Body
The BakerDist SSID uses certificate-based authentication to grant users access without needing to enter user credentials. If a user fails to connect, they either do not have a valid certificate assigned to them, or they are failing to pass the access rules set in Meraki Access Manager. In very rare circumstances, the connection could fail due to Access Manager being unreachable, but this would affect ALL users.
When a user communicates a connection failure, these are the things to check:
Does the user have the managed BakerDist Wi-Fi profile?
Check the known Wi-Fi networks on the user's device. If the user is trying to connect without a company policy Wi-Fi configuration present, they likely are missing the needed device/user certificates.
Does the user have valid certificates?
Certificates are assigned to users that are logged into an Intune-managed device. There are 4 total certificates that need to be on the user's machine, 3 of which will be assigned to all devices, and the fourth being assigned directly to the user that is currently logged in. Here is how to check if they are assigned:
- Remote in to the user's computer
- Press Win + R, run certmgr.msc
- Check the 'Personal' certificate store and verify the user certificate is present. The 'Issued To' field should match their email address.
- If the user certificate is not present, check both the 'Trusted Root Certification Authorities' store and the 'Intermediate Certification Authorities' store. The Trusted Root store should have device certificates 'Issued To' bakerdist.com and IdenTrust Commercial Root CA 1. The Intermediate store should have a device certificate issued to Baker Distributing Intermediate CA.
If any certificate is not in their respective certificate stores, find the device in Intune and run a manual sync. The configuration policies will be deployed in a set order, so depending on what is missing from the steps described above, it may take a while to receive them all. For reference, the deployment order is:
1. bakerdist.com and IdenTrust Commercial Root CA 1
2. Baker Distributing Intermediate CA
3. User SCEP CA (User certificate)
4. BakerDist Wi-Fi profile
Each configuration push down this chain will remain as a pending change until the previous step is reported as successful. If the Intune sync stalls or does not push any changes within a few minutes, restart the user's computer and start a new sync.
Once the device has all of the certificates and the Wi-Fi profile, test the connection to the BakerDist SSID. If it is still failing, escalate the issue to Infrastructure for further investigation.