
The EntryPoint RADIUS service for 802.1X (EAP-TLS) with Microsoft Entra ID ensures that only authorised devices can access your network. A device presents its client certificate during the EAP-TLS handshake; EntryPoint validates the certificate against the trusted CA chain and CRL and then uses the identity carried in the certificate to query Microsoft Entra ID, which handles identity verification (User Principal Name), device compliance (Entra Device ID) and authorisation (Entra group membership). This guide walks through the entire setup, end to end: Graph API credentials, Microsoft Cloud PKI, Intune certificate profiles, the Wi-Fi profile, the EntryPoint Context, RADIUS network integration and the Entra group mapping.
Modifications to the Microsoft environment should be performed by personnel with appropriate technical expertise to ensure a correct configuration and to mitigate the risk of unintended operational impacts.

1. Create Microsoft Graph API credentials and permissions

This step establishes the credentials and permissions for the Microsoft Graph API in the Microsoft Entra admin center. The generated Directory (Tenant) ID, Application (Client) ID and client secret are needed later when configuring EntryPoint.
Step 1: Access App Registrations

In the Microsoft Entra admin center, navigate to the App registrations section.
Microsoft Entra admin center, App registrations section
Step 2: Register a new application

Click New registration, give the application a name and complete the registration.
Register an application form in Microsoft Entra
Step 3: Record the Directory (Tenant) ID

Copy the Directory (Tenant) ID value shown on the registered application — you’ll paste it into EntryPoint later.
Application overview page in Microsoft Entra showing the Directory (Tenant) ID value
Step 4: Record the Application (Client) ID

Copy the Application (Client) ID value as well.
Application overview page in Microsoft Entra showing the Application (Client) ID value
Step 5: Open API permissions

Navigate to API permissions and click Add a permission.
API permissions section of the registered application with Add a permission action
Step 6: Select Microsoft Graph

Click the Microsoft Graph icon.
Request API permissions dialog with the Microsoft Graph icon highlighted
Step 7: Add three Application permissions

Choose Application permissions (EntryPoint calls Graph as itself, without a signed-in user, so Delegated permissions would not work) and search for the following, adding each one in turn:
  • User.Read.All
  • Group.Read.All
  • Directory.Read.All
Click Add permissions once all three are selected.
Application permissions tab with the search field for User.Read.All
User.Read.All permission selected in the Application permissions list
Group.Read.All and Directory.Read.All permissions selected
Step 8: Grant admin consent

The API permissions list now shows each entry as Not granted for …. Click Grant admin consent for … to authorise them.
Configured permissions list showing Not granted status and a Grant admin consent button
Step 9: Confirm the consent

Accept the confirmation dialog by clicking Yes.
Grant admin consent confirmation dialog
Step 10: Verify the status

The status now reads Granted for … for each permission.
API permissions list with green Granted status for each of the three permissions
Step 11: Create a client secret

Open Certificates & secrets in the left panel and click New client secret.
Certificates and secrets section with the New client secret action
Step 12: Configure the secret expiry

Enter a description, pick an expiry, then click Add.
Add a client secret form with description and expiry fields
Step 13: Copy the secret Value

Copy the Value of the secret immediately; it is only visible once. You’ll paste it into EntryPoint later. Treat it as a privileged credential: together with the three application permissions it grants read access to every user, group and device in the tenant, so store it only in EntryPoint and your secrets store. Note the expiry you chose and rotate the secret before then; once it expires, EntryPoint can no longer query Entra ID and the backend identity check fails.
New client secret listed with its Value column highlighted for copying
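Before leaving this section it is worth proving that the registration actually works. The script below is an added example, not EntryPoint's own code and not from the page: it obtains an app-only token with the OAuth2 client-credentials grant and checks that the three permissions appear in the token's roles claim, which is where Entra lists admin-consented application permissions. The environment variable names are this example's choice; the offline helper builds a constructed, unsigned token so the checking logic can be exercised without a tenant.

```python
"""Check the app registration from step 1 before pasting it into EntryPoint.

Added example, not EntryPoint's code and not from the page. Standard library
only. Live mode (optional): set ENTRA_TENANT_ID, ENTRA_CLIENT_ID and
ENTRA_CLIENT_SECRET (environment variable names chosen here) and run the file;
it requests an app-only token with the client-credentials grant and checks the
token's `roles` claim, which lists the admin-consented application permissions.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# The three application permissions added and consented in step 1.
REQUIRED_ROLES = ("User.Read.All", "Group.Read.All", "Directory.Read.All")
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple[str, bytes]:
    """Token endpoint and form body for the OAuth2 client-credentials grant."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",   # all consented Graph app permissions
        "grant_type": "client_credentials",
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body


def decode_jwt_payload(token: str) -> dict:
    """Decode the claims segment of a JWT without verifying it.

    Signature verification is Graph's job when the token is presented; here we
    only read the claims to see what consent the token carries.
    """
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a JWS compact-serialised token")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(claims: dict, required=REQUIRED_ROLES) -> list[str]:
    """Consented application permissions appear in the app-only token's
    `roles` claim; anything returned here was not added or not admin-consented."""
    granted = set(claims.get("roles", []))
    return [role for role in required if role not in granted]


def fetch_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Live call to the token endpoint (needs network and real credentials)."""
    url, body = token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]


def sample_token(roles: list[str]) -> str:
    """Constructed, unsigned JWT with a `roles` claim, for offline testing only."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none"}), seg({"aud": "https://graph.microsoft.com", "roles": roles}), ""])


if __name__ == "__main__":
    try:
        creds = (os.environ["ENTRA_TENANT_ID"], os.environ["ENTRA_CLIENT_ID"], os.environ["ENTRA_CLIENT_SECRET"])
    except KeyError:
        sys.exit("set ENTRA_TENANT_ID, ENTRA_CLIENT_ID and ENTRA_CLIENT_SECRET to run the live check")
    gap = missing_roles(decode_jwt_payload(fetch_token(*creds)))
    print("OK: all three application permissions are granted" if not gap else f"not granted: {gap}")
```

If a permission is reported as not granted, either it was never added in step 7 or admin consent in step 8 did not cover it; a token is still issued in that case, which is why EntryPoint would only fail later, at lookup time.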

2. Create a Microsoft Cloud PKI (Root + Issuing CA)

To issue client certificates to managed devices, your environment needs both a Root Certificate Authority (trust anchor) and an Issuing Certificate Authority (which actually signs device certificates). If you already operate a PKI — on-premises or cloud-based — you can reuse it. The example below shows Microsoft Cloud PKI. In the Microsoft Intune admin center, open Tenant administration → Cloud PKI.
Microsoft Intune admin center Cloud PKI section

Example: Root CA

Follow Microsoft’s official guide to create the Root CA. When finished, click Download certificate — you’ll need the Root CA cert later when configuring EntryPoint.
Cloud PKI Root CA detail page in Microsoft Intune admin center

Example: Issuing CA

The Issuing CA signs certificates for Intune-managed devices. Microsoft Cloud PKI automatically provides a SCEP service that acts as a certificate registration authority — it requests certificates from the Issuing CA on behalf of Intune-managed devices using a SCEP profile. Follow Microsoft’s guide to create the Issuing CA. When finished:
  • Click Download certificate — you’ll need it later.
  • Copy both the CRL distribution point URI and the SCEP URI — they’re needed in the EntryPoint configuration.
Cloud PKI Issuing CA detail page showing SCEP URI and CRL distribution point values

3. Create a SCEP certificate profile — device (Windows)

The SCEP certificate profile tells Intune to enroll a device certificate, which the device later presents to EntryPoint during EAP-TLS authentication. In the Microsoft Intune admin center, navigate to Devices → By Platform → Windows → Manage devices → Configuration. Click Create and configure a new SCEP certificate profile.
Microsoft Intune admin center Configuration section under Devices > By Platform > Windows
Use the SCEP URI copied in the previous step. Configure the subject as follows:
  • Subject Name Format: CN={{UserPrincipalName}}##{{AAD_Device_ID}}
  • Subject Alternative Name: Attribute User principal name (UPN), value {{UserPrincipalName}}#tls-user#{{AAD_Device_ID}}
Intune substitutes both variables when the certificate is requested, so every device certificate carries the user's UPN (for the Entra identity lookup) and the Entra Device ID (for the device compliance check). The #tls-user# token tells EntryPoint to use the backend identity check, in this case Microsoft Entra.
Put the full value in the Subject Alternative Name rather than relying on the Subject Name Format: the commonName attribute has a fixed upper bound in X.509 (64 characters in RFC 5280), and a UPN plus the 36-character Device ID easily exceeds it, whereas the SAN has no such limit.
Example SCEP certificate profile in Intune with Subject Name Format and Subject Alternative Name configured
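As an added example (not EntryPoint's code and not from the page), here is how the two values the profile above produces can be parsed back into a UPN, a Device ID and the backend-check flag, together with a check for the commonName length problem. The page only defines the two formats and the meaning of the #tls-user# token; the rejection rules are this example's own, and attributing the length problem to the 64-character ub-common-name bound of RFC 5280 is an assumption, since the page does not say which limit it hit.

```python
"""Parse the identity the SCEP profile above puts into each device certificate.

Added example, not EntryPoint's code. The page defines only the two formats
(CN={{UserPrincipalName}}##{{AAD_Device_ID}} in the Subject, and
{{UserPrincipalName}}#tls-user#{{AAD_Device_ID}} in the SAN UPN) and that the
#tls-user# token selects the backend identity check; the field names, the
rejection rules and the commonName length check are this example's own.
"""
import re
from dataclasses import dataclass

BACKEND_TOKEN = "tls-user"
GUID = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# RFC 5280 Appendix A: ub-common-name is 64 characters. The page does not say
# which limit it hit when it recommends the SAN for long values; this is the usual one.
UB_COMMON_NAME = 64


@dataclass(frozen=True)
class CertIdentity:
    upn: str
    device_id: str
    backend_check: bool   # True when the value carried the #tls-user# token


def parse_identity(value: str) -> CertIdentity:
    """Accept either the Subject CN form or the SAN UPN form."""
    if value.startswith("CN="):
        value = value[3:]
    # Split from the right: the Device ID and the token contain no '#', but an
    # Entra UPN local part legally may (e.g. a#b@contoso.com), so rsplit keeps it intact.
    parts = value.rsplit("#", 2)
    if len(parts) != 3:
        raise ValueError(f"expected <upn>#<token>#<device-id>, got {value!r}")
    upn, token, device_id = parts
    if "@" not in upn:
        raise ValueError(f"{upn!r} is not a UPN")
    if token not in ("", BACKEND_TOKEN):
        raise ValueError(f"unknown token {token!r}")
    if not GUID.fullmatch(device_id):
        raise ValueError(f"device id {device_id!r} is not a GUID")
    return CertIdentity(upn, device_id.lower(), token == BACKEND_TOKEN)


def is_valid_identity(value: str) -> bool:
    """True if parse_identity accepts the value."""
    try:
        parse_identity(value)
        return True
    except ValueError:
        return False


def fits_common_name(upn: str) -> bool:
    """Would CN=<upn>##<guid> fit in a commonName? 36 chars of GUID plus '##' leaves 26 for the UPN."""
    return len(upn) + 2 + 36 <= UB_COMMON_NAME
```

Run fits_common_name over your tenant's UPNs before rolling the profile out: any user whose UPN is longer than 26 characters is exactly the case the note above is about, and the SAN value is the one that survives intact.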

4. Create a Trusted certificate profile — RADIUS Server Certificate (Windows)

The Trusted certificate profile tells Windows to trust the certificate EntryPoint presents during the TLS handshake. In the Microsoft Intune admin center, navigate to Devices → By Platform → Windows → Manage devices → Configuration. Click Create and configure a new Trusted certificate profile.
Microsoft Intune admin center Configuration section ready to create a new profile
If you don’t yet have your own RADIUS server certificate, you can use the default certificate that ships with the EntryPoint Entra ID Context; download it with Download Server Certificate under Network Integration (step 9) and return to this step once it is in place. Whichever certificate you use, it (or the CA that issued it) must be in this profile: otherwise Windows clients will not trust EntryPoint and the handshake fails before the client certificate is ever sent.
Example Trusted certificate profile in Intune for the RADIUS Server certificate

5. Create a Trusted certificate profile — Root CA Certificate (Windows)

A second Trusted certificate profile distributes the Root CA certificate (downloaded in step 2) to managed Windows devices. In the Microsoft Intune admin center, navigate to Devices → By Platform → Windows → Manage devices → Configuration. Click Create and configure a new Trusted certificate profile.
Microsoft Intune admin center Configuration section ready to create a Trusted certificate profile
Upload the Root CA certificate downloaded in step 2.
Example Trusted certificate profile in Intune with the Root CA certificate uploaded

6. Create a Wi-Fi profile (Windows)

The Wi-Fi profile pushes the SSID configuration to managed Windows devices, telling them to authenticate against EntryPoint using EAP-TLS. In the Microsoft Intune admin center, navigate to Devices → By Platform → Windows → Manage devices → Configuration. Click Create and configure a new Wi-Fi profile.
Microsoft Intune admin center Configuration section ready to create a Wi-Fi profile
The example below shows an “Acme Enterprise WiFi” profile; substitute your own SSID and adjust the trust settings to your deployment. Keep server certificate validation enabled, select the certificate pushed in steps 4 and 5 as the trusted root, and restrict the accepted server name to the name in EntryPoint's server certificate. A client configured to skip server validation will complete the handshake with any RADIUS server that answers.
Example Wi-Fi profile in Intune named Acme Enterprise WiFi with EAP-TLS authentication

7. Create an EntryPoint Context

Sign in to the admin dashboard and create a new EntryPoint RADIUSaaS Context.

Switch to EntryPoint RADIUSaaS

In the Services menu, switch to EntryPoint – RADIUSaaS.
Services menu in the admin dashboard with EntryPoint RADIUSaaS selected

Create a new Context

Under Context, click Create. Choose the EntryPoint 2.0 (Dot1x PEAP, Entra) Context type, give your network a name, and click Create Context.
Create Context dialog with the EntryPoint 2.0 (Dot1x PEAP, Entra) type selected

Enable EAP-TLS

In Context Configuration, open Client Authentication Methods. Enable EAP-TLS and choose User Certificate with Backend Identity Store. Click Update Authentication Methods.
Client Authentication Methods configuration with EAP-TLS enabled and User Certificate with Backend Identity Store selected

Select the Identity Store

In Backend Identity Store, select Microsoft Entra ID from the Identity Store drop-down.
Backend Identity Store selector with Microsoft Entra ID chosen

Fill in the Entra API credentials

Paste in the values you recorded in step 1:
  • Directory (Tenant) ID.
  • Application (Client) ID.
  • Client secret value.
Entra API credentials form with Directory ID, Client ID and Client Secret fields
Click Update Identity Store to save.
Identity Store configuration with Update Identity Store button after the credential fields are filled

8. Configure 802.1x Authentication (EAP-TLS)

This step establishes trust between the EntryPoint Context and Microsoft Cloud PKI so the Context recognises client certificates issued by Intune.
EntryPoint Context configuration overview

Open Context configuration

Sign in to the admin dashboard, locate the Context created in step 7 and click Context configuration.
Context list with the Context configuration button highlighted

Configure the SSID

Open 802.1x Authentication. On the SSID tab, enter your SSID name and click Update Dot1x SSID name to save.
SSID tab under 802.1x Authentication with SSID name input and Update Dot1x SSID name button

Open the EAP-TLS tab

Switch to the EAP-TLS tab to add the trusted CAs.
EAP-TLS tab under 802.1x Authentication

Upload the Root and Issuing CA certificates

Upload the Root and Issuing CA certificates downloaded in step 2.
Only PEM-format certificates are supported. Convert DER format using:
  • macOS / Linux: openssl x509 -inform der -in <name>.cer -out <name>.pem
  • Windows: certutil.exe -encode <name>.cer <name>.pem
Click Add Trusted CA → Change Certificate and paste the certificate in PEM format. Repeat for both the Root CA and the Issuing CA.
Trusted CA upload dialog with a Change Certificate field accepting PEM-format input
Trusted CA list after both Root and Issuing CA have been added

Configure the CRL distribution point

Paste in the CRL distribution point URI copied from step 2 and click Update Cert Revocation URL to save. EntryPoint uses this URI to refuse revoked device certificates, so it must be reachable from EntryPoint; a certificate you revoke in Cloud PKI (for a lost or retired device, say) is only rejected once the revocation appears in the published CRL.
Cert Revocation URL field with the CRL distribution point URI

9. Configure Network Integration

Network Integration connects your WLAN infrastructure to EntryPoint via three components:
  • RADIUS Client Secret — shared secret for the RADIUS protocol between your WLAN controller and EntryPoint.
  • RADIUS Server Certificate — presented by EntryPoint during the TLS handshake. You can supply your own or use the built-in.
  • RadSec — optional. RADIUS over TLS (RFC 6614) for encrypted, mutually authenticated transport between the RADIUS client and EntryPoint, protecting against eavesdropping and man-in-the-middle attacks. Plain RADIUS protects its packets only with an MD5 construction keyed by the shared secret, so enable RadSec whenever the path between your controller and EntryPoint is not already trusted, which for a cloud-hosted service means the public internet.

Open Context configuration

Sign in to the admin dashboard, locate the Context and click Context configuration.
Context list with Context configuration button highlighted
Open Network Integration → Basic Settings. The panel shows the RADIUS Hostname, Authentication Port, Accounting Port and RadSec Port you’ll configure on your WLAN controller.
Network Integration Basic Settings panel showing RADIUS Hostname and ports

Set the RADIUS Client Secret

Enter your RADIUS Client Secret and save. Use a long random value (32 characters or more) rather than a word: the same value must be configured for the EntryPoint server on your WLAN controller, and it is the only thing authenticating plain RADIUS packets between the two.
RADIUS Client Secret input field

Upload a RADIUS Server Certificate

Open RADIUS Service → Server Certificate. Click Change certificate for both Certificate and Private Key and paste in your RADIUS Server Certificate and key in PEM format.
Convert formats with openssl or certutil:
  • DER → PEM (Linux/macOS): openssl x509 -inform der -in <name>.cer -out <name>.pem
  • DER → PEM (Windows): certutil.exe -encode <name>.cer <name>.pem
  • PEM → DER (Linux/macOS): openssl x509 -outform der -in <name>.pem -out <name>.crt
  • PEM → DER (Windows): certutil.exe -decode <name>.pem <name>.crt
If you don’t have your own certificate, use the built-in default that ships with the Context, and make sure the same certificate is the one distributed by the Trusted certificate profile from step 4.
RADIUS Server Certificate upload UI with Certificate and Private Key fields
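The Trusted CA fields in step 8 and the Certificate and Private Key fields here all accept PEM only, and the conversions above are easy to get wrong by hand (a chain pasted where one certificate is expected, a key pasted into a certificate field, an encrypted key). The following is an added example, not EntryPoint's code and not from the page, serving both steps: it uses only Python's standard ssl module for the DER/PEM framing, and the file-type detection and the guards are this example's own. The input bytes in the test are constructed placeholders, not a real certificate.

```python
"""Normalise certificate material for the PEM-only fields in step 8 (Trusted CA)
and step 9 (RADIUS Server Certificate and Private Key).

Added example, not part of EntryPoint or the page. The DER/PEM framing comes
from Python's standard ssl module; detecting what was pasted and refusing a key
in a certificate field are this example's own checks.
"""
import ssl


def is_pem(data: bytes) -> bool:
    """PEM is text starting with a '-----BEGIN ' armour line; anything else is treated as DER."""
    return data.lstrip().startswith(b"-----BEGIN ")


def pem_blocks(text: str) -> list[str]:
    """Split a PEM file into its individual BEGIN/END blocks.
    Text between blocks (openssl 'Bag Attributes', comments) is dropped."""
    blocks = []
    current = None
    for line in text.splitlines():
        if line.startswith("-----BEGIN "):
            current = [line]
        elif current is not None:
            current.append(line)
            if line.startswith("-----END "):
                blocks.append("\n".join(current) + "\n")
                current = None
    return blocks


def pem_label(block: str) -> str:
    """'CERTIFICATE', 'PRIVATE KEY', 'RSA PRIVATE KEY', 'ENCRYPTED PRIVATE KEY', ..."""
    return block.splitlines()[0][len("-----BEGIN "):].rstrip("-")


def labels(data: bytes) -> list[str]:
    """What a pasted file actually contains, e.g. ['CERTIFICATE', 'CERTIFICATE']."""
    return [pem_label(b) for b in pem_blocks(data.decode())] if is_pem(data) else ["DER"]


def to_pem_certificates(data: bytes) -> list[str]:
    """Return the certificate(s) in data as separate PEM strings.

    Accepts one DER certificate (a .cer downloaded from Cloud PKI) or a PEM file
    holding one or more certificates. Raises if any block is not a certificate,
    so a private key cannot land in a certificate field by mistake.
    """
    if not is_pem(data):
        # ssl re-frames DER as PEM (base64 + armour) without parsing it
        return [ssl.DER_cert_to_PEM_cert(data)]
    blocks = pem_blocks(data.decode())
    if not blocks:
        raise ValueError("no PEM blocks found")
    wrong = [pem_label(b) for b in blocks if pem_label(b) != "CERTIFICATE"]
    if wrong:
        raise ValueError(f"expected only certificates, found {wrong}")
    return blocks


def to_der(pem_cert: str) -> bytes:
    """The reverse direction (openssl x509 -outform der / certutil -decode)."""
    return ssl.PEM_cert_to_DER_cert(pem_cert)


def private_key_needs_passphrase(pem_key: str) -> bool:
    """True for PKCS#8 encrypted keys and legacy OpenSSL-encrypted PEM keys; decrypt
    such a key first (openssl pkey -in enc.pem -out plain.pem) before pasting it."""
    return pem_label(pem_key) == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in pem_key
```

Feed each downloaded .cer to to_pem_certificates and paste every returned string into its own Add Trusted CA → Change Certificate field; if it returns more than one block, you had a chain file, and each CA goes in separately.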

Enable RadSec (optional)

Enable RadSec and upload your infrastructure certificate (the certificate your WLAN controller presents as the RadSec TLS client) so EntryPoint can authenticate it. If you haven’t obtained the RADIUS Server Certificate yet, download it from EntryPoint via Download Server Certificate and configure RadSec on your WLAN infrastructure accordingly.
RadSec configuration panel

10. Map Entra groups to EntryPoint Groups

Authorisation is decided by Entra group membership: one EntryPoint Group mirrors one Entra group.

Open the Context and add a Group

Sign in, open the Context and click Add Group on the left.
Context page with the Add Group action highlighted

Select the Entra group

In the drop-down, select the Entra group you want to add and click Add Entra Group.
Add Entra Group dialog with a drop-down listing available Entra groups

Members can now authenticate

Users in the chosen Entra group — Employees in this example — now have the permissions required to authenticate against this Context.
Group list showing the newly added Employees Entra group with member counts
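To make the whole decision concrete, here is an added example (not EntryPoint's implementation, which the page does not show) of the checks the page names: a valid certificate is necessary but not sufficient; the UPN must resolve to an enabled Entra user, that user must be in an Entra group that is mapped to an EntryPoint Group, and the Entra Device ID must belong to a compliant device. The Graph responses are constructed samples shaped like real /users, /users/{id}/memberOf and /devices results; accountEnabled, isCompliant, deviceId and @odata.type are real Graph properties, but which of them EntryPoint consults, and the exact queries, are this example's assumptions.

```python
"""Authorisation decision for one EAP-TLS authentication, as the page describes
it: the UPN from the certificate must resolve to an enabled Entra user, the
user must belong to an Entra group mapped to an EntryPoint Group, and the
Entra Device ID from the certificate must belong to a compliant device.

Added example: a model of those checks, not EntryPoint's implementation (the
page does not show it). The sample Graph responses are constructed; the
property names are real Graph properties, but which ones EntryPoint consults
is an assumption of this example.
"""
from dataclasses import dataclass, field
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"

# One EntryPoint Group mirrors one Entra group: Entra group object id -> EntryPoint Group name.
GROUP_MAP = {
    "3c2e8d4f-0000-4000-8000-000000000001": "Employees",   # constructed object id
}


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def graph_queries(upn: str, device_id: str) -> dict[str, str]:
    """The lookups the three application permissions from step 1 allow (assumed
    query shapes; EntryPoint's actual requests are not documented on the page)."""
    return {
        "user": f"{GRAPH}/users/{quote(upn)}?$select=id,userPrincipalName,accountEnabled",
        "groups": f"{GRAPH}/users/{quote(upn)}/memberOf?$select=id,displayName",
        "device": f"{GRAPH}/devices?$filter=deviceId eq '{device_id}'&$select=deviceId,isCompliant,accountEnabled",
    }


def authorise(user, member_of, devices, group_map=GROUP_MAP) -> Decision:
    """Combine the three Graph responses into an allow/deny with reasons."""
    if user is None:                                   # 404 from /users/{upn}
        return Decision(False, ["user not found in Entra ID"])
    reasons = []
    if not user.get("accountEnabled", False):
        reasons.append("user account disabled")
    # memberOf returns directoryObjects; keep only groups (not directoryRoles etc.)
    group_ids = {g["id"] for g in member_of.get("value", [])
                 if g.get("@odata.type") == "#microsoft.graph.group"}
    mapped = sorted(group_map[g] for g in group_ids if g in group_map)
    if not mapped:
        reasons.append("user is in no Entra group mapped to an EntryPoint Group")
    found = devices.get("value", [])
    if not found:
        reasons.append("device id not registered in Entra ID")
    elif found[0].get("isCompliant") is not True:      # None (not Intune-managed) counts as non-compliant
        reasons.append("device not compliant")
    elif not found[0].get("accountEnabled", True):
        reasons.append("device disabled")
    if reasons:
        return Decision(False, reasons)
    return Decision(True, [f"member of EntryPoint Group(s): {', '.join(mapped)}"])


# Constructed sample responses for an enabled user in Employees on a compliant device.
SAMPLE_USER = {"id": "u-1", "userPrincipalName": "alice@contoso.com", "accountEnabled": True}
SAMPLE_MEMBER_OF = {"value": [
    {"@odata.type": "#microsoft.graph.group", "id": "3c2e8d4f-0000-4000-8000-000000000001", "displayName": "Employees"},
    {"@odata.type": "#microsoft.graph.directoryRole", "id": "r-1", "displayName": "Global Reader"},
]}
SAMPLE_DEVICES = {"value": [
    {"deviceId": "2f6b0d3e-7c1a-4b9e-9b1e-0e2c1d4a5b6c", "isCompliant": True, "accountEnabled": True},
]}

if __name__ == "__main__":
    print(graph_queries("alice@contoso.com", "2f6b0d3e-7c1a-4b9e-9b1e-0e2c1d4a5b6c"))
    print(authorise(SAMPLE_USER, SAMPLE_MEMBER_OF, SAMPLE_DEVICES))
```

Note that isCompliant is null in Graph for devices Intune does not manage; treating null as non-compliant, as above, is the safe default, since a device that merely registered with Entra should not pass a compliance check it was never subject to.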

Group Settings

On the Group Settings tab you can attach pre-configured Group Attribute Profiles, rename the Group, or remove it by clicking Remove Group.
Group Settings tab with Group Attribute Profiles, Group Name and Remove Group controls

Related pages

  • EAP-TLS with Entra overview: the concepts behind certificate-based 802.1X with Entra ID groups.
  • Entra group mapping: how one EntryPoint Group mirrors one Entra group.
  • Device certificates and Intune: device-cert specifics and Device Compliance Check.
  • Trusted certificates: uploading the CA chain the Context validates against.