EntryPoint (RADIUS-as-a-Service)
EntryPoint is a cloud-hosted RADIUS service. It authenticates devices and users onto the network using 802.1X, MAC Authentication Bypass, Identity PSK, or RADIUS proxy, without the organization running or maintaining its own RADIUS servers. Because EntryPoint speaks standard RADIUS, it works with RADIUS-capable network equipment from Cisco and other major vendors; the Identity PSK and security-group capabilities are specific to Cisco networks.
Service at a glance
- Purpose
- Cloud RADIUS for enterprise network access, without running your own RADIUS
- Variants
- 802.1X (EAP-PEAP, EAP-TLS) Available · RADIUS proxy / eduroam Available · Identity PSK Available · EasyPSK via RADIUS Available
- Best for
- Employee 802.1X, BYOD, contractors, IoT fleets, federation (eduroam)
- Licensed by
- Per active endpoint (minimum 100)
- Key prerequisite
- A Cisco network whose controller can reach EntryPoint over RADIUS
- Data location
- Global Cloud, or Nordic Sovereign Cloud (data in Sweden)
1. Purpose and use cases
Section titled “1. Purpose and use cases”EntryPoint replaces on-premises RADIUS infrastructure with a managed cloud service. It is used for employee 802.1X on wired and wireless networks, BYOD and contractor onboarding, per-group Identity PSK for IoT fleets, and federated access such as eduroam. Each scenario is served by a variant tuned to that access model.
2. Service scope and variants
Section titled “2. Service scope and variants”An EntryPoint service context is one RADIUS service of one variant. An organization typically runs several contexts, for example one for employee 802.1X and one for IoT Identity PSK.
| Variant | Authentication | Typical use | Status |
|---|---|---|---|
| 802.1X (EAP-PEAP) | Username and password | Employees, contractors, event staff | Available |
| 802.1X (EAP-TLS) | Device or user certificate, with Microsoft Entra ID | Managed device fleets, BYOD with compliance | Available |
| RADIUS proxy / eduroam | Forwarded to a remote RADIUS federation | Higher education, roaming federation | Available |
| Identity PSK | Per-group pre-shared key over RADIUS | IoT and device fleets on Cisco | Available |
MAC Authentication Bypass is supported alongside certificate-based groups for devices that cannot run 802.1X.
3. Key functions
Section titled “3. Key functions”- A dedicated RADIUS hostname per service context.
- A per-context shared secret and a RADIUS client allow-list (by IP or CIDR); an empty allow-list denies all clients.
- Attribute Profiles that return network attributes per group, including VLAN assignment (tunnel attributes) and Cisco security group tags.
- Microsoft Entra ID integration for certificate-based 802.1X, with Microsoft Intune device-compliance checks.
- RADIUS proxy to a remote federation, with RadSec available for transport security.
- Optional private connectivity to the network over Service Connector (IPSec), instead of the public internet.
- An authentication log of every RADIUS attempt (outcome, reason, and a step-by-step timeline), plus configuration audit logging and webhooks.
4. Architecture and how it works
Section titled “4. Architecture and how it works”EntryPoint terminates RADIUS in the cloud. A Cisco wireless or wired controller is configured to use the context’s RADIUS hostname and shared secret, and only clients on the allow-list are accepted. On a successful authentication, EntryPoint returns the group’s Attribute Profile so the network applies the correct VLAN and policy. For EAP-TLS, identity and device compliance are validated against Microsoft Entra ID and Intune. For proxy and eduroam, requests are forwarded to the configured upstream federation.
5. Customer requirements and prerequisites
Section titled “5. Customer requirements and prerequisites”| Item | Requirement |
|---|---|
| Network | Network equipment that can act as a RADIUS client (Cisco and other RADIUS-capable vendors) |
| RADIUS reachability | The controller must reach the context RADIUS hostname; RadSec is available where transport must be secured |
| Connectivity | RADIUS over the public internet, or privately over Service Connector (IPSec) |
| RADIUS client config | The per-context shared secret, and the client added to the allow-list (IP or CIDR) |
| Identity (EAP-TLS) | Microsoft Entra ID, and Microsoft Intune where device compliance is required |
| Federation (proxy) | A reachable upstream RADIUS federation |
Network connectivity is summarized in Network Requirements.
6. Integrations and dependencies
Section titled “6. Integrations and dependencies”EntryPoint integrates with RADIUS-capable wireless and wired networks as a RADIUS server, with Microsoft Entra ID and Intune for certificate-based access, and with upstream RADIUS federations for proxy and eduroam. It depends on the customer’s network being able to reach the service over RADIUS, either over the public internet or privately over Service Connector. See Integrations.
7. Roles and responsibilities
Section titled “7. Roles and responsibilities”| Role | Surface | Capabilities |
|---|---|---|
| Organization / EntryPoint administrator | Administration Portal | Configure the context, RADIUS clients, attribute profiles, and groups |
| Group administrator | Self-Service Portal | Manage their own group: members and, for Identity PSK, the group key |
Self-service delegation is available for the EAP-PEAP and Identity PSK variants. Certificate-based and proxy variants are administered centrally. See Roles and Administration Levels.
8. Licensing and activation
Section titled “8. Licensing and activation”EntryPoint is licensed per active endpoint on top of the platform delivery license, with a minimum of 100 endpoints. One license covers 802.1X, MAB, Identity PSK, and RADIUS proxy, with volume tiers as the count grows. The endpoint count runs on a 24-hour cache, so additions and removals settle within a day. Authoritative product codes and terms are on the EntryPoint License page; the model is summarized in Licensing and Service Levels. Licenses are sold through authorized partners.
9. Security, logging, and data protection
Section titled “9. Security, logging, and data protection”Each context is isolated by its own hostname, shared secret, and client allow-list. Every authentication attempt is recorded in the authentication log, and administrative changes are recorded in the configuration audit log with actor, action, and before and after values, with secrets redacted. Transport can be secured with RadSec, or kept off the public internet entirely with Service Connector. Platform-wide protections are described in Security and Data Protection and Logging, Reporting, and Retention.
10. Limitations and exclusions
Section titled “10. Limitations and exclusions”- One context serves one variant; mixing variants requires separate contexts.
- The RADIUS proxy variant forwards to a remote federation and does not hold local identities or offer self-service.
- The minimum license is 100 endpoints.
11. Related services
Section titled “11. Related services”- EasyPSK delivers per-unit Wi-Fi keys for shared-space and residential venues. Its primary delivery, EasyPSK via RADIUS, runs on the EntryPoint engine as the EntryPoint 2.0 (EasyPSK) context and can draw on the same endpoint pool. EntryPoint’s own Identity PSK is for group-based keys organized by device class rather than by unit.
- Endpoint Manager for Cisco ISE delegates endpoint administration in an existing Cisco ISE deployment. EntryPoint is a RADIUS service in its own right, not an administration layer over ISE.
12. When to use, and when not to use
Section titled “12. When to use, and when not to use”Use EntryPoint when you need cloud RADIUS for 802.1X, MAB, Identity PSK, or federation, without operating RADIUS servers yourself. For per-unit residential Wi-Fi keys, start from EasyPSK; its RADIUS variant runs on EntryPoint and can share this endpoint pool. When you already run Cisco ISE for authentication and only need to delegate endpoint administration, use Endpoint Manager instead.