Onboard a Windows device to a Wi-Fi network with certificates
In this topic, you will learn how to onboard a Windows 10 computer to a Wi-Fi network managed by Portnox™ Cloud using certificates and the self-onboarding portal.
To onboard to a network using a certificate, you need to generate, download, and install the user/device certificate, and then configure your operating system to connect to the network using this certificate. You can configure your operating system semi-automatically using provisioning or manually.
If you already downloaded and installed the certificate for the same device, for example, to authenticate with another type of network, you don’t need to install the certificate again and you should skip the relevant steps.
Download and install the certificate
In this section, you will generate, download, and install the user certificate on your device.
- Enter the URL of the self-onboarding portal in your browser.
  To learn how to set up the self-onboarding portal and obtain the URL, see the following topic: Set up the self-onboarding portal.
- In Step 1, select the third option: CLEAR account certificate management and click on the Next button.
- In Step 2, you can select the Corporate email address option or the Corporate username and password option. Select the Corporate email address option if Portnox Cloud manages your user repository. Select the Corporate username and password option if you have integrated Cloud with an external repository. Proceed with the following steps depending on your choice.
- If you have chosen Corporate email address:
  Important: Only choose the Corporate email address option if Portnox Cloud manages your user repository. Cloud manages the user repository if it’s not integrated with any external repositories such as Microsoft Azure (Entra ID), Google Workspace, or Okta Workforce Identity.
- If you have chosen Corporate username and password:
- Click on the OBTAIN CERTIFICATE button to download the user certificate generated for your device.
  Note: If you want to replace a certificate you created earlier, for example, because the old one expires soon, click on the REISSUE CERTIFICATE button instead.
- Double-click on the downloaded certificate file (for example, kosh.p12) to install it:
Result: You downloaded and installed the certificate.
Configure the connection with provisioning
In this section, you will use the self-onboarding portal to generate a provisioning file that configures your network for you.
You only need to configure your network once, so if you do the steps in this section, you should skip the next section.
- Go back to Step 1 of the self-onboarding portal by clicking on the Back link.
- In Step 1, select the second option: CLEAR account activation and Device provisioning and click on the Next button.
Important: The Wi-Fi network in the group that the account belongs to must be configured for EAP-TLS authentication. For more information, see the following topic: Advanced network configuration.
- Follow the same steps as above to authenticate using your corporate email or corporate username and password.
- Click on the tile in the Wireless Enrollment Profile section that represents the Windows operating system to download the provisioning file ProfileInstaller.exe.
- Run the downloaded ProfileInstaller.exe file.
  Windows configures the network settings for the Wi-Fi network assigned to your Portnox Cloud group.
Result: Your Windows 10 computer is connected to a Wi-Fi network managed by Portnox Cloud.
Troubleshooting information: See the following topic: How to troubleshoot typical device onboarding issues.
Configure the connection manually
In this section, you will manually configure your network to use the installed certificate.
You only need to configure your network once, so if you did the steps in the previous section, you should skip this section.
- Open the Windows 10 Network and Sharing Center.
- Click on the Set up a new connection or network link.
- In the Set Up a Connection or Network window, select the Manually connect to a wireless network option and click on the Next button.
- In the Manually connect to a wireless network window, enter the name (SSID) of the network managed by Portnox Cloud in the Network name field and select the WPA2-Enterprise option in the Security type field. Then, click on the Next button.
- Click on the Change connection settings link.
- In the Wireless Network Properties window, click on the Security tab, in the Choose a network authentication method field, select Microsoft: Smart Card or other certificate, and click on the Settings button.
- In the Smart Card or other Certificate Properties window, select the Use a certificate on this computer option. Then, activate the Verify the server’s identity by validating the certificate checkbox. Finally, in the Trusted Root Certification Authorities list, find and activate the DigiCert Trusted Root G4 checkbox (the root CA certificate) and click on the OK button.
  Note: For extra security, we recommend that in addition to activating the DigiCert Trusted Root G4 certificate (the root CA certificate) on the Trusted Root Certification Authorities list, you also enter clear-rad.portnox.com in the Connect to these servers field. If you do, only certificates that have this domain name in Subject or SAN will be trusted. Do not activate this checkbox while leaving the field empty, because this will cause connectivity problems. To learn more about this option, read the following topic: Trusted certificate server names.
- Click on the OK button to close the Smart Card or other Certificate Properties window. Click again on the OK button to close the Wireless Network Properties window. Click on the Close button to close the Manually connect to a wireless network window.
  You can do this step later, after you have successfully connected to the network.
- In the Windows Notification Area (System Tray), click on the network icon to open the list of available Wi-Fi networks, and select the network configured in previous steps.
- Click on the Connect button.
Result: Your Windows 10 computer is connected to a Wi-Fi network managed by Portnox Cloud.
Troubleshooting information: See the following topic: How to troubleshoot typical device onboarding issues.
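
To confirm that the manual steps above produced a profile that validates the RADIUS server, you can export the profile with `netsh wlan export profile` and inspect its EAP-TLS settings. The following check is an added example, not part of the original documentation or Portnox tooling; the sample profile is constructed, and its SSID and CA thumbprint are placeholders.

```python
import xml.etree.ElementTree as ET

EXPECTED_SERVER = "clear-rad.portnox.com"  # server name from the note above

# Constructed sample in the shape of `netsh wlan export profile` output.
# The SSID and the CA thumbprint are placeholders, not real values.
SAMPLE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>EXAMPLE-SSID</name>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication>
      <encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>13</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
            <ServerValidation>
              <ServerNames>{names}</ServerNames>
              <TrustedRootCA>{ca}</TrustedRootCA>
            </ServerValidation>
          </EapType>
        </Eap>
      </Config></EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>"""
PLACEHOLDER_CA = "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"

def values(root, name):
    """Text of every element with this local name, ignoring XML namespaces."""
    return [(e.text or "").strip() for e in root.iter()
            if e.tag.rsplit("}", 1)[-1] == name]

def audit_profile(xml_text, expected=EXPECTED_SERVER):
    """Return findings; an empty list means root CA and server name are pinned."""
    root = ET.fromstring(xml_text)
    findings = []
    if "WPA2" not in values(root, "authentication"):
        findings.append("security type is not WPA2-Enterprise")
    if "13" not in values(root, "Type"):
        findings.append("EAP method is not EAP-TLS (type 13)")
    if not any(values(root, "TrustedRootCA")):
        findings.append("no trusted root CA selected")
    names = [n.strip().lower() for v in values(root, "ServerNames")
             for n in v.split(";") if n.strip()]
    if not names:
        findings.append("server name not restricted")
    elif names != [expected]:
        findings.append(f"unexpected server names: {names}")
    return findings
```

Pass the text of an exported profile file to `audit_profile`; a "server name not restricted" finding means the profile trusts the root CA but was saved without the recommended Connect to these servers entry.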