Solution area · Corporate & Business

One platform.
Every identity your network has to serve.

Modern businesses don't have one access problem. They have four. Employees on managed laptops. BYOD on personal phones. Visitors arriving for a meeting. Apple TVs in conference rooms.

Netgraph delivers the right method per audience, and delegates day-to-day work to the people who actually own each fleet. And nobody outside IT needs a platform login.

Audiences Employees · BYOD · Guests · IoT
Methods 802.1X · SAML · iPSK
Identity Microsoft Entra ID · local · self-service
Operations Delegated · audited
The model

Four audiences. Four flows.
Four owners. None of them IT.

IT defines the policy template once: VLANs, Attribute Profiles, Compliance Check thresholds. After that, the day-to-day shrinks to group-level work that lives where it belongs. HR offboards in Entra and the network follows. A reception manager invites the next visitor. Facility manager whitelists the new meeting-room display. The vendor that installed the badge readers rotates the PSK on their fleet.

IT keeps the bigger picture. Every Self-Service action is audited and scoped to one Group. Compliance gets identity-bound exports per period. Help-desk volume drops in proportion to how many audiences you delegate.

Pick the right method per audience

Four flows.
Different audiences, different methods.

Most modern businesses end up using all four. Pick per audience, not per company.

01 · Employees

Wi-Fi that follows your Entra groups.

Onboard once. Group lives in Entra. Cert renewed via Intune.

Employees on managed laptops authenticate with a per-user or per-device certificate. EntryPoint validates the cert against the corporate PKI and matches the bearer to a Microsoft Entra ID group. Add someone to the Entra group, they're on the Wi-Fi. Remove them, they're off on the next auth.

  • EAP-TLS on managed devices. No passwords on the wire.
  • Groups mirror Microsoft Entra ID groups.
  • Optional Intune Device Compliance Check at the RADIUS layer.
  • MAB fallback inside the same Group for headless gear.
Built on EntryPoint Read more →
02 · BYOD

BYOD on the identities employees already have.

Two paths. Same audience. Pick what your environment supports.

Personal phones, contractor laptops, hot-desking devices that can't carry an MDM cert. The BYOD audience the corporate network still has to serve. Two patterns work in production: a Sign In captive portal (lowest friction, no on-device profile) or an EntryPoint Personal PEAP account (true 802.1X, identity on the wire).

Path A
Captive portal. Corporate identity, zero hardware.
  • BYOD-SAML: "Sign in with Microsoft / Google / Okta" using the same MFA-protected login your staff already use.
  • Email Self-Provisioning: the @acme.com domain maps to its own access policy on the captive portal. Only verified employees get on.
  • Per-policy device quota and session length, self-service to free a slot.
  • Auto-deauth when HR offboards via the IdP.
Path B EntryPoint
Personal PEAP. Real 802.1X without a cert rollout.
  • Per-user, per-Group EAP-PEAP credential. Username is the user's email, password auto-generated on first Self-Service visit.
  • Employee opens the Self-Service portal, copies username + password, follows per-OS setup instructions.
  • Admins can revoke a credential or device. They can never see the password.
  • User rotates their own password; new credential takes effect on next auth.
Read more about EntryPoint →
Built on EntryPoint
03 · Guests & visitors

Visitor Wi-Fi without the front-desk bottleneck.

Sponsored, self-served, or one-tap. Pick per scenario.

Reception is the wrong place to run guest Wi-Fi. Each employee hosts their own visitors with one-click email approval. Larger groups self-onboard with an event ID. Casual visitors verify by email or phone. Four flows, one platform, every session attributed and traceable.

  • Meeting Host. One-click email approval per visitor.
  • Conference & Group ID. Hundreds onboard in parallel.
  • Self-provision via email or SMS, with verified identity.
  • Click-to-Connect. One-tap branded landing for known visitors.
Built on Read more →
04 · Enterprise IoT

For the gear that can't fill in a form.

Conference rooms, AV, sensors, printers, badge readers.

Apple TVs in conference rooms. Printers behind switchports. Smart-building sensors and badge readers. Sign In's Self-Service portal lets the team that owns each fleet whitelist their own devices. EntryPoint runs Identity PSK per Group. Endpoint Manager delegates ISE group administration without giving anyone an ISE login.

  • Sign In Whitelisting. Staff onboard their own screenless devices.
  • EntryPoint iPSK. Per-Group shared PSK for Cisco IoT fleets.
  • EntryPoint MAB inside Dot1x Groups. Printers on the same VLAN.
  • Endpoint Manager. Delegated administration of Cisco ISE groups.
Built on EntryPointEndpoint Manager Read more →
Delegated administration

IT runs the platform.
Each audience runs itself.

The biggest operational win isn't a feature. It's the org chart. Sign In, EntryPoint and Endpoint Manager all expose Self-Service portals scoped to one Group. Audience leads invite their own people. Vendors manage their own MACs. Facility managers add their own Apple TVs. IT stops being the bottleneck.

Who does what
  • Central IT Platform · Contexts · policy templates · audit
  • HR / IdP team Entra group lifecycle · onboarding · offboarding
  • Audience leads Their own audience: employees, contractors, vendors
  • Reception Out of the loop. Visitors handle themselves.
  • Facility / AV Their own IoT fleet via Self-Service Whitelisting
  • Vendors Their own iPSK Group · their own PSK · their own MACs
The platform

Four modules. One platform. Use what you need.

Corporate · employees · BYOD · IoT · guests

Stop running guest Wi-Fi from the front desk

Or any of the other three audience problems modern networks have. Talk to us about a 30-minute demo, and some slides.

Book a demoTour the platform