- 802.1X-PEAP — username + password accounts per Self-Service User.
- 802.1X-TLS with User Certificate — per-user client certificate.
- 802.1X-TLS with Device Certificate — per-device client certificate, with a built-in MAB Device List fallback inside the same Group.
When a mixed Context makes sense
Almost always, if you have more than one audience. The classic combined Dot1x Context covers three audiences at once:
- Audiences whose identities aren’t cert-backed on PEAP Groups — employees on Entra, contractor firms, vendor teams, flex-workforce, event staff, student cohorts. Each audience is its own Group, self-administered by its own lead — see Groups per audience.
- Employees with managed laptops on EAP-TLS-with-User-Certificate Groups mapped to Entra groups. The user certificate is enrolled by your MDM. See EAP-TLS with Entra — overview.
- Unattended kiosks and factory workstations on EAP-TLS-with-Device-Certificate Groups, paired with the embedded MAB Device List for anything on the same SSID or switchport that can’t do 802.1X — printers, VoIP phones, sensors, BMS gear. See MAB fallback inside Device-Cert.
Enable EAP-TLS on a Context that already runs PEAP
Toggle EAP-TLS in Client Authentication Methods
The EAP-TLS master switch is next to the EAP-PEAP one. Turn it on; leave EAP-PEAP on.
Save
Click Update Authentication Methods. New Group types become available in the Create Group dropdown.
Upload Trusted CAs
EAP-TLS needs at least one CA certificate to validate client certs against. See Trusted certificates.
Where MAB lives
MAB (MAC Authentication Bypass) isn’t a Group type of its own in the admin UI. It lives as a MAB Device List tab inside every Dot1x Group — regardless of whether the Group is 802.1X-PEAP, 802.1X-TLS-with-User-Certificate, or 802.1X-TLS-with-Device-Certificate. Devices listed on a Group’s MAB tab authenticate by MAC address; the Group’s Attribute Profile determines the VLAN / SGT / policy they’re placed on, just like the 802.1X-authenticated devices in the same Group.
The common deployment pattern is MAB inside a Device-Cert Group: a factory’s cert-authenticated workstations share the MAB list with the printer on the same switchport, and both land on the factory VLAN via the Group’s Attribute Profile. But the mechanism works equally well inside a PEAP Group — putting the office PEAP users and a VoIP phone on the same VLAN via one Group’s Attribute Profile is a legitimate shape.
See MAB fallback inside Device-Cert for the full lifecycle of the MAB list and the typical Device-Cert deployment pattern.
Attribute Profile reuse across method types
An Attribute Profile is Context-scoped — it doesn’t know what method a Group uses. You can attach VLAN 210 — Acme to an Acme Consulting PEAP Group and to a Device-Cert Group for Acme’s on-site kiosks, if those kiosks should land on the same VLAN. Profiles are about the RADIUS response; the authentication method is how the device gets to Access-Accept.
This is especially useful for staged rollouts — an audience might start on PEAP (no MDM onboarding), then migrate specific users onto certificate auth later. Reuse the Profile and the VLAN treatment stays consistent through the migration.
Audit and troubleshooting on a mixed Context
- The Context’s Audit Log captures every configuration change regardless of which Group type was touched.
- The Devices and Online counters on the Context overview aggregate across every Group.
- A RADIUS Access-Reject reads the same way for any method — entrypoint-diagnostics walks through the per-method checklists.
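To make the MAB and Attribute Profile sections above concrete, the following is an added example (a toy model, not EntryPoint code or its API) showing that PEAP, Device-Cert and MAB devices sharing one Profile receive the same Access-Accept attributes, plus a review helper listing which methods can reach each VLAN. All class and function names, the method labels and the sample data are hypothetical, and the reply is assumed to use the standard RFC 3580 VLAN attributes.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AttributeProfile:
    name: str
    vlan: int
    def radius_reply(self):
        # Assumption: VLAN assignment via the RFC 3580 tunnel attributes.
        return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-ID": str(self.vlan)}

@dataclass
class Group:
    name: str
    method: str                                    # "PEAP", "TLS-USER" or "TLS-DEVICE"
    profile: AttributeProfile
    identities: set = field(default_factory=set)   # usernames or cert subjects
    mab_macs: set = field(default_factory=set)     # the Group's MAB Device List

def norm_mac(mac):
    # Compare MACs independent of separator style and letter case.
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def authorize(groups, method, identity):
    """Return (group name, reply attributes) for Access-Accept, None for Access-Reject."""
    for g in groups:
        if method == "MAB":
            if norm_mac(identity) in {norm_mac(m) for m in g.mab_macs}:
                return g.name, g.profile.radius_reply()
        elif method == g.method and identity in g.identities:
            return g.name, g.profile.radius_reply()
    return None

def vlan_exposure(groups):
    """Per VLAN, the set of methods that can land a device on it (MAB = MAC only)."""
    out = {}
    for g in groups:
        out.setdefault(g.profile.vlan, set()).add(g.method)
        if g.mab_macs:
            out[g.profile.vlan].add("MAB")
    return out

# Constructed sample Context: one Profile reused by a PEAP and a Device-Cert Group.
ACME = AttributeProfile("VLAN 210 - Acme", 210)
FACTORY = AttributeProfile("VLAN 300 - Factory", 300)
GROUPS = [
    Group("Acme Consulting", "PEAP", ACME, identities={"alice@acme.example"}),
    Group("Acme kiosks", "TLS-DEVICE", ACME, identities={"kiosk-01"},
          mab_macs={"00:11:22:33:44:55"}),
    Group("Factory", "TLS-DEVICE", FACTORY, identities={"ws-07"}),
]
```

Running `vlan_exposure(GROUPS)` during a review shows every VLAN that a MAC-only entry can reach alongside certificate or password users, which is the set worth checking when a MAB list grows.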
Related
EAP-TLS with Entra
Managed-device certificate Groups, mapped from Entra.
MAB fallback inside Device-Cert
The MAC-based fallback that rides inside Device-Cert Groups.
Trusted certificates
The CAs EntryPoint validates EAP-TLS client certs against.
Attribute Profiles
Reuse one Profile across PEAP, TLS, and MAB Groups.

