EAP-TLS — Device certificate overview
EAP-TLS with a device certificate authenticates the machine rather than a person. The certificate names the device, EntryPoint validates it against the trusted certificate authorities, and the device is admitted with its group’s network policy. It is the variant for managed and unattended equipment, and it is where the MAC Authentication Bypass fallback for headless gear belongs.
At a glance
- Credential
- A certificate that names the device (machine certificate)
- Identity source
- Customer PKI; optional Microsoft Entra device groups
- Compliance
- Optional Microsoft Intune device-compliance check
- Best for
- Managed and unattended equipment — laptops, kiosks, workstations, plus headless gear via MAB
- Self-service
- Central administration
- Status
- Available
How it works
Section titled “How it works”Each device carries a certificate whose subject identifies the device. On authentication, EntryPoint validates the certificate chain against the context’s trusted CAs, checks revocation, resolves the device to its group, and returns that group’s network policy. No password is exchanged, and there is no per-user account to manage — the trust is in the device’s certificate.
Group membership can be resolved locally or, where the connection is configured, against Microsoft Entra device groups. Device-compliance enforcement through Microsoft Intune is an optional layer on top — see the Entra connection.
Who it is for
Section titled “Who it is for”Use a device-certificate group for equipment where the device, not a person, is the thing being trusted: managed laptops, kiosks, factory workstations, building-automation panels. Headless gear that cannot run 802.1X — printers, phones — is admitted through the MAB Device List that lives on the same group.
What it is not
Section titled “What it is not”This variant identifies devices, not people. Where access should follow a person’s Microsoft Entra group membership, use EAP-TLS with Entra; where the audience has only passwords, use EAP-PEAP. All three can share a context.
Prerequisites
Section titled “Prerequisites”- A PKI issuing device certificates, the trusted CAs uploaded to the context, and a CRL endpoint — see Certificates & PKI.
- The network equipment pointed at the context — see RADIUS clients & RadSec.
- Optionally, the Entra connection for Entra device groups and Intune compliance.
Where to go next
Section titled “Where to go next”- Device-cert groups & MAB: how groups are matched and how the MAB fallback works.
- Comparing variants: device certificate versus user certificate.