EAP-TLS with Microsoft Entra ID is EntryPoint’s certificate-based 802.1X variant for managed corporate fleets. The client device presents a certificate on the supplicant; EntryPoint validates the chain against the Trusted CAs uploaded to the Context and, crucially, matches the certificate’s bearer to a Microsoft Entra ID group you mapped to an EntryPoint Group. No password is ever typed or stored. Membership in the right Entra group is the entire authorization decision. It is designed for Organizations whose identity source is already Microsoft 365 / Entra ID and whose user or device posture is managed by Intune. The hero deployment shape is: employees on corporate laptops with MDM-enrolled user certificates, plus unattended kiosks and factory workstations on device certificates. Both types map to Entra groups you already maintain as part of your identity lifecycle.

The core idea — Groups mirror Entra groups

EntryPoint has a Group concept; Microsoft Entra has a group concept. The EAP-TLS-with-Entra variant ties the two together at authentication time:
  • One EntryPoint Group mirrors one Entra group. When you create the Group in the admin UI, the form asks you to pick an Entra group. The Entra group ID is stored on the EntryPoint Group (in its Dot1x settings).
  • Cert-bearer ↔ Entra user lookup. On authentication, EntryPoint validates the certificate chain, reads the user or device identifier from the cert, asks the Entra Graph API which groups that principal belongs to, and matches against the EntryPoint Group’s stored Entra group ID.
  • Per-Group Attribute Profile drives the RADIUS response. Every member of the Entra group inherits the Group’s VLAN / Security Group Tag via its Attribute Profile.
  • Entra is the source of truth. Add a user to the Entra group — they can authenticate to this Wi-Fi Group. Remove them from the Entra group — they can’t, starting on the next auth after the Graph API propagates the change.
You maintain the roster once, in Entra. EntryPoint follows.

Two Group types for two audiences

EAP-TLS in EntryPoint distinguishes two Group types, picked at Group creation:
| Group type | Certificate identifies | Hero use case |
|---|---|---|
| 802.1X-TLS with User Certificate | The user (certificate subject names a person) | Employees on managed laptops where MDM enrolls a per-user cert signed by your corporate PKI. The same user’s cert can ride on their laptop and their tablet. |
| 802.1X-TLS with Device Certificate | The device (certificate names a device, not a user) | Unattended equipment (kiosks, factory workstations, building-automation panels), plus a built-in MAB Device List fallback for headless gear (printers, phones) on the same SSID or switchport. |
Typical Groups under each type:
  • User-cert Groups (mapped to Entra user groups): Corporate Staff, Finance, Engineering.
  • Device-cert Groups (mapped to Entra device groups): Managed Laptops, Reception Kiosks, Factory Workstations.
A single Context hosts both Group types side-by-side; the method choice lives on each Group.

Device Compliance Check — Intune posture at the RADIUS layer

When the Context’s Identity Store is Microsoft Entra ID, a single checkbox on the Identity Store configuration — Enable Device Compliance Check — turns the RADIUS service into a posture-gated enforcement point. With it on:
  • EAP-TLS device-certificate Groups reject devices whose Entra record says the device is not compliant (typically determined by Intune’s own compliance policy).
  • EAP-TLS user-certificate Groups reject when the user+device pair isn’t cleared by Entra.
Net result: the certificate chain proves the device / user is registered, and the compliance check proves the device is healthy. Both are checked on every authentication. The compliance-check feature is specifically a Microsoft Entra / Intune integration — the signal is Entra’s isCompliant-style attribute, read via the Graph API on each auth. See Device certificates and Intune.
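The authorization flow described under "The core idea" and the posture gate described in this section can be traced end to end with a small simulation. The following is an added example, not EntryPoint's code: the certificate is modelled as a record (full X.509 path validation is replaced by a stub), Microsoft Graph is an in-memory fake that mimics the shape of `memberOf` responses and the `isCompliant` property of a device resource, and the Entra group IDs, CA name, principals and device IDs are all constructed placeholders. The way a user-cert Group resolves the device for the compliance check (a `device_id` passed alongside the certificate) is an assumption, as is the name of the SGT attribute in the response.

```python
"""Simulated EAP-TLS + Entra authorization decision (added example, not EntryPoint code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Graph's memberOf returns groups *and* directoryRoles; only groups count as Entra group membership
GRAPH_GROUP_TYPE = "#microsoft.graph.group"


@dataclass
class Cert:
    subject: str                # UPN for a user cert, Entra device ID for a device cert (assumed mapping)
    issuer: str                 # issuing CA name, matched against the Context's Trusted CAs
    chain_valid: bool = True    # stand-in for full X.509 path validation


@dataclass
class EntryPointGroup:
    name: str
    kind: str                   # "user" or "device", the two Group types
    entra_group_id: str         # Entra group Object ID stored on the Group
    vlan: int                   # from the Group's Attribute Profile
    sgt: Optional[int] = None   # optional Security Group Tag from the same profile


class FakeGraph:
    """Constructed in-memory stand-in for the two Graph lookups the page describes."""

    def __init__(self, member_of: Dict[str, List[dict]], devices: Dict[str, dict]):
        self._member_of = member_of   # principal -> list of directoryObject dicts
        self._devices = devices       # device ID -> device resource

    def member_of(self, principal: str) -> List[dict]:
        return self._member_of.get(principal, [])

    def device(self, device_id: str) -> Optional[dict]:
        return self._devices.get(device_id)


def group_ids(objects: List[dict]) -> set:
    """Extract only real group Object IDs from a memberOf response."""
    return {o["id"] for o in objects if o.get("@odata.type") == GRAPH_GROUP_TYPE}


def authorize(cert, group, trusted_cas, graph, compliance_check=False, device_id=None):
    """Return ("Access-Accept", attrs) or ("Access-Reject", reason)."""
    # 1. The chain must terminate in a Trusted CA uploaded to the Context
    if not cert.chain_valid or cert.issuer not in trusted_cas:
        return "Access-Reject", "certificate chain not trusted"
    # 2. The cert bearer must be a member of the Entra group mirrored by this Group
    if group.entra_group_id not in group_ids(graph.member_of(cert.subject)):
        return "Access-Reject", f"{cert.subject} not in Entra group {group.entra_group_id}"
    # 3. Optional Intune posture gate: the device record must say isCompliant
    if compliance_check:
        dev_id = cert.subject if group.kind == "device" else device_id
        dev = graph.device(dev_id) if dev_id else None
        if not dev or not dev.get("isCompliant"):
            return "Access-Reject", f"device {dev_id!r} is not compliant"
    # 4. Attribute Profile -> RADIUS response (RFC 2868 tunnel attributes carry the VLAN)
    attrs = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
             "Tunnel-Private-Group-Id": str(group.vlan)}
    if group.sgt is not None:
        attrs["Security-Group-Tag"] = group.sgt   # vendor-specific encoding omitted (assumption)
    return "Access-Accept", attrs


# Constructed sample data: one user-cert Group, one device-cert Group, one trusted issuer
TRUSTED_CAS = {"Corp Issuing CA 01"}
GROUP_FINANCE = EntryPointGroup("Finance", "user", "11111111-aaaa-4bbb-8ccc-000000000001", 120, 5)
GROUP_KIOSKS = EntryPointGroup("Reception Kiosks", "device", "22222222-aaaa-4bbb-8ccc-000000000002", 200)

GRAPH = FakeGraph(
    member_of={
        "alice@example.com": [
            {"@odata.type": GRAPH_GROUP_TYPE, "id": GROUP_FINANCE.entra_group_id},
            # a directoryRole that happens to carry the kiosk group's ID must NOT count as membership
            {"@odata.type": "#microsoft.graph.directoryRole", "id": GROUP_KIOSKS.entra_group_id},
        ],
        "kiosk-01-device-id": [{"@odata.type": GRAPH_GROUP_TYPE, "id": GROUP_KIOSKS.entra_group_id}],
        "kiosk-02-device-id": [{"@odata.type": GRAPH_GROUP_TYPE, "id": GROUP_KIOSKS.entra_group_id}],
    },
    devices={"kiosk-01-device-id": {"isCompliant": True},
             "kiosk-02-device-id": {"isCompliant": False}},
)

if __name__ == "__main__":
    ca = "Corp Issuing CA 01"
    print(authorize(Cert("alice@example.com", ca), GROUP_FINANCE, TRUSTED_CAS, GRAPH))
    print(authorize(Cert("alice@example.com", "Rogue CA"), GROUP_FINANCE, TRUSTED_CAS, GRAPH))
    print(authorize(Cert("kiosk-02-device-id", ca), GROUP_KIOSKS, TRUSTED_CAS, GRAPH, compliance_check=True))
```

Running the block shows the three outcomes worth checking in a real deployment: a trusted cert whose bearer is in the mirrored group gets the VLAN from the Attribute Profile; a cert from an issuer not in the Context's Trusted CAs is rejected before any Graph call is made; and with the compliance check on, a device-cert whose Entra record is not compliant is rejected even though its group membership is correct. Note that membership is evaluated on every authentication, so a removal in Entra takes effect on the next auth after Graph reflects it, exactly as the page states.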

Who operates EAP-TLS with Entra

Only Organization administrators. Unlike the PEAP variant, EAP-TLS Groups have no Self-Service portal — there’s nothing for an end-user to self-serve (no password, no personal account, no device to enroll themselves). Lifecycle stays in Entra. The admin-side work is bounded:
  1. Connect the Context to Entra — Entra connection.
  2. Upload the Trusted CAs your certificates chain to — Trusted certificates.
  3. Create one EntryPoint Group per Entra group that should have access. Pick the right type (user-cert vs device-cert).
  4. Attach the right Attribute Profile to each Group for VLAN / SGT assignment.
  5. Set up MAB devices inside Device-Cert Groups where needed.
After that, all membership changes happen in Entra.

What EAP-TLS-with-Entra is NOT

  • Not a certificate authority. EntryPoint validates certificates. It doesn’t issue them. Your corporate PKI (AD CS, SCEP, Intune cert-connector, a commercial CA) handles issuance; EntryPoint needs only the CA chain uploaded to the Context.
  • Not for audiences without Entra. If your user population isn’t in Entra, the per-firm EAP-PEAP variant is a better fit — local Personal PEAP Accounts, Self-Service for delegation.
  • Not a Self-Service product. EAP-TLS Groups have no Self-Service portal surface. If you want users to manage their own access, choose PEAP or iPSK.
  • Not a RADIUS appliance. EntryPoint is the RADIUS service. Attach your WLAN controllers and switches via RADIUS clients.

Prerequisites

  • An EntryPoint Context of type EntryPoint 2.0 (Dot1x PEAP, Entra) — see Creating a Context.
  • EAP-TLS toggled on in Configuration → Basic Configuration → Client Authentication Methods.
  • The Context’s Identity Store set to Microsoft Entra ID, with a working Directory (tenant) ID, Application (client) ID, and Client Secret pasted in. The Entra API Status card shows green. See Entra connection.
  • At least one Trusted CA certificate uploaded to the Context, covering the issuer of the certificates your devices present.
  • An Entra tenant with user-group or device-group memberships you can reference by Object ID. A user or device enrolled with a certificate signed by the trusted CA.

Where to go next

  • Entra group mapping: the shape that ties one EntryPoint Group to one Entra group.
  • User certificates: per-user certs for employees, mapped to Entra user groups.
  • Device certificates & Intune: per-device certs plus Device Compliance Check at the RADIUS layer.
  • MAB fallback inside Device-Cert: the MAC-based fallback for headless gear behind the same Group.