Has anyone transitioned to EAP-TLS in a cloud environment with Microsoft Entra?

Asked By TechMaster21 On

I'm currently working in a network engineering role and looking for some insights on moving from a traditional setup. We use an on-premises NPS for our RADIUS authentication against Active Directory for 802.1X wireless with PEAP/MS-CHAPv2. As we shift our endpoints to become Microsoft Entra-joined (cloud-only), we're considering switching to EAP-TLS to enhance our security by using client certificates instead of passwords. I have some specific questions: How do we go about issuing client certificates for devices that are Entra-joined? Is the combination of Intune Certificate Connector with on-premises AD Certificate Services still the best hybrid approach? Lastly, if the goal is to eventually move away from on-premises NPS entirely, what are the current options available for a cloud-first 802.1X RADIUS solution? I'm hoping to hear from anyone who's successfully made this transition!

3 Answers

Answered By NetworkNinja88 On

I still think the on-prem NPS and CA setup is a solid approach right now. However, some hardware vendors are starting to integrate with Azure AD directly for easier authentication, such as Meraki and Fortinet. Devices using Entra can work with an on-prem NPS and CA setup without issues. For a fully cloud-based option, I've used services like Foxpass or JumpCloud as a cloud NPS, but keep in mind they do charge a per-user monthly fee which can add up quickly.

CyberJedi42 -

Does Fortinet really have Azure AD integration for Wi-Fi authentication? That's good to know!

Answered By SysAdminSavvy On

Intune has several pre-configured SCEP certificate partners that connect easily for certificate deployment. We chose SCEPman, and it's been running smoothly for two years without any issues. I definitely recommend using device-based certificates to allow devices to connect to Wi-Fi before the user logs in. Moving to a cloud-hosted RADIUS setup is definitely the right path if you want to phase out on-prem solutions. RadSec can secure your Wi-Fi RADIUS authentication, though it's trickier for Ethernet since most providers like Fortinet and Meraki don't support it right now.
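During a PEAP/MS-CHAPv2 to EAP-TLS migration like the one discussed in the question and this answer, the practical question is which devices are still authenticating with a password, which ones are attempting EAP-TLS and getting rejected (typically a certificate enrollment or chain problem), and which device certificates are about to expire. The script below is an added example, not code from the thread or from any of the products named in it. It parses a constructed, hypothetical per-authentication log format (timestamp, device name, EAP type, result, optional certificate expiry); the regex would need adjusting for a real NPS, ClearPass or FreeRADIUS export.

```python
"""Audit 802.1X authentication events during a PEAP -> EAP-TLS migration.

Added example, not from the thread. The log format is constructed to
resemble a RADIUS server's per-authentication summary; adapt LINE_RE to
whatever your RADIUS server actually exports.
"""
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample lines (hypothetical format).
SAMPLE_LOG = """\
2024-05-01T08:00:12Z device=LAPTOP-0A1 eap=EAP-TLS result=Accept cert_expires=2025-02-01
2024-05-01T08:01:03Z device=LAPTOP-0B2 eap=PEAP-MSCHAPv2 result=Accept
2024-05-01T08:02:45Z device=LAPTOP-0C3 eap=EAP-TLS result=Accept cert_expires=2024-05-20
2024-05-01T08:03:10Z device=LAPTOP-0B2 eap=EAP-TLS result=Reject
2024-05-01T08:05:00Z device=LAPTOP-0D4 eap=PEAP-MSCHAPv2 result=Accept
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) eap=(?P<eap>\S+) result=(?P<result>\S+)"
    r"(?: cert_expires=(?P<exp>\d{4}-\d{2}-\d{2}))?$"
)

# EAP methods that still rely on a user or machine password.
PASSWORD_METHODS = {"PEAP-MSCHAPv2", "EAP-MSCHAPv2", "EAP-TTLS-PAP"}


def parse_events(text):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["exp"] = datetime.strptime(d["exp"], "%Y-%m-%d").date() if d["exp"] else None
        events.append(d)
    return events


def migration_report(events, today, warn_days=30):
    """Classify devices by migration state and flag soon-to-expire device certs.

    migrated:    at least one successful EAP-TLS authentication
    pending:     only password-based methods have succeeded so far
    tls_failing: pending devices that also have a rejected EAP-TLS attempt
                 (cert issued but not trusted, wrong EKU, chain missing, ...)
    expiring:    migrated devices whose certificate expires within warn_days
    """
    accepted = defaultdict(set)   # device -> EAP methods that succeeded
    rejected = defaultdict(set)   # device -> EAP methods that were rejected
    expiry = {}                   # device -> earliest cert expiry seen on an EAP-TLS Accept
    for e in events:
        bucket = accepted if e["result"] == "Accept" else rejected
        bucket[e["device"]].add(e["eap"])
        if e["eap"] == "EAP-TLS" and e["result"] == "Accept" and e["exp"]:
            expiry[e["device"]] = min(expiry.get(e["device"], e["exp"]), e["exp"])

    devices = set(accepted) | set(rejected)
    migrated = {d for d in devices if "EAP-TLS" in accepted.get(d, set())}
    pending = {d for d in devices - migrated
               if accepted.get(d, set()) & PASSWORD_METHODS}
    tls_failing = {d for d in pending if "EAP-TLS" in rejected.get(d, set())}
    cutoff = today + timedelta(days=warn_days)
    expiring = {d for d, exp in expiry.items() if exp <= cutoff}

    return {
        "migrated": sorted(migrated),
        "pending": sorted(pending),
        "tls_failing": sorted(tls_failing),
        "expiring": sorted(expiring),
    }


if __name__ == "__main__":
    report = migration_report(parse_events(SAMPLE_LOG), date(2024, 5, 1))
    for state, names in report.items():
        print(f"{state:12s} {', '.join(names) or '-'}")
```

Run it as-is to see the four buckets for the sample data; in practice the `pending` list drives the Intune enrollment follow-up and `tls_failing` is the list to check against the CA for issuance or trust-chain errors before the PEAP policy is removed from the RADIUS server.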

Answered By CyberJedi42 On

We use Intune to deploy SCEPman certificates to our Entra-joined devices, and ClearPass serves as our RADIUS server. It's been a smooth process.

NetGuru84 -

Yes, that's pretty much how we operate too! We still have some older locations using Cisco ISE, but we plan to switch fully to ClearPass by year-end.

CloudExplorer99 -

Totally agree on SCEPman! It's really simple to set up and the documentation is solid. However, I'm not fond of SCEPman's RADIUSaaS since it's not very customizable and I've had some delays with support.
