Groups & self-service
EAP-PEAP is organised around groups, one per audience. Each group carries the network policy its members receive and can be handed to that audience’s own lead to run, so day-to-day account management does not fall on central IT.
Groups per audience
Section titled “Groups per audience”A PEAP group represents one audience — employees, a contractor firm, a vendor team, an event cohort. Each group has:
- An Attribute Profile that defines the network policy returned on a successful authentication, such as a VLAN (tunnel attributes) or a Cisco security group tag.
- A roster of members, managed centrally or delegated to the group’s administrator.
- A group name and lifecycle controls, so a group can be renamed or retired when the audience changes.
Attribute Profiles are defined once and reused across groups; they present the attribute as a standard value or a vendor-specific pair (for example a Cisco security group tag) and are covered in the administration model.
Personal accounts
Section titled “Personal accounts”A PEAP group can issue each member an individual set of credentials — a personal account — rather than sharing one set. Members manage their own password through the Self-Service Portal, which keeps credentials individual and revocable without disturbing the rest of the group.
Self-service enrollment and delegation
Section titled “Self-service enrollment and delegation”Two mechanisms reduce the central administration load:
- Self-service enrollment can be enabled so that a new user is assigned into the group automatically on first sign-in to the Self-Service Portal, rather than being added by hand. Users can also be added and assigned manually where tighter control is wanted.
- Delegated administration lets the audience’s lead act as a group administrator in the Self-Service Portal, managing their own members while the organization administrator retains overall control of the context. The roles are described in Roles and Administration Levels.
What members see
Section titled “What members see”Through the Self-Service Portal, a member can set up the connection using the group’s SSID and their credentials, monitor their connected devices in real time (status, IP and MAC address, last seen), and manage their password. The portal provides the connection guidance so members can get on the network without an IT ticket.
Auditing
Section titled “Auditing”Group creation and configuration changes are recorded in the configuration audit log with the actor, the action, and before-and-after values, and every authentication attempt is recorded in the authentication log.
Related sections
Section titled “Related sections”- EAP-PEAP overview.
- Entra connection: backing PEAP groups with Entra membership.
- EAP-TLS with Entra: combining PEAP and certificate-based access on one context.