Comparing variants
EntryPoint is one RADIUS service with several variants. Each variant matches a different way an audience proves who it is: a password, a certificate that names a device, a certificate that names a person, a per-group key, or a credential checked by a remote federation. A service context runs one variant; an organization typically runs several contexts side by side.
Pick the variant by the credential the audience already has, then by where its identity is resolved.
| Variant | Credential | Identity / backend | Best for | Delegated self-service | Status |
|---|---|---|---|---|---|
| EAP-PEAP | Username and password | Local accounts, optionally Microsoft Entra | Employees, contractors, and event staff without certificates | Yes — personal accounts and delegated group administration | Available |
| EAP-TLS — Device certificate | A certificate that names the device | Customer PKI; optional Entra device groups and Intune posture | Managed and unattended equipment — laptops, kiosks, headless gear (with MAB fallback) | Central | Available |
| EAP-TLS with Entra | A certificate that names the user | Microsoft Entra group membership; optional Intune posture | Employees on MDM-enrolled devices, BYOD gated on compliance | Central | Available |
| Cisco iPSK | A per-group pre-shared key, served over RADIUS | Local groups, with Cisco security group tags | IoT and device fleets on Cisco networks | Yes — group key and devices | Available |
| eduroam / RADIUS Proxy | Forwarded upstream | A remote RADIUS federation | Higher education and roaming federation | No | Available |
| EasyPSK via RADIUS | A per-Unit pre-shared key, served over RADIUS | Local Units (a group of up to 30 devices), on Meraki and Catalyst 9800 | Per-unit residential and shared-space Wi-Fi: one key per home, room, or desk cluster | Yes, per-Unit keys and devices | Available |
MAC Authentication Bypass (MAB) is not a variant of its own. It lives inside the Dot1x groups — most often the device-certificate groups — so that headless gear that cannot run 802.1X is admitted by its MAC address and inherits the group’s network policy alongside the certificate-authenticated devices.
Choosing between the two EAP-TLS variants
Section titled “Choosing between the two EAP-TLS variants”Both EAP-TLS variants use certificates and can resolve group membership against Microsoft Entra. The difference is what the certificate identifies:
- A device certificate names the machine. Use it for managed or unattended equipment where the device, not a person, is the thing being trusted. This is also where the MAB fallback for headless gear belongs.
- A user certificate with Entra names the person. Use it for employees on managed devices, where access follows the user’s Entra group membership and, optionally, the device’s Intune compliance state.
A single context can run EAP-PEAP and EAP-TLS together, so a mixed fleet — employees on certificates, contractors on passwords, headless gear on MAB — is served from one RADIUS service.
Related sections
Section titled “Related sections”- EAP-PEAP, EAP-TLS — Device certificate, and EAP-TLS with Entra.
- Cisco iPSK and eduroam / RADIUS Proxy.
- EasyPSK via RADIUS: the EntryPoint 2.0 (EasyPSK) context for per-unit residential and shared-space keys.
- Setup and requirements: the prerequisites shared across the 802.1X variants.