Skip to content
EAP-TLS — Device cert

EAP-TLS — Device certificate overview

EAP-TLS with a device certificate authenticates the machine rather than a person. The certificate names the device, EntryPoint validates it against the trusted certificate authorities, and the device is admitted with its group’s network policy. It is the variant for managed and unattended equipment, and it is where the MAC Authentication Bypass fallback for headless gear belongs.

At a glance

Credential
A certificate that names the device (machine certificate)
Identity source
Customer PKI; optional Microsoft Entra device groups
Compliance
Optional Microsoft Intune device-compliance check
Best for
Managed and unattended equipment — laptops, kiosks, workstations, plus headless gear via MAB
Self-service
Central administration
Status
Available

Each device carries a certificate whose subject identifies the device. On authentication, EntryPoint validates the certificate chain against the context’s trusted CAs, checks revocation, resolves the device to its group, and returns that group’s network policy. No password is exchanged, and there is no per-user account to manage — the trust is in the device’s certificate.

Group membership can be resolved locally or, where the connection is configured, against Microsoft Entra device groups. Device-compliance enforcement through Microsoft Intune is an optional layer on top — see the Entra connection.

Use a device-certificate group for equipment where the device, not a person, is the thing being trusted: managed laptops, kiosks, factory workstations, building-automation panels. Headless gear that cannot run 802.1X — printers, phones — is admitted through the MAB Device List that lives on the same group.

This variant identifies devices, not people. Where access should follow a person’s Microsoft Entra group membership, use EAP-TLS with Entra; where the audience has only passwords, use EAP-PEAP. All three can share a context.

Next