Introduction to RADIUS Service for 802.1X Authentication
EntryPoint 2.0 enables flexible and secure network authentication based on the 802.1X standard.
By integrating with Microsoft Entra ID (Azure AD), it supports both password-based (PEAP) and certificate-based (EAP-TLS) authentication methods.
This guide walks you through how to configure EntryPoint 2.0 from scratch, including creating contexts, groups, users, and RADIUS integration.
Getting Started
🔧 Step 1: Create a New 802.1X Authentication Context
To begin, navigate to the EntryPoint service within Netgraph.
Click Create and choose the context type EntryPoint 2.0 (802.1X Authentication with Entra ID).
Provide a name and a description for the new context that clearly indicate its purpose, for example, “Netgraph 1x Corporate Network” or “Secure Staff Access”.
Creating a specific context ensures that authentication policies, methods, users, and monitoring are properly scoped for your 802.1X environment, without interfering with other authentication services such as Guest Wi-Fi, IoT networks, or Radius Proxies.
🛠️ Step 2: Configure 802.1X Authentication Methods
Inside your new Context, choose which authentication methods to activate:
802.1X PEAP (Protected EAP)
- What it is: Username and password authentication inside a secure TLS tunnel.
- Use case: End-users authenticate against Entra ID credentials or Self-Service PEAP accounts.
- How it works: The device connects to the network, the user enters credentials, and the system validates them inside the TLS tunnel so they are never sent in the clear.
802.1X TLS (Certificate-Based Authentication)
- What it is: Device authentication using client certificates (X.509).
- Use case: Corporate managed devices such as laptops, smartphones, or IoT systems.
- How it works: The device automatically presents a trusted certificate during connection, without user interaction.
EntryPoint 2.0 supports two models for EAP-TLS integration:
Option 1: EAP-TLS with Entra ID / Intune Integration (Recommended)
- Devices are registered and managed via Microsoft Entra ID and Microsoft Intune.
- Certificate validation occurs dynamically against Entra device identity and compliance status.
- Enables conditional access and dynamic network policies based on device health.
- Ideal for full Zero Trust network access control in enterprise environments.
🔒 Strongly recommended for fully managed corporate environments aiming for enhanced compliance and security.
Option 2: EAP-TLS with Uploaded Machine Certificates (Local Validation)
- Devices are authenticated based on certificates uploaded manually into EntryPoint’s portal.
- No live backend communication with Entra ID or Intune is required during authentication.
- Suitable for:
  - IoT devices
  - Legacy systems
  - Non-managed equipment
🛠️ Useful for hybrid environments or where cloud device management is not feasible.
Summary:
EntryPoint 2.0 offers the flexibility to validate certificates either via Microsoft cloud services or through local management, depending on your deployment needs.
Tip: Use TLS for managed devices and PEAP for BYOD or non-managed users.
🧩 Step 3: Create Groups and Assign Authentication Methods
Create Groups inside the Context:
- Choose Authentication Type: PEAP, TLS, or both.
- Set Attribute Profiles (optional).
- Enable Self-Service Enrollment if needed.
Examples include separate groups for Employees, Guests, and Contractors based on authentication needs.
👥 Step 4: Adding and Managing Users
EntryPoint offers flexible ways to onboard and manage users based on your authentication method.
Self-Service Enrollment (For PEAP Authentication)
Self-Service Enrollment is primarily intended for environments using PEAP (Protected EAP) authentication, where users authenticate with a username and password.
When Self-Service is enabled for a group:
- Users can register themselves via the Self-Service Portal.
- Upon registration, users are automatically:
  - Added to the selected group.
  - Issued a Personal PEAP account for network authentication.
- Optionally, enrollment can be restricted based on email domain (e.g., only users with “@company.com” emails).
This approach significantly reduces administrative overhead by allowing users to onboard themselves securely.
⚠️ Self-Service enrollment is only relevant for PEAP-based access.
Devices using EAP-TLS authentication typically rely on certificate enrollment and are not managed through Self-Service.
Manual User Management
Administrators can also manually manage users for greater control and flexibility.
When manually adding a user:
- The administrator fills in the user’s details (name, email, group assignment).
- An invitation email is automatically sent to the user’s provided email address.
- The user can follow the link in the email to:
  - Access their Self-Service Portal.
  - View and manage their password (if using PEAP).
Manual user creation is particularly useful for:
- VIP users or executives.
- Staff without access to standard enrollment processes.
- Devices/users that require pre-staging before network access.
Managing Existing Users
Administrators can:
- View a user’s profile including group, PEAP account status, and devices.
- Edit user attributes (e.g., change role, move to another group).
- Re-send invitation emails if necessary.
- Deactivate or delete users to revoke network access immediately.
This provides comprehensive lifecycle management for network users across all authentication models.
🌐 Step 5: Network Integration
In the Network Integration section, you configure how EntryPoint connects to your local network environment:
- Specify internal ports for authentication, accounting, and RadSec.
- Configure the Client Secret that local network devices (your RADIUS clients) must use when sending RADIUS requests to your EntryPoint instance.
- Upload the certificates needed for RadSec so that internal RADIUS communication is encrypted.
- Optionally, limit access to specific IP address ranges to control which devices or networks are permitted to interact with your EntryPoint server.
This setup ensures that your local Wi-Fi or wired infrastructure can securely and reliably use EntryPoint as a RADIUS server or proxy.
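As an added example (not EntryPoint's own code and not part of the original guide), the following Python script shows what the two server-side controls from this step amount to on the wire: a RADIUS client allowlist keyed by source IP range, and verification of each Access-Request's Message-Authenticator (RFC 2869) under the shared secret configured for that client. A request from an address outside the allowlist, or one built with the wrong secret, is refused before any credential is looked at. Client networks, secrets, the NAS address and the username are constructed placeholders.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed RADIUS client table (placeholder networks and secrets): a NAS is
# only accepted when its source address falls inside one of these ranges, and
# its requests must then authenticate under that entry's shared secret.
RADIUS_CLIENTS = [
    {"name": "wifi-controllers", "network": ipaddress.ip_network("10.10.0.0/24"),
     "secret": b"placeholder-wifi-secret"},
    {"name": "core-switches", "network": ipaddress.ip_network("10.20.0.0/24"),
     "secret": b"placeholder-switch-secret"},
]

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869 section 5.14
HEADER_LEN = 20


def lookup_client(src_ip):
    """Return the allowlist entry whose network contains src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    for client in RADIUS_CLIENTS:
        if addr in client["network"]:
            return client
    return None


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(secret, username, request_id=1, authenticator=None):
    """Build the Access-Request a NAS would send. The Message-Authenticator is
    HMAC-MD5 keyed with the shared secret over the whole packet, computed with
    the attribute's own 16 value bytes set to zero."""
    request_auth = authenticator or os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_NAS_IP_ADDRESS, bytes([10, 10, 0, 5])))  # constructed NAS IP
    placeholder = attrs + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, request_id,
                         HEADER_LEN + len(placeholder)) + request_auth
    mac = hmac.new(secret, header + placeholder, hashlib.md5).digest()
    return header + attrs + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def iter_attrs(body):
    """Yield (type, value, offset) for each attribute; reject malformed TLVs."""
    offset = 0
    while offset < len(body):
        if offset + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", body[offset:offset + 2])
        if length < 2 or offset + length > len(body):
            raise ValueError("malformed attribute length")
        yield attr_type, body[offset + 2:offset + length], offset
        offset += length


def verify_request(src_ip, packet):
    """Server-side check: allowlist first, then the Message-Authenticator under
    that client's secret. Returns (accepted, reason)."""
    client = lookup_client(src_ip)
    if client is None:
        return False, "source address not in client allowlist"
    if len(packet) < HEADER_LEN:
        return False, "packet shorter than RADIUS header"
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "length field does not match packet size"
    header, body = packet[:HEADER_LEN], packet[HEADER_LEN:]
    received_mac = None
    zeroed = bytearray(body)
    try:
        for attr_type, value, offset in iter_attrs(body):
            if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
                received_mac = value
                zeroed[offset + 2:offset + 18] = bytes(16)
    except ValueError as exc:
        return False, str(exc)
    if received_mac is None:
        return False, "missing Message-Authenticator"
    expected = hmac.new(client["secret"], header + bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(expected, received_mac):
        return False, "Message-Authenticator mismatch (wrong secret or modified packet)"
    return True, "ok"


if __name__ == "__main__":
    request = build_access_request(b"placeholder-wifi-secret", "alice")
    print(verify_request("10.10.0.5", request))       # accepted
    print(verify_request("192.168.1.1", request))     # not in allowlist
    print(verify_request("10.20.0.5", request))       # wrong secret for that range
```

The allowlist check runs before any cryptography, so unknown sources cost nothing to drop; the secret check then ties each request to the specific client range it arrived from, which is why a secret should be unique per client group rather than shared across the whole network.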
🔒 Step 6: Enable RadSec (Optional)
RadSec (RADIUS over TLS) is an important feature for enhancing security, especially over public or semi-trusted networks.
If the remote server supports RadSec, you can enable it by toggling the option and providing the necessary certificates:
- Trusted CA certificates to validate the remote server’s identity.
- Optional client certificates if mutual authentication is required.
Using RadSec not only encrypts authentication traffic but also provides strong server identity verification, preventing man-in-the-middle attacks.
⚙️ Step 7: Add Attribute Profiles
Attribute Profiles allow EntryPoint to dynamically inject RADIUS attributes into authentication responses based on group membership or device type.
When creating an Attribute Profile:
- Name the Profile Clearly (e.g., “Employee VLAN 30 Assignment” or “Consultant Limited Access”).
- Choose the Appropriate Attribute Type:
  - Tunnel-Type
  - Tunnel-Medium-Type
  - Tunnel-Private-Group-ID
  - Cisco-AVPair
- Define the Attribute Value (e.g., VLAN ID, session timeout, SGT value).
Why Attribute Profiles Matter:
- Simplify dynamic VLAN assignment.
- Enforce differentiated network policies.
- Support segmentation and security control based on authentication results.
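As an added example (written for this guide, not EntryPoint's own code), the Python below encodes the attribute types listed above exactly as they appear in an Access-Accept: the three tunnel attributes as RFC 2868 tagged values (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID carrying the VLAN as a string) and Cisco-AVPair as a Vendor-Specific attribute (vendor 9, sub-type 1). It also computes and checks the Response Authenticator so you can see how the shared secret from Step 5 protects the reply that carries the VLAN decision. The secret, request authenticator and AV-pair string are constructed placeholders.

```python
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6
VENDOR_ID_CISCO = 9
CISCO_AVPAIR_TYPE = 1
HEADER_LEN = 20


def encode_attr(attr_type, value):
    """Type, Length, Value encoding of one RADIUS attribute (RFC 2865)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_integer(attr_type, value, tag=1):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return encode_attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type, text, tag=1):
    """RFC 2868 tagged string: one tag byte followed by the text."""
    return encode_attr(attr_type, bytes([tag]) + text.encode())


def cisco_avpair(text):
    """Vendor-Specific attribute (26) wrapping a Cisco-AVPair (vendor 9, sub-type 1)."""
    inner = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(text)) + text.encode()
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_ID_CISCO) + inner)


def vlan_attribute_profile(vlan_id, avpairs=()):
    """Attribute bytes for a dynamic-VLAN profile: the three tunnel attributes
    that switches and controllers expect, plus any Cisco-AVPair strings."""
    attrs = (tagged_integer(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
             + tagged_integer(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
             + tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))
    for pair in avpairs:
        attrs += cisco_avpair(pair)
    return attrs


def build_access_accept(secret, request_id, request_authenticator, attrs):
    """Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret), RFC 2865 section 3."""
    prefix = struct.pack("!BBH", CODE_ACCESS_ACCEPT, request_id, HEADER_LEN + len(attrs))
    response_auth = hashlib.md5(prefix + request_authenticator + attrs + secret).digest()
    return prefix + response_auth + attrs


def verify_access_accept(secret, request_authenticator, packet):
    """NAS-side check that the reply came from a server holding the shared secret."""
    prefix, response_auth, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(prefix + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def decode_attrs(packet):
    """Decode a packet's attributes into a dict keyed by attribute number;
    VSAs are keyed by (26, vendor, sub-type) and collected into a list."""
    decoded = {}
    body = packet[HEADER_LEN:]
    offset = 0
    while offset < len(body):
        attr_type, length = struct.unpack("!BB", body[offset:offset + 2])
        value = body[offset + 2:offset + length]
        if attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            decoded[attr_type] = (value[0], int.from_bytes(value[1:], "big"))
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            decoded[attr_type] = (value[0], value[1:].decode())
        elif attr_type == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            sub_type, sub_len = struct.unpack("!BB", value[4:6])
            key = (ATTR_VENDOR_SPECIFIC, vendor, sub_type)
            decoded.setdefault(key, []).append(value[6:4 + sub_len].decode())
        else:
            decoded[attr_type] = value
        offset += length
    return decoded


if __name__ == "__main__":
    # Constructed values: the request authenticator, secret and AV-pair are placeholders.
    request_auth = bytes(range(16))
    profile = vlan_attribute_profile(30, ["example-av-pair=staff"])
    reply = build_access_accept(b"placeholder-secret", 7, request_auth, profile)
    print(decode_attrs(reply))
    print(verify_access_accept(b"placeholder-secret", request_auth, reply))
```

All three tunnel attributes share the same tag byte so the switch treats them as one VLAN assignment; sending only Tunnel-Private-Group-ID without Tunnel-Type and Tunnel-Medium-Type is a common reason a profile is silently ignored by the NAS.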
📊 Monitoring and Statistics
EntryPoint 2.0 provides powerful real-time monitoring and detailed insights into device authentication activity and network utilization.
This helps administrators stay proactive, troubleshoot faster, and optimize network policies based on live data.
🔢 Overview Statistics
The EntryPoint dashboard provides a high-level overview of your 802.1X authentication environment, including:
- Number of Configured Groups: Displays how many groups exist under your Context (e.g., Employees, Guests, IoT).
- Total Registered Devices: The number of devices that have completed the enrollment and authentication process.
- Online Devices: How many devices are actively authenticated and connected at any given time.
This overview allows you to quickly monitor system load, identify trends in usage, and spot any anomalies (e.g., sudden drops in online devices).
📈 Detailed Usage
Through the Usage section, you can access in-depth analytics:
- Device Registration Trends: See how the number of registered devices evolves over different timeframes (today, week, month, year).
- Online Activity Trends: Visualize how many devices are connected over time to understand peak usage periods.
- Device-Level Drill-Downs: For each device you can view:
  - MAC Address
  - Associated User
  - Associated Group
  - Connected IP Address
  - Network device connection (AP, Switch)
  - Network Traffic (Upload / Download)
  - First Seen Timestamp
  - Last Seen Timestamp
These detailed statistics are essential for:
- Troubleshooting device-specific authentication issues.
- Identifying inactive or suspicious devices.
- Understanding user and device behavior patterns across the network.
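As an added example (not part of the guide and not an EntryPoint feature), the Python below runs three review checks over records shaped like the per-device drill-down fields above: registrations not seen within a window (candidates for deactivation in Managing Existing Users), one MAC address tied to more than one user, and a device whose upload volume is far out of proportion to its download. The records, thresholds and names are constructed placeholders; the checks are heuristics to tune per group, not rules from the product.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape of the drill-down fields listed above.
# MAC addresses, users, IPs, NAS names and timestamps are all placeholders.
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)

DEVICES = [
    {"mac": "aa:bb:cc:00:00:01", "user": "alice@example.com", "group": "Employees",
     "ip": "10.10.5.11", "nas": "AP-Floor1", "upload_mb": 120, "download_mb": 900,
     "first_seen": NOW - timedelta(days=200), "last_seen": NOW - timedelta(hours=2)},
    {"mac": "aa:bb:cc:00:00:02", "user": "bob@example.com", "group": "Employees",
     "ip": "10.10.5.12", "nas": "AP-Floor1", "upload_mb": 10, "download_mb": 40,
     "first_seen": NOW - timedelta(days=300), "last_seen": NOW - timedelta(days=75)},
    {"mac": "aa:bb:cc:00:00:03", "user": "printer-01", "group": "IoT",
     "ip": "10.10.9.3", "nas": "SW-Core-1", "upload_mb": 2000, "download_mb": 100,
     "first_seen": NOW - timedelta(days=1), "last_seen": NOW - timedelta(hours=1)},
    {"mac": "aa:bb:cc:00:00:01", "user": "mallory@example.com", "group": "Contractors",
     "ip": "10.10.7.40", "nas": "AP-Floor2", "upload_mb": 50, "download_mb": 300,
     "first_seen": NOW - timedelta(hours=3), "last_seen": NOW - timedelta(minutes=5)},
]


def review_devices(devices, now=NOW, inactive_days=60, upload_ratio=5.0):
    """Apply three simple checks to the drill-down records and return the
    findings as a dict of lists. Thresholds are illustrative."""
    findings = {"inactive": [], "mac_multiple_users": [], "unusual_upload": []}
    cutoff = now - timedelta(days=inactive_days)
    users_by_mac = defaultdict(set)
    for dev in devices:
        users_by_mac[dev["mac"]].add(dev["user"])
        # Stale registration: still enrolled but not seen within the window.
        if dev["last_seen"] < cutoff:
            findings["inactive"].append(dev["mac"])
        # Upload-heavy device: uploads more than upload_ratio times what it downloads
        # (a printer or similar appliance pushing gigabytes out is worth a look).
        if dev["upload_mb"] > upload_ratio * dev["download_mb"]:
            findings["unusual_upload"].append(dev["mac"])
    # One MAC tied to several users: shared credentials or an address collision.
    for mac, users in sorted(users_by_mac.items()):
        if len(users) > 1:
            findings["mac_multiple_users"].append((mac, sorted(users)))
    return findings


def format_report(findings):
    """Render the findings as plain lines for a ticket or daily summary."""
    lines = []
    for mac in findings["inactive"]:
        lines.append(f"INACTIVE        {mac}: not seen within window, consider deactivating")
    for mac, users in findings["mac_multiple_users"]:
        lines.append(f"SHARED MAC      {mac}: seen with users {', '.join(users)}")
    for mac in findings["unusual_upload"]:
        lines.append(f"UNUSUAL UPLOAD  {mac}: upload far exceeds download")
    return lines


if __name__ == "__main__":
    for line in format_report(review_devices(DEVICES)):
        print(line)
```

Exporting the drill-down data and running a review like this on a schedule turns the dashboard's raw fields into a short list of devices to deactivate or investigate, which is the practical meaning of "identifying inactive or suspicious devices" above.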
⚙️ Context Management
Under the Context Configuration section, administrators can update and maintain key settings:
- Edit Context Name and Description: Keep your documentation up-to-date and organized.
- Manage RADIUS Secrets: Rotate secrets regularly to improve security.
- Modify Authentication and Accounting Settings: Adjust ports and protocols if network topology changes.
- Configure RadSec Settings: Update or replace certificates and trusted CA lists for secure RADIUS communication.
This flexibility ensures that your EntryPoint environment can easily adapt to evolving organizational and security requirements without disrupting ongoing network authentication.
🧾 Summary
EntryPoint 2.0 provides a comprehensive solution for 802.1X network authentication by integrating PEAP and TLS methods with Microsoft Entra ID.
Administrators can easily set up secure authentication contexts, assign flexible group policies, onboard users through Self-Service or manual provisioning, and monitor authentication activity in real-time.
With support for advanced options like RadSec, dynamic attribute injection, and multiple EAP-TLS validation models (Entra or local certificates), EntryPoint 2.0 delivers a scalable, secure, and highly adaptable authentication platform for both wired and wireless environments.
By leveraging EntryPoint’s real-time monitoring, administrators can ensure efficient network operation, enhanced security compliance, and excellent user experience.