Skip to content
Reference

Comparing variants

EntryPoint is one RADIUS service with several variants. Each variant matches a different way an audience proves who it is: a password, a certificate that names a device, a certificate that names a person, a per-group key, or a credential checked by a remote federation. A service context runs one variant; an organization typically runs several contexts side by side.

Pick the variant by the credential the audience already has, then by where its identity is resolved.

VariantCredentialIdentity / backendBest forDelegated self-serviceStatus
EAP-PEAPUsername and passwordLocal accounts, optionally Microsoft EntraEmployees, contractors, and event staff without certificatesYes — personal accounts and delegated group administrationAvailable
EAP-TLS — Device certificateA certificate that names the deviceCustomer PKI; optional Entra device groups and Intune postureManaged and unattended equipment — laptops, kiosks, headless gear (with MAB fallback)CentralAvailable
EAP-TLS with EntraA certificate that names the userMicrosoft Entra group membership; optional Intune postureEmployees on MDM-enrolled devices, BYOD gated on complianceCentralAvailable
Cisco iPSKA per-group pre-shared key, served over RADIUSLocal groups, with Cisco security group tagsIoT and device fleets on Cisco networksYes — group key and devicesAvailable
eduroam / RADIUS ProxyForwarded upstreamA remote RADIUS federationHigher education and roaming federationNoAvailable
EasyPSK via RADIUSA per-Unit pre-shared key, served over RADIUSLocal Units (a group of up to 30 devices), on Meraki and Catalyst 9800Per-unit residential and shared-space Wi-Fi: one key per home, room, or desk clusterYes, per-Unit keys and devicesAvailable

MAC Authentication Bypass (MAB) is not a variant of its own. It lives inside the Dot1x groups — most often the device-certificate groups — so that headless gear that cannot run 802.1X is admitted by its MAC address and inherits the group’s network policy alongside the certificate-authenticated devices.

Both EAP-TLS variants use certificates and can resolve group membership against Microsoft Entra. The difference is what the certificate identifies:

  • A device certificate names the machine. Use it for managed or unattended equipment where the device, not a person, is the thing being trusted. This is also where the MAB fallback for headless gear belongs.
  • A user certificate with Entra names the person. Use it for employees on managed devices, where access follows the user’s Entra group membership and, optionally, the device’s Intune compliance state.

A single context can run EAP-PEAP and EAP-TLS together, so a mixed fleet — employees on certificates, contractors on passwords, headless gear on MAB — is served from one RADIUS service.

Next