: RSA - 2048, RSA - 4096, etc.
Higher key lengths can provide stronger security but may require more processing power.
Hash Algorithm
Specifies the hashing algorithm(s) used when generating or signing the certificate.
Possible values include SHA-1, SHA-2, or SHA-3. If multiple algorithms are allowed, they might be listed with a plus sign (e.g., SHA-1+SHA-2).
Subject Name
Defines the subject (distinguished name) in the certificate request.
For example, CN=DeviceCert or CN={DeviceName},O=YourOrg.
Subject Alternative Name
Specifies additional names or identifiers for the certificate. Multiple SANs can be separated by semicolons.
Each entry is a combination of a name format and the actual name (e.g., [email=]user@example.com;[dns=]device.local). Refer to Microsoft documentation for the name format syntax (like email=, dns=, upn=).
Valid Period
The time unit for the certificate’s validity.
Acceptable values typically include Days (default), Months, or Years.
Valid Period Units
The numeric duration for the chosen valid period.
Example: If Valid Period = Years and Valid Period Units = 1, the certificate will be valid for 1 year (assuming the SCEP server permits that duration).
EKU Mapping (Extended Key Usage)
Specifies the extended key usage OIDs the certificate should contain.
List OIDs separated by a plus sign, e.g. 1.3.6.1.5.5.7.3.2+1.3.6.1.5.5.7.3.1.
Common EKU OIDs include 1.3.6.1.5.5.7.3.2 for client authentication, 1.3.6.1.5.5.7.3.1 for server authentication, etc.
Key Protection
Defines where/how the private key is protected.
For example, “Private key saved in software KSP” indicates it’s stored in a software-based Key Storage Provider.
On some systems, you can choose TPM-based key protection for higher security, but you may still need a PIN configuration.
Server URL
The URL(s) of the SCEP enrollment server.
You can often separate multiple URLs with a semicolon if you have redundant SCEP endpoints.
Challenge
A one-time password or “challenge” token required by some SCEP servers to authorize enrollment.
If your SCEP server is configured with a static challenge, enter it here.
CA Thumbprint
A 20-byte SHA1 hash of the root CA certificate, represented as a 40-character hexadecimal string.
When the device authenticates the SCEP server, it checks this thumbprint. If there’s no match, the enrollment fails.
Once configured, each Windows device will automatically request a client certificate via SCEP, then use that cert for RADIUS EAP-TLS.
Configure VPN
Check Configure VPN and supply the following:
VPN/Profile Name: A friendly name shown in Windows, e.g. MyCorporateVPN.
VPN/Profile XML: Paste the XML snippet that defines your VPN profile. This is where you specify the connection type (IKEv2, SSTP, etc.), EAP settings, and certificate-based authentication.
Below is a minimal example (using IKEv2 and a user certificate from SCEP). Adjust details to match your environment:
  <VPNProfile>
    <NativeProfile>
      <Servers>vpn.contoso.com</Servers>
      <NativeProtocolType>IKEv2</NativeProtocolType>
      <Authentication>
        <AuthenticationMethod>MachineCertificate</AuthenticationMethod>
      </Authentication>
      <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    </NativeProfile>
    <ProfileName>MyCorporateVPN</ProfileName>
    <RememberCredentials>true</RememberCredentials>
    <AlwaysOn>true</AlwaysOn>
    <DeviceTunnel>false</DeviceTunnel>
    <RegisterDNS>true</RegisterDNS>
    <DnsSuffix>contoso.com</DnsSuffix>
  </VPNProfile>
Servers: Replace with your actual VPN gateway or RADIUS endpoint.
AuthenticationMethod: Use MachineCertificate or Eap if you’re referencing EAP-based cert auth.
ProfileName: This should match the “VPN Profile Name” or be descriptive of your environment.
Other Tags: Configure according to your networking needs (DNS suffix, split vs. force tunneling, etc.).
For advanced EAP configurations, you may need an <EapConfig> XML block referencing EAP-TLS. See Microsoft’s VPNv2 CSP docs for examples.
Save & Deploy the Policy
Click Continue (or Review) and then Save to finalize.
Assign this policy to your desired device group(s).
Once deployed, Windows devices in that group will automatically install the new VPN profile and request a certificate from the SCEP server.
3. Verification & Testing
Check Certificate Enrollment
On a target Windows device, open Certificate Manager (certmgr.msc) and confirm that a certificate from your SCEP CA is present under Personal > Certificates.
Test the VPN Connection
Open Settings > Network & Internet > VPN on the Windows device.
You should see the newly created VPN profile (e.g., “MyCorporateVPN”).
Click Connect. If everything is correct, the VPN should authenticate using the SCEP-issued certificate, contacting your RADIUS server for validation.
RADIUS Server Logs
Check your RADIUS logs for a successful EAP-TLS or IKEv2 auth.
If the connection fails, confirm that the RADIUS server trusts the same root CA that signed the clients’ certificates.
Connectivity
Once connected, verify you can access internal resources as expected.
If you enabled split tunneling, ensure only relevant traffic goes over the VPN, while other traffic still uses the local internet connection.
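To automate the checks in this section on an enrolled device, here is an added PowerShell script (example code, not part of Swif.ai or this guide). It assumes the CA thumbprint you entered in the SCEP policy and the VPN/Profile Name from the policy; the function name and placeholder values are this example's own.

```powershell
# Added example (not Swif.ai code): confirms a SCEP-issued certificate chaining
# to the policy's CA is usable for EAP-TLS and that the VPN profile was installed.
function Test-ScepVpnReadiness {
    param(
        [Parameter(Mandatory)][string]$CaThumbprint,   # 40-hex SHA-1 thumbprint from the SCEP "CA Thumbprint" field
        [Parameter(Mandatory)][string]$ProfileName     # "VPN/Profile Name" from the policy
    )
    $ca = ($CaThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($ca.Length -ne 40) { throw "CA thumbprint must be 40 hex characters, got $($ca.Length)" }
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU that RADIUS EAP-TLS expects on the client cert

    # User-certificate policies enroll into CurrentUser\My; device certificates used
    # for MachineCertificate authentication live in LocalMachine\My, so check both.
    $usable = foreach ($cert in (Get-ChildItem Cert:\LocalMachine\My, Cert:\CurrentUser\My)) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only; CRL reachability is a separate test
        [void]$chain.Build($cert)
        $chainThumbs = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }
        $kuExt  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasDigitalSignature = $kuExt -and $kuExt.KeyUsages.HasFlag(
            [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)
        $ekuOids = if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
        if (($chainThumbs -contains $ca) -and $cert.HasPrivateKey -and $hasDigitalSignature -and
            ($ekuOids -contains $clientAuthOid) -and ($cert.NotAfter -gt (Get-Date))) { $cert }
    }

    # The profile may be per-user or all-users depending on how it was provisioned.
    $vpn = Get-VpnConnection -Name $ProfileName -ErrorAction SilentlyContinue
    if (-not $vpn) { $vpn = Get-VpnConnection -Name $ProfileName -AllUserConnection -ErrorAction SilentlyContinue }

    [pscustomobject]@{
        UsableClientCerts     = @($usable).Count
        ClientCertThumbprints = @($usable | ForEach-Object { $_.Thumbprint })
        ProfileFound          = [bool]$vpn
        TunnelType            = $vpn.TunnelType
        AuthenticationMethod  = $vpn.AuthenticationMethod
        ConnectionStatus      = $vpn.ConnectionStatus
    }
}

# Example call (replace the placeholder with the real CA thumbprint from your SCEP policy):
# Test-ScepVpnReadiness -CaThumbprint '<40-hex CA thumbprint>' -ProfileName 'MyCorporateVPN'
```

A result with UsableClientCerts of 0 but ProfileFound of True points at the SCEP side (thumbprint, challenge, key usage or EKU), while a missing profile points at policy assignment or the XML.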
4. Troubleshooting
Certificate Not Issued
Verify your SCEP configuration: the server URL, challenge (if needed), and CA thumbprint.
Make sure your firewall allows the device to reach the SCEP endpoint.
VPN Connection Fails
Check that the VPN gateway domain (vpn.contoso.com in the example) is correct.
Ensure your RADIUS server is correctly configured for EAP certificate authentication.
Confirm the root or intermediate CA for the RADIUS server is installed on the client (and vice versa).
XML Errors
If you encounter an error uploading the XML, confirm that it is valid XML and complies with Microsoft’s VPNv2 schema.
Missing or incorrect tags (such as <NativeProfile>, <Authentication>, or <EapConfig>) can break the profile.
5. What’s Next
Future Field-by-Field Configuration: In an upcoming release, you will be able to configure most VPN fields (servers, protocols, authentication settings) directly within the UI without needing to paste XML.
Additional SCEP Options: Depending on your SCEP provider, advanced settings (like subject alternative names or extended key usages) may be required. Keep these in sync with your RADIUS server’s certificate validation.
Contact Support: If you have questions or run into issues, reach out via Swif.ai Support or consult your organization’s IT team.
By following these steps, you’ll deliver a fully functional Windows VPN configuration, backed by certificate-based authentication through RADIUS and SCEP. This approach streamlines secure remote access, reduces password overhead, and enforces strong, certificate-driven security across your device fleet.