View Categories

Requirements & Dependencies

EntryPoint RADIUSaaS provides a cloud-based authentication service designed to enhance network security using 802.1X authentication methods, such as EAP-TLS and EAP-PEAP. To ensure seamless deployment and operation, the following system requirements and dependencies must be met.

#
Entra ID Integration Requirements #

To integrate EntryPoint RADIUSaaS with Microsoft Entra ID (formerly Azure AD) as the backend identity provider, the following requirements must be met:

An Application Registration in Microsoft Entra ID is Required: #

  • A new App Registration must be created in Microsoft Entra ID (Azure AD).

  • The following details must be provided in the EntryPoint portal:

    • Directory (Tenant) ID

    • Application (Client) ID

    • Client Secret (generated during app registration)

Required API Permissions in Microsoft Entra ID: #

  • The registered application must have the following API permissions granted:

    • Group.Read.All → To retrieve user group memberships.

    • User.Read.All → To access user identity information.

  • Admin Consent must be granted for these permissions.

Device Compliance Check (Optional but Recommended): #

  • If device compliance enforcement is required, Microsoft Intune must be used to enforce compliance before granting access.

  • Devices must meet security requirements before they are authenticated via EntryPoint.

CA Certificate Requirements EAP-TLS #

For EAP-TLS (certificate-based authentication), the following certificate requirements must be met:

A Public Key Infrastructure (PKI) or Certificates from a CA Are Required: #

  • Customers must issue certificates from either:

    • An internal Microsoft PKI (Active Directory Certificate Services)

    • An external CA (e.g., DigiCert, Sectigo, GoDaddy)

  • All certificates must comply with 802.1X authentication standards.

Trusted Certificate Authorities (CAs) Must Be Uploaded to EntryPoint: #

  • The following CA certificates must be uploaded to the EntryPoint portal under EAP-TLS settings:

    • Root CA Certificate

    • Issuing CA Certificate

  • The certificate chain must be valid and trusted across all devices.

  • All uploaded certificates must be in PEM format (.pem, Base64 encoded).

A Certificate Revocation List (CRL) URL Must Be Provided: #

  • A CRL URL must be specified to verify the validity of client certificates.

  • Example format: http://primary-cdn.pki.azure.net/.../current.crl

  • Client devices and RADIUS servers must have access to this CRL endpoint.

Client Certificates Must Be Deployed to User Devices: #

  • Certificates must be distributed using Microsoft Intune, Group Policy, or an MDM solution to all managed devices.

  • Client devices must match the authentication policies configured in EntryPoint.

RADIUS Server Certificate Requirements EAP-TLS & EAP-PEAP #

The RADIUS Server Certificate is essential for encrypting communication between clients and the RADIUS server. Customers must choose one of the following options:

Option 1: Bring Your Own Certificate (BYOC) #
A RADIUS Server Certificate Must Be Uploaded to EntryPoint: #

  • Customers must provide a certificate issued by:

    • A public CA (e.g., GoDaddy, DigiCert, Sectigo)

    • A private/internal CA (e.g., an organization’s PKI)

The Certificate Must Meet the Following Format Requirements: #

  • All RADIUS Server certificates must be in PEM format (.pem, Base64 encoded).

  • The certificate chain (Root CA, Issuing CA, and Server Certificate) must be included in the uploaded file.

Client Devices Must Trust the Uploaded Certificate: #

  • The Root CA and Issuing CA must be trusted by all client devices.

  • Organizations must distribute these certificates using Microsoft Intune, Group Policy, or manual provisioning.

Option 2: Use the Built-in RADIUS Certificate (Optional) #
Customers May Use the Built-in RADIUS Server Certificate Provided by EntryPoint: #

  • This eliminates the need to upload a custom certificate.

  • The built-in certificate is automatically managed by EntryPoint.

  • Client devices must trust the EntryPoint RADIUS server for authentication to work.

TLS 1.2 Is Required for Secure Communication: #

  • Only TLS 1.2 is supported for RADIUS authentication.

  • Older TLS versions (TLS 1.1, TLS 1.0) are not supported due to security risks.

  • TLS 1.3 is not supported.
RadSec (RADIUS over TLS) Requirements #

For secure RADIUS communication over RadSec, the following requirements must be met:

RadSec Must Be Enabled in the EntryPoint Portal: #

  • The RadSec option must be turned on under RADIUS Server Settings.

A Valid RadSec Server Certificate Must Be Provided: #

  • Customers must upload a valid server certificate from a trusted CA (e.g., Cisco Meraki).

RadSec Certificates Must Be in PEM Format: #

  • All RadSec certificates must be in PEM format (.pem, Base64 encoded).

RadSec Must Be Supported on Network Devices: #

  • Wi-Fi Access Points (APs) and switches must support RadSec.

  • APs must be configured to use EntryPoint as the RadSec RADIUS server.

  • The trusted RadSec certificate must be uploaded to the network controller/dashboard (e.g., Cisco Meraki Dashboard).

Network Access Requirements #

For EntryPoint RADIUSaaS to function, customers must ensure network access is open for RADIUS traffic and, if applicable, RadSec (RADIUS over TLS).

Required Standard RADIUS Ports (UDP)

Optional RadSec Ports (TCP) for Encrypted RADIUS Traffic

Firewall Rules Must Allow EntryPoint Servers

  • Network firewalls must allow traffic on the required ports.

  • APs, switches, and other RADIUS clients must be able to reach EntryPoint RADIUS servers

Summary of Customer Responsibilities #

Configuration Area

Customer Requirements

Identity Provider Integration

Entra ID registration, API credentials, permissions, and optional device compliance enforcement.

Certificate Requirements

PKI or CA-issued certificates, CRL validation, and deployment of trusted CA certificates.

RADIUS Server Certificate

Upload a BYOC certificate or use the built-in EntryPoint certificate.

RadSec (RADIUS over TLS)

Enable RadSec, provide a valid RadSec certificate, ensure network device compatibility.

TLS Version Requirement

Only TLS 1.2 is supported for EAP-TLS authentication and RadSec communications.

Network Access.                       

Open required RADIUS and optional RadSec ports.

Firewall Rules.                            

Ensure APs and switches can communicate with EntryPoint RADIUS servers.

Message-Authenticator                            

All RADIUS clients (e.g., wireless controllers, switches, VPN gateways) must include a valid Message-Authenticator attribute in authentication requests. Clients that omit this field or send it incorrectly will be rejected by EntryPoint RADIUS services.

Netgraph
Powered by  GDPR Cookie Compliance
Cookie Overview

What are cookies?

Cookies are small text files consisting of letters and numbers. These are sent from Netgraph Sverige AB or our partners' web servers and stored on your device (for example, computer or mobile). They can be stored in two different ways.

Session cookies are temporary cookies that disappear when you close your browser or app.
Persistent cookies are cookies that remain on your computer until you delete them or until they expire.

Different types of cookies

Both our website and others, such as Facebook or Google, may place cookies on your computer when you visit this website. Cookies from the website you are visiting are called first-party cookies and cookies from other websites are called third-party cookies.

Other files, similar to cookies, are web beacons and similar technologies. Web beacons are small transparent graphic images that may be contained in emails we send to you.

Why do we use cookies?

We use cookies to make your visit to our website as enjoyable as possible, and to improve it even more. However, we do not store IP numbers or similar personal data about you.

Functionality cookies improve your experience

We store cookies about the pages you have visited to make your experience on our website as smooth as possible. For example, we can prevent you from seeing a pop-up window more than once.

Analytics cookies help us to make our website better

We use cookies to collect aggregate analytical information about how you use the site, such as statistics on our most popular pages. With the information we get, we can improve our web and our offers.

Deleting cookies

Your browser or device usually allows you to set which cookies can be stored on your computer. For example, you can choose to block all cookies, only accept cookies from the website you are visiting or delete all cookies when you close your browser. Look under Settings.

Questions?

Do you have any questions about how we use cookies? You can always reach Netgraph Sverige AB's data protection officer at info@netgraph.se

This information was updated on August 26, 2024.