This guide covers the Aruba Central NAC configuration for EAP-TLS certificate-based Wi-Fi authentication with Microsoft Intune as the UEM - NAC identity store, roles, authorization policies, SSID, and SCEP setup.
Endpoint (Intune-managed - Windows / macOS / iOS)
│
│ SCEP certificate issued by Central NAC CA
▼
Aruba AP (802.1X EAP-TLS)
│
│ RADIUS authentication
▼
Aruba Central NAC
│
│ Compliance check via OAuth2
▼
Microsoft Intune / Entra ID
│
▼
Network access granted (role assigned by NAC policy)
Note
This guide covers Central NAC configuration only. For Microsoft Intune profiles and device enrollment, see microsoft-intune / eap-tls.
Important
Complete the prerequisites before starting this guide. The Entra ID App Registration (Tenant ID, Client ID, Client Secret) is required to configure the Aruba Central Intune extension and the NAC OAuth identity store. → microsoft-intune / prerequisites
- Active HPE GreenLake workspace with Aruba Central deployed
- Microsoft Entra ID App Registration configured - see microsoft-intune / prerequisites
- Active Microsoft Intune license
- Custom DNS domain verified in Entra ID
- Aruba APs managed in Aruba Central
| Component | Role |
|---|---|
| Aruba Central NAC | RADIUS server + NAC policy engine |
| Microsoft Intune | UEM - certificate and Wi-Fi profile management |
| Microsoft Entra ID | Identity directory + OAuth2 App Registration |
| SCEP | Client certificate distribution protocol |
| EAP-TLS | 802.1X certificate-based authentication method |
Part 1 - Aruba Central - Intune Extension
1.1 Install the Microsoft Intune extension
Navigate to:
Aruba Central → Extensions → Available Extensions → Microsoft Intune → Install
1.2 Configure the Intune extension
Enter the App Registration credentials from the prerequisites:
| Field | Value |
|---|---|
| Tenant ID | From Entra ID overview |
| Client ID | Application (client) ID |
| Client Secret | Value from prerequisites step 0.4 |
Part 2 - Aruba Central NAC Configuration
2.1 Configure OAuth Identity Store
Navigate to:
Central NAC → Configuration → Identity Management → Identity Stores → Create
Configure the OAuth redirect URI in the Entra ID enterprise app.
Validate the OAuth token in Central NAC.
Navigate to:
Central NAC → Configuration → Roles → Create Role
2.3 Configure global NAC policy
Navigate to:
Central NAC → Configuration → Policies → Global Policy
2.4 Create 802.1X SSID profile
Navigate to:
Aruba Central → Configuration → WLANs → Create SSID
Configure the SSID with WPA3-Enterprise / 802.1X.
2.5 Create authorization policy
Navigate to:
Central NAC → Configuration → Authorization Policies → Create
2.6 Create EAP-TLS authentication profile
Navigate to:
Central NAC → Configuration → Authentication Profiles → Create Profile
Configure with EAP-TLS and the Intune Identity Store.
2.7 Verify Intune UEM connection
The Intune connection must show green status in Central NAC.
2.8 Retrieve SCEP URL and root CA certificate
Navigate to:
Central NAC → Configuration → SCEP
Download the root CA certificate - required for the Trusted Certificate profile in Intune.
Note
Keep both the SCEP URL and the root CA certificate - they are required in microsoft-intune / eap-tls for each platform guide.
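A sanity check for the root CA file from step 2.8 before it goes into the Intune Trusted Certificate profile, as an added example that is not part of the original guide. The function names `check_root_ca` and `make_constructed_cert` and all file names are hypothetical, and the sample certificate is a throwaway built with `openssl`, not a real Central NAC CA; the downloaded file is assumed to be PEM.

```shell
#!/bin/sh
# check_root_ca FILE: confirm the file is a usable root CA before trusting it.
check_root_ca() {
  cert="$1"
  openssl x509 -in "$cert" -noout 2>/dev/null ||
    { echo "FAIL: not a PEM X.509 certificate" >&2; return 1; }
  subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
  [ "$subj" = "$iss" ] ||
    { echo "FAIL: subject and issuer differ, not a root" >&2; return 1; }
  openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' ||
    { echo "FAIL: basicConstraints is not CA:TRUE" >&2; return 1; }
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
    { echo "FAIL: expires within 30 days" >&2; return 1; }
  # Fingerprint to record, so the file uploaded to Intune can be matched later.
  openssl x509 -in "$cert" -noout -fingerprint -sha256
}

# make_constructed_cert OUT TRUE|FALSE: self-signed test certificate
# (constructed sample standing in for the file downloaded in step 2.8).
make_constructed_cert() {
  d=$(mktemp -d)
  cat > "$d/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = Constructed NAC Root CA
[ext]
basicConstraints = critical,CA:$2
EOF
  rc=0
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$d/req.cnf" \
    -keyout "$d/key.pem" -out "$1" 2>/dev/null || rc=$?
  rm -rf "$d"
  return "$rc"
}

# Stand-alone run against a constructed CA; prints its SHA-256 fingerprint.
work=$(mktemp -d)
make_constructed_cert "$work/root-ca.pem" TRUE
check_root_ca "$work/root-ca.pem"
rm -rf "$work"
```

On a real deployment, call `check_root_ca` with the path of the downloaded certificate instead of the constructed one.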
Navigate to:
Central NAC → Monitoring → Clients
Authenticated clients should appear with their assigned NAC role.
Windows
macOS
iOS/iPadOS
For each platform, the client detail should show:
| Field | Expected value |
|---|---|
| Status | Accepted |
| Authentication Type | EAP-TLS (Certificate) |
| Certificate Status | Valid |
| Identity Store | Luconik_EntraID |
| Assigned Role | per authorization policy |
Sources
hpe-aruba-guides/central-nac-intune at main · Luconik/hpe-aruba-guides
------------------------------
Nicolas Culetto
Channel SE HPE Aruba Networking
France
------------------------------