The EntryPoint RADIUS service for 802.1X (EAP-TLS) with a device certificate ensures that only authorised devices can access your network by validating certificates issued to each device by your PKI. Authorisation lives in the certificate itself — no per-user account, no backend identity store lookup. The device’s certificate carries a Certificate Group Identifier that the EntryPoint Group matches against. This guide walks the entire setup, end to end: Microsoft Cloud PKI, Intune SCEP and trusted certificate profiles, the Wi-Fi profile, the EntryPoint Context, RADIUS network integration and the device certificate Group.
Modifications to the Microsoft environment should be performed by personnel with appropriate technical expertise to ensure a correct configuration and to mitigate the risk of unintended operational impacts.

1. Create a Microsoft Cloud PKI (Root + Issuing CA)

To issue client certificates to managed devices, your environment needs both a Root Certificate Authority (trust anchor) and an Issuing Certificate Authority (which actually signs device certificates). If you already operate a PKI — on-premises or cloud-based — you can reuse it. The example below shows Microsoft Cloud PKI. In the Microsoft Intune admin center, open Tenant administration → Cloud PKI.
Microsoft Intune admin center Cloud PKI section

Example: Root CA

Follow Microsoft’s official guide to create the Root CA. When finished, click Download certificate — you’ll need the Root CA cert later when configuring EntryPoint.
Cloud PKI Root CA detail page in Microsoft Intune admin center

Example: Issuing CA

The Issuing CA signs certificates for Intune-managed devices. Microsoft Cloud PKI automatically provides a SCEP service that acts as a certificate registration authority — it requests certificates from the Issuing CA on behalf of Intune-managed devices using a SCEP profile. Follow Microsoft’s guide to create the Issuing CA. When finished:
  • Click Download certificate — you’ll need it later.
  • Copy both the CRL distribution point URI and the SCEP URI — they’re needed in the EntryPoint configuration.
Cloud PKI Issuing CA detail page showing SCEP URI and CRL distribution point values

2. Create a SCEP certificate profile — device (Windows)

The SCEP certificate profile tells Intune to enroll a device certificate which the device later presents to EntryPoint during EAP-TLS authentication. In the Microsoft Intune admin center, navigate to Devices → By Platform → Windows → Manage devices → Configuration. Click Create and configure a new SCEP certificate profile.
Microsoft Intune admin center Configuration section under Devices > By Platform > Windows
Use the SCEP URI copied in the previous step. Configure the subject as follows:
  • Subject Name Format: CN={{AAD_Device_ID}}#tls-device#<Certificate Group Identifier>
The #tls-device# token tells EntryPoint to use the <Certificate Group Identifier> value to find the EntryPoint Group that the certificate is mapped to. You’ll define the same identifier on the Group in step 9.
Example SCEP certificate profile in Intune with Subject Name Format using CN, AAD_Device_ID and a Certificate Group Identifier

3. Create a Trusted certificate profile — RADIUS Server Certificate (Windows)

The Trusted certificate profile tells Windows to trust the certificate EntryPoint presents during the TLS handshake. In the Microsoft Intune admin center, navigate to Devices → By Platform → Windows → Manage devices → Configuration. Click Create and configure a new Trusted certificate profile.
Microsoft Intune admin center Configuration section ready to create a new profile
If you don’t yet have your own RADIUS server certificate, you can use the default certificate that ships with the EntryPoint Entra ID Context — return to this step once it’s in place.
Example Trusted certificate profile in Intune for the RADIUS Server certificate

4. Create a Trusted certificate profile — Root CA Certificate (Windows)

A second Trusted certificate profile distributes the Root CA certificate (downloaded in step 1) to managed Windows devices. In the Microsoft Intune admin center, navigate to Devices → By Platform → Windows → Manage devices → Configuration. Click Create and configure a new Trusted certificate profile.
Microsoft Intune admin center Configuration section ready to create a Trusted certificate profile
Upload the Root CA certificate downloaded in step 1.
Example Trusted certificate profile in Intune with the Root CA certificate uploaded

5. Create a Wi-Fi profile (Windows)

The Wi-Fi profile pushes the SSID configuration to managed Windows devices, telling them to authenticate against EntryPoint using EAP-TLS. In the Microsoft Intune admin center, navigate to Devices → By Platform → Windows → Manage devices → Configuration. Click Create and configure a new Wi-Fi profile.
Microsoft Intune admin center Configuration section ready to create a Wi-Fi profile
The example below shows an “Acme Enterprise WiFi” profile — substitute your own SSID and adjust the trust settings to your deployment.
Example Wi-Fi profile in Intune named Acme Enterprise WiFi with EAP-TLS authentication

6. Create an EntryPoint Context

Sign in to the admin dashboard and create a new EntryPoint RADIUSaaS Context.

Switch to EntryPoint RADIUSaaS

In the Services menu, switch to EntryPoint – RADIUSaaS.
Services menu in the admin dashboard with EntryPoint RADIUSaaS selected

Create a new Context

Under Context, click Create. Choose the EntryPoint 2.0 (Dot1x PEAP, Entra) Context type, give your network a name, and click Create Context.
Create Context dialog with the EntryPoint 2.0 (Dot1x PEAP, Entra) type selected

Enable EAP-TLS with Device certificate

In Context Configuration → Client Authentication Methods, enable EAP-TLS and select Device certificate. Click Update Authentication Methods.
Client Authentication Methods configuration with EAP-TLS enabled and Device certificate selected
Device certificates don’t require a backend identity store — the certificate is the identity. Skip the Backend Identity Store configuration.

7. Configure 802.1x Authentication (EAP-TLS)

This step establishes trust between the EntryPoint Context and Microsoft Cloud PKI so the Context validates client certificates issued by Intune.

Open Context configuration

Sign in to the admin dashboard, locate the Context created in step 6 and click Context configuration.
Context list with the Context configuration button highlighted

Configure the SSID

Open 802.1x Authentication. On the SSID tab, enter your SSID name and click Update Dot1x SSID name to save.
SSID tab under 802.1x Authentication with SSID name input and Update Dot1x SSID name button

Open the EAP-TLS tab

Switch to the EAP-TLS tab to add the trusted CAs.
EAP-TLS tab under 802.1x Authentication

Upload the Root and Issuing CA certificates

Upload the Root and Issuing CA certificates downloaded in step 1.
Only PEM-format certificates are supported. Convert DER format using:
  • macOS / Linux: openssl x509 -inform der -in <name>.cer -out <name>.pem
  • Windows: certutil.exe -encode <name>.cer <name>.pem
Click Add Trusted CA → Change Certificate and paste the certificate in PEM format. Repeat for both the Root CA and the Issuing CA.
Trusted CA upload dialog with a Change Certificate field accepting PEM-format input
Trusted CA list after both Root and Issuing CA have been added

Configure the CRL distribution point

Paste in the CRL distribution point URI copied from step 1 and click Update Cert Revocation URL to save.
Cert Revocation URL field with the CRL distribution point URI

8. Configure Network Integration

Network Integration connects your WLAN infrastructure to EntryPoint via three components:
  • RADIUS Client Secret — shared secret for the RADIUS protocol between your WLAN controller and EntryPoint.
  • RADIUS Server Certificate — presented by EntryPoint during the TLS handshake. You can supply your own or use the built-in.
  • RadSec — optional. RADIUS over TLS for encrypted transport between the RADIUS client and EntryPoint, protecting against eavesdropping and man-in-the-middle attacks.

Open Context configuration

Sign in to the admin dashboard, locate the Context and click Context configuration.
Context list with Context configuration button highlighted
Open Network Integration → Basic Settings. The panel shows the RADIUS Hostname, Authentication Port, Accounting Port and RadSec Port you’ll configure on your WLAN controller.
Network Integration Basic Settings panel showing RADIUS Hostname and ports

Set the RADIUS Client Secret

Enter your RADIUS Client Secret and save.
RADIUS Client Secret input field

Upload a RADIUS Server Certificate

Open RADIUS Service → Server Certificate. Click Change certificate for both Certificate and Private Key and paste in your RADIUS Server Certificate and key in PEM format.
Convert formats with openssl or certutil:
  • DER → PEM (Linux/macOS): openssl x509 -inform der -in <name>.cer -out <name>.pem
  • DER → PEM (Windows): certutil.exe -encode <name>.cer <name>.pem
  • PEM → DER (Linux/macOS): openssl x509 -outform der -in <name>.pem -out <name>.crt
  • PEM → DER (Windows): certutil.exe -decode <name>.pem <name>.crt
If you don’t have your own certificate, use the built-in default that ships with the Context.
RADIUS Server Certificate upload UI with Certificate and Private Key fields
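Both the trusted CA upload in step 7 and the server certificate upload in this step accept PEM only, and the downloaded Cloud PKI files are typically DER (.cer). The following Python is an added example, not part of this guide or of EntryPoint itself: it detects which form a certificate file is in, converts DER to PEM (and back) using only the standard library's ssl helpers as an alternative to the openssl/certutil commands above, and checks that a pasted block really is a single PEM CERTIFICATE whose body decodes to an ASN.1 SEQUENCE. The sample bytes are a constructed ASN.1 SEQUENCE, not a real certificate; a private key (a BEGIN PRIVATE KEY block) is not covered.

```python
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def looks_like_der(data: bytes) -> bool:
    """A DER-encoded X.509 certificate always begins with the ASN.1 SEQUENCE tag 0x30."""
    return len(data) > 2 and data[0] == 0x30


def is_pem_certificate(text: str) -> bool:
    """True only for a single PEM CERTIFICATE block whose base64 body decodes to a SEQUENCE."""
    body = text.strip()
    if not (body.startswith(PEM_HEADER) and body.endswith(PEM_FOOTER)):
        return False
    try:
        der = ssl.PEM_cert_to_DER_cert(body)
    except ValueError:  # bad base64 raises binascii.Error, a ValueError subclass
        return False
    return looks_like_der(der)


def to_pem(data: bytes) -> str:
    """Return the certificate as PEM whether the file was DER (.cer) or already PEM.

    Raises ValueError for input that is neither, so a wrong file is caught before
    it is pasted into the Change Certificate dialog.
    """
    if looks_like_der(data):
        return ssl.DER_cert_to_PEM_cert(data)
    try:
        text = data.decode("ascii")  # PEM is ASCII by definition
    except UnicodeDecodeError as exc:
        raise ValueError("input is neither DER nor ASCII PEM") from exc
    if not is_pem_certificate(text):
        raise ValueError("input is not a PEM CERTIFICATE block")
    # Re-wrap so the result is one canonical block with 64-column base64 lines.
    return ssl.DER_cert_to_PEM_cert(ssl.PEM_cert_to_DER_cert(text.strip()))


def to_der(data: bytes) -> bytes:
    """Inverse direction (PEM -> DER), the equivalent of openssl x509 -outform der."""
    return ssl.PEM_cert_to_DER_cert(to_pem(data))


# Constructed sample: a bare ASN.1 SEQUENCE (SEQUENCE { OCTET STRING of 96 bytes }),
# NOT a real certificate, but long enough that the PEM body spans several lines.
CONSTRUCTED_DER = b"\x30\x81\x62" + b"\x04\x60" + bytes(range(96))


if __name__ == "__main__":
    pem = to_pem(CONSTRUCTED_DER)
    print(pem)
    print("valid PEM:", is_pem_certificate(pem))
    print("round trip ok:", to_der(pem.encode("ascii")) == CONSTRUCTED_DER)
```

Run it against a real download with `to_pem(open("root.cer", "rb").read())`; whatever the source form, the returned string is what the Change Certificate field expects.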

Enable RadSec (optional)

Enable RadSec and upload your infrastructure certificate. If you haven’t obtained the RADIUS Server Certificate yet, download it from EntryPoint via Download Server Certificate and configure RadSec on your WLAN infrastructure accordingly.
RadSec configuration panel

9. Create the Device Certificate Group

The device certificate Group is what the certificate’s Certificate Group Identifier matches against. Every device issued a certificate with the matching identifier ends up in this EntryPoint Group, inheriting its Attribute Profile.

Open the Context and add a Group

Sign in, open the Context and click Add Group on the left.
Context page with the Add Group action highlighted

Create an 802.1X-TLS with Device Certificate Group

In the drop-down menu, select 802.1X-TLS with Device Certificate. Name the Group and click Create TLS Device Certificate Group.
Add Group dialog with the 802.1X-TLS with Device Certificate type selected and a Group name input

Group created

The Group — Consultants with cert in this example — appears in the Context’s Group list.
Group list with the newly created Consultants with cert device certificate Group

Group Settings — set the Certificate Group Identifier

On the Group Settings tab you can:
  • Attach pre-configured Group Attribute Profiles.
  • Set the Certificate Group Identifier — the string the SCEP profile writes into the certificate’s Subject Alternative Name (the <Certificate Group Identifier> token from step 2). Devices whose certificate carries this identifier are placed in this EntryPoint Group.
  • Rename the Group.
  • Remove the Group via Remove Group.
Group Settings tab with Group Attribute Profiles, Certificate Group Identifier, Group Name and Remove Group controls
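The Subject Name Format from step 2 and the Certificate Group Identifier set here are the two halves of one mapping. The Python below is an added example, written for this guide rather than taken from EntryPoint or Intune: it builds the Subject Name Format string for a given identifier, renders it the way Intune is assumed to (replacing {{AAD_Device_ID}} with the device's Entra device ID, a GUID), parses the CN a presented certificate would carry, and resolves the EntryPoint Group, refusing any certificate whose identifier matches no Group. The function names, the device GUID and the group table are constructed assumptions; the Group name Consultants with cert comes from the example above.

```python
import re
from typing import Dict, Tuple
import uuid

CN_TOKEN = "#tls-device#"
# Intune's variable for the Entra (AAD) device ID, as written in the SCEP profile.
DEVICE_ID_VARIABLE = "{{AAD_Device_ID}}"


def subject_name_format(group_id: str) -> str:
    """Build the Subject Name Format string to enter in the SCEP profile (step 2)."""
    if not group_id or any(ch in group_id for ch in ",#="):
        raise ValueError("Certificate Group Identifier must be non-empty and free of ',' '#' '='")
    return "CN=" + DEVICE_ID_VARIABLE + CN_TOKEN + group_id


def render_subject(template: str, device_id: str) -> str:
    """Assumed Intune behaviour: substitute the Entra device ID (a GUID) into the template."""
    uuid.UUID(device_id)  # raises ValueError if the ID is not a well-formed GUID
    return template.replace(DEVICE_ID_VARIABLE, device_id)


def parse_device_cn(subject: str) -> Tuple[str, str]:
    """Split a certificate subject's CN into (device_id, group_id).

    Accepts either the bare CN attribute or a full subject such as 'O=Acme, CN=...'.
    Anything that does not contain exactly one #tls-device# token, a GUID before it
    and a non-empty identifier after it is rejected.
    """
    match = re.search(r"(?:^|,\s*)CN=([^,]*)", subject)
    if not match:
        raise ValueError("subject has no CN attribute")
    cn = match.group(1)
    if cn.count(CN_TOKEN) != 1:
        raise ValueError(f"CN must contain exactly one {CN_TOKEN} token")
    device_id, group_id = cn.split(CN_TOKEN)
    uuid.UUID(device_id)  # ValueError if the part before the token is not a GUID
    if not group_id:
        raise ValueError("Certificate Group Identifier is empty")
    return device_id, group_id


def resolve_group(subject: str, groups: Dict[str, str]) -> str:
    """Model of step 9's matching: identifier -> Group name; unknown identifiers get no Group."""
    _, group_id = parse_device_cn(subject)
    if group_id not in groups:
        raise LookupError(f"no Group has Certificate Group Identifier {group_id!r}")
    return groups[group_id]


# Constructed sample data: Certificate Group Identifier -> EntryPoint Group name.
CONSTRUCTED_GROUPS = {"consultants-cert": "Consultants with cert"}
CONSTRUCTED_DEVICE_ID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"


if __name__ == "__main__":
    template = subject_name_format("consultants-cert")
    print("SCEP Subject Name Format:", template)
    subject = render_subject(template, CONSTRUCTED_DEVICE_ID)
    print("issued certificate subject:", subject)
    print("resolved Group:", resolve_group(subject, CONSTRUCTED_GROUPS))
```

A certificate whose CN carries an identifier that no Group has configured resolves to nothing, which is the behaviour to expect when the value typed into Group Settings and the value in the SCEP profile differ by so much as a character.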
