Service · EntryPoint · RADIUS-as-a-Service

Authenticated network access
without running RADIUS yourself.

EntryPoint is Netgraph's RADIUS-as-a-Service. Enterprise Wi-Fi, wired networks and upstream proxy, secured by 802.1X, certificates, identity PSK or MAB, delivered as a cloud service that scales with your organization. No appliances. No patches. No 3 AM pages.

Methods EAP-PEAP · EAP-TLS · iPSK · MAB · Radius Proxy
Identity Local · Microsoft Entra ID
Compliance Intune Device Compliance Check
Transport RadSec (TLS) · IPSec via Connector
At a glance

One service. Five variants. Every identity.

5
Variants
PEAP · TLS+Entra · iPSK · Proxy · EasyPSK
0
RADIUS servers to run
Cloud-delivered, you don't patch
1
Group per audience
Delegated lead, scoped Self-Service
MACs in MAB list
Per Dot1x Group · CSV-bulk on iPSK
The model

One Context. One variant. One identity.
Repeat as needed.

Every EntryPoint deployment starts the same way: pick a variant in the Create RADIUSaaS Context wizard. The Context becomes its own isolated RADIUS process with separate ports for RADIUS Auth, RADIUS Accounting and RadSec, a per-Context shared secret, and an IP allow-list you control. Inside the Context you create Groups (one per identity or device class), each with its own Attribute Profile and, where it fits, its own delegated lead.

Most organizations end up running more than one Context: a Dot1x Context for staff and contractors, an iPSK Context for IoT, a Radius Proxy Context for eduroam. Same hostname, separate ports, separate processes. The wizard makes that fast.

Pick the right method per audience

Five variants.
One platform.

Most organizations run more than one. Pick per audience, not per company.

01 · EAP-PEAP

Username & password 802.1X

Per-audience Groups, delegated Self-Service

Audiences whose devices speak PEAP but where issuing a certificate isn't worth it: employees, contractor firms, vendor teams, event cohorts, students. Each audience gets its own Group; the audience's lead invites their own people via the Self-Service portal. IT stays out of per-user churn.

  • Auto-generated Personal PEAP Account per user.
  • Per-OS setup guides (macOS · Windows · iOS · Android · ChromeOS).
  • Self-Service password rotation — admins never see passwords.
  • Local store or Microsoft Entra ID as identity backend.
02 · EAP-TLS

Certificate-based 802.1X for managed fleets.

Validate against EntryPoint's trust list or Microsoft Entra ID.

Certificate-based 802.1X for managed corporate devices. EntryPoint validates the certificate at every auth — either against its own trust list (self-contained, no external identity provider) or against Microsoft Entra ID (mirror your Entra group structure, optional Intune Device Compliance Check on every auth). No passwords on the wire. Your PKI issues the certs; your MDM (typically Intune) distributes them to the devices.

  • Validate against EntryPoint's trust list, or mirror Microsoft Entra ID groups
  • User-cert and device-cert Groups in either backend
  • Optional Intune Device Compliance Check via Microsoft Graph (Entra path)
  • EntryPoint validates only. Your PKI issues the certs; your MDM (Intune or other) distributes them.
03 · iPSK for Cisco Networks

Cisco Identity PSK. One key per fleet.

Distributed administration for Cisco WLAN IoT fleets.

Identity PSK as a RADIUS service for Cisco WLAN. Each EntryPoint Group holds one shared PSK and the MAC addresses of every device in that Group. Each fleet (robot cleaners, digital signage, smart locks, lab sensors) has its own Group and its own delegated PSK Administrator from the team that owns the fleet.

  • One Group per device class. Own PSK, own admin.
  • Self-Service for PSK rotation, device add/remove, bulk CSV import.
  • Per-Group Attribute Profile returns VLAN / SGT on every auth.
  • Cisco Catalyst 9800 + Meraki (with iPSK-via-RADIUS).
04 · Radius Proxy

Proxy auth to an upstream RADIUS.

Forward RADIUS to where the identities live.

Forward RADIUS authentication and accounting to a remote upstream server. EntryPoint applies one Attribute Profile to every authenticated user via the Default Device Group. Common use cases: eduroam (forward to a national federation tier for universities), franchise networks (forward to the parent organization's RADIUS), and consolidated identity (one shared RADIUS for many sites). Optional RadSec (RADIUS over TLS) for encrypted transport.

  • Forward Authentication and Accounting to any upstream RADIUS.
  • Common use cases: eduroam, franchise / partner networks, consolidated identity.
  • RadSec (RADIUS over TLS) supported for encrypted transport.
  • Single Default Device Group with Attribute Profile per visitor.
05 · EasyPSK via RADIUS

Per-unit Wi-Fi keys for shared spaces.

The EntryPoint 2.0 (EasyPSK) context: one key per home, room, or desk.

Private per-user Wi-Fi for residential and shared-space venues: co-living, student housing, hospitality, co-working. Each Unit is a group of up to 30 devices with its own key and its own isolated network on one shared SSID, and residents onboard themselves. Delivered as an EntryPoint context, so it draws on the same endpoint pool as the other variants. The full product story lives on the EasyPSK page.

  • Per-Unit key, up to 30 devices per Unit, isolated from neighbours.
  • Three security flavours per group: Instant, Approved, Dedicated.
  • Self-Service onboarding via QR or portal, delegated per property.
  • Cisco Meraki and Catalyst 9800, served over RADIUS.
BYOD onboarding

Personal PEAP Account
issued the moment you sign in.

A user accepts the Self-Service invitation and lands on the portal. Their auto-generated Personal PEAP Account is right there. Username, password, per-OS setup guides for every device they own, and the list of devices currently authenticated with that account.

IT never sees the password. The user can rotate it themselves. The Group lead invited them. The audit trail covers everything.

selfservice.netgraph.cloud
Group · Acme Consulting · 802.1X-PEAP
Your Credentials
User · Group Administrator
Username
erika.lindberg@acme.com
Password
●●●●●●●●●●●●
Account Management
Setup Instructions
macOS · Windows · iPhone · Android · ChromeOS
Change Password
Rotate · takes effect on next auth
Connected Devices
3 active · iPhone, MacBook, iPad
Group Users
Group Administrator only
Headless gear

MAB lives inside every Dot1x Group.

Printers, VoIP phones, BMS panels — the gear that can't run a supplicant. Every Dot1x Group carries a MAB Device List tab; listed MAC addresses authenticate by MAC and inherit the same Attribute Profile as the 802.1X-authenticated devices in the same Group. One audit trail, one VLAN, no second tier of policy.

  • Printers, VoIP phones and BMS panels alongside 802.1X laptops
  • Sensors, barcode scanners, badge readers — anything without a supplicant
  • Same Attribute Profile as the Group — one VLAN, one audit trail
  • Bulk-add by CSV, retire on EOL, audit on every change
Group · Factory Workstations
Members MAB Device List Attribute Profile
🖨 F4:CE:46:1A:80:7B HP-LaserJet-Floor-3
📞 00:25:84:EA:11:F2 Cisco-IPPhone-Conf-A
📡 A4:CF:12:09:88:4D HVAC-Controller-3F
All inherit the Group's VLAN 220 — Manufacturing Attribute Profile.
Built into every Context

The cloud-RADIUS ergonomics you'd build yourself if you had a year.

01

Context per variant

One Context = one isolated RADIUS process, one wizard-picked variant, one audience family. Most Organizations run several: Dot1x for staff and contractors, iPSK for IoT, Proxy for eduroam.

02

Dedicated ports per Context

Every Context shares the platform hostname but gets its own dedicated ports for RADIUS Auth, RADIUS Accounting and RadSec, backed by a per-Context shared secret and IP allow-list you control.

03

Attribute Profiles

Named bundles of RADIUS return attributes (VLAN, Cisco SGT, tunnel attributes), defined once per Context and attached to many Groups. The cleanest way to drive policy from auth.

04

MAB inside every Dot1x Group

MAC Authentication Bypass appears as a tab on every Dot1x Group. Printers and headless gear inherit the Group's Attribute Profile alongside the 802.1X-authenticated devices.

05

Audit log + webhooks

Every configuration change is audited at Organization or Context scope. Webhooks fire entrypoint.configuration.audit so you can mirror changes into your SIEM or change-management pipeline.

06

Cisco-native attributes

Push Cisco AV-pairs, Security Group Tags and standard tunnel attributes natively. Works with Catalyst 9800, Meraki MR/MX, and any RADIUS-speaking switch.

Roles & delegation

Group-level administration that gives IT its weekends back.

Across four of the five variants, day-to-day work is delegated to the people who actually own each fleet, without giving anyone admin access to the platform itself.

Organization administrator
Whole Organization · all Contexts

Creates the EntryPoint Context (one variant per Context), attaches network equipment, creates Groups, invites the lead per Group, reviews audit logs and webhooks.

Group Administrator
One Group

Lead of the audience or fleet. Invites and revokes their own people from the Self-Service portal. Sees the Group's Connected Devices. Never logs in to the admin dashboard.

PSK Administrator (iPSK)
One iPSK Group

Rotates the Group's shared Pre-Shared Key. Combined with default User role, also manages the device list. Used by vendor or internal IoT-fleet operators.

User (default)
Their own credentials in one Group

Sees their Personal PEAP Account, copies or rotates the password, reads per-OS setup instructions, reviews their own Connected Devices. iPSK users add/remove the devices in their Group.

Not the right tool

EntryPoint is what it is. And not these.

Captive-portal guest Wi-Fi

Short-stay visitors who self-provision by email or SMS — that's Sign In, not EntryPoint.

Per-unit residential Wi-Fi keys

One home, one PSK, residents self-serve: that's EasyPSK, which runs on the EntryPoint engine as the EntryPoint 2.0 (EasyPSK) context. Start from EasyPSK for that shape.

Day-to-day ISE endpoint admin

Delegated MAC-by-MAC administration of an existing Cisco ISE — that's Endpoint Manager.

Certificate issuance

EntryPoint validates certificates. Your corporate PKI (AD CS, SCEP, Intune connector) issues them.

Need a captive portal? See Sign In. Per-unit PSK on Cisco networks? See EasyPSK. ISE delegation? See Endpoint Manager.
Enterprise Wi-Fi · Wired · Federated roaming

Stop running RADIUS. Start using it.

If you're still patching FreeRADIUS or licensing a hardware appliance for what could be a cloud service, EntryPoint is built for you. 30-minute demo, and some slides.

Book a demoRead the docs