The Challenge
When a professional sports team began planning its new stadium office building, IT leadership made an early architectural decision: the new facility would launch with certificate-based Wi-Fi authentication from day one, rather than repeating the password-based model used in the previous environment.
That decision immediately introduced a set of execution challenges tied to speed, complexity, and infrastructure constraints:
- On-prem CA avoidance: The CIO wanted to avoid deploying and maintaining an on-premises certificate authority, making cloud-based authentication a must.
- Dual-MDM complexity: Windows devices ran on Intune, and Mac devices ran on JumpCloud. Any PKI solution needed to support both platforms without forcing a consolidation effort.
- Quarantine enforcement: The network team required strict access segmentation. To meet tight cybersecurity requirements, devices without valid certificates needed to be placed automatically into a quarantine VLAN with internet-only access, cut off from internal resources.
The Solution
Following the initial discovery call, the team hired SecureW2 to implement a cloud PKI solution that would support certificate-based Wi-Fi for the new stadium office building. A proof of concept was completed within three days using the JoinNow Dynamic PKI.
The configuration included integration with Microsoft Intune to support Windows device certificate enrollment through intermediate CAs, certificate templates, and SCEP profiles. Windows certificate deployment functioned as expected from the start, with devices automatically receiving certificates for EAP-TLS authentication.
The existing network infrastructure, which included Aruba ClearPass, remained in place to validate certificates against the SecureW2 certificate chain for Wi-Fi access. This allowed certificate-based authentication to operate within the current RADIUS environment without requiring changes to the wireless core.
For Mac devices managed through JumpCloud, certificate deployment required a custom configuration approach due to limitations in native WPA2-Enterprise certificate support. A follow-up session established a repeatable process for distributing certificates to Mac endpoints through JumpCloud.
Across both device platforms, SecureW2 provided a unified cloud PKI layer to issue and manage certificates for Wi-Fi authentication. Devices without valid certificates were routed into a quarantine VLAN with internet-only access, ensuring enforcement of network access policies based on identity and certificate status.
The Results
- No on-premises CA: Cloud-based Dynamic PKI eliminated the need to build and maintain an internal certificate authority
- Dual-MDM support: Intune (Windows) and JumpCloud (Mac) both deliver certificates from the same PKI platform
- ClearPass integration: Existing RADIUS infrastructure stayed in place with SecureW2 providing the PKI layer
- Quarantine VLAN enforcement: Devices without valid certificates route to an internet-only VLAN with no internal resource access
With the new building operational and certificate-based Wi-Fi running across both MDMs, the franchise plans to migrate from ClearPass to SecureW2 Cloud RADIUS. That migration will consolidate certificate issuance and authentication under one vendor, reducing the number of systems the network team manages while adding real-time identity verification at every connection.