Certificate-Based 802.1X Authentication with EAP-TLS & Entra ID Lookup

With the recent release of Meraki Access Manager & Cloud PKI, cloud-only organizations have additional options on securing their Wi-Fi. With support for certificate-based 802.1X authentication using EAP-TLS and Entra ID-based device lookup, this combo eliminates the friction of passwords and raises the bar on endpoint trust.

The only catch? The Meraki Access Manager is still in early access, and no general availability date has been announced. For IT teams eager to get ahead of the curve, that means piecing together documentation, release notes, and forums to make it all work.

To save you the time and trial-and-error, our cofounder Gary Greenberg has provided a guide of a validated working configuration that walks you through the full setup—from enabling Access Manager to configuring Intune Cloud PKI for seamless EAP-TLS authentication.

Ready to get your hands dirty? Let’s dive in.

Executive Summary

As enterprise IT teams shift toward zero-trust networking, securing wireless authentication becomes a critical component of the infrastructure. This guide presents a modern, cloud-native approach using Cisco Meraki Access Manager and Microsoft Intune Cloud PKI to implement certificate-based 802.1X EAP-TLS authentication.

The result: stronger security, simplified deployment, and no need for on-prem RADIUS or on-prem PKI infrastructure. While this article focuses on wireless 802.1X authentication, Meraki Access Manager also supports other features like wired 802.1X network access control—a topic we will explore in a follow-up guide (Part 2).

Hypershift has successfully tested and implemented this configuration and can help your organization do the same.

Enterprise wireless authentication is evolving—and organizations using Cisco Meraki and Microsoft Intune now have a sleek, secure path forward. This article explains how to pair Meraki Access Manager (currently in Early Access) with Microsoft Intune Cloud PKI to implement EAP-TLS wireless authentication, eliminating on-prem PKI/RADIUS infrastructure and delivering a seamless certificate-based solution.

Why Move Beyond Pre-Shared Key (PSK) Wi-Fi?

Traditional Wi-Fi deployments rely on a shared password, exposing networks to serious risks. Once that password is compromised—whether by an ex-employee or a malicious actor—your entire network is vulnerable. Changing the PSK disrupts all users and devices.

Enterprise wireless authentication with EAP-TLS solves this by using digital certificates for per-device or per-user authentication. Only devices that are managed, compliant, and have valid certificates can connect, significantly reducing attack surface and administrative overhead.

Meraki Access Manager brings native RADIUS to the cloud

Until now, Meraki relied on external RADIUS servers (typically Microsoft NPS or Cisco ISE) for 802.1X authentication. But with Access Manager, Meraki now offers a cloud-native RADIUS service built directly into the dashboard—no hardware to install, no on-prem server to maintain.

Currently in Early Access, Access Manager lets Meraki-managed environments enable 802.1X authentication from the cloud, optionally integrating with Microsoft Entra ID for identity lookup control. At the time of writing the public beta Meraki Access Manager is free to use, with pricing and licensing details expected to be announced when it reaches general availability.

Key Features:

• Native RADIUS server hosted in Meraki cloud
• Entra ID integration for user lookups
• No on-prem hardware or server maintenance
• No-charge public beta (pricing to be announced)

Microsoft Intune Cloud PKI — Cloud-native certificates and pricing

Many small to midsize organizations have moved away from on-prem PKI due to complexity and maintenance costs. With Intune Cloud PKI, Microsoft offers a managed certificate authority that issues client authentication certificates via SCEP or PKCS—ideal for Intune managed devices.

Cloud PKI removes the need to run your own CA and simplifies certificate deployment:

• Issue root and issuing CAs directly in the Intune admin center.
• Deploy root/issuing certificates and SCEP profiles to devices via Intune.
• Devices automatically receive device/user certificates for authentication.

Cloud PKI pricing at the time of writing:

Tip: While easy to deploy, large enterprises should be aware that costs can scale quickly. For example, 30,000 users could equate to $720,000 per year if using the standalone Cloud PKI license.

How it works: EAP-TLS via Meraki + Intune

A. Authentication flow

1. A client attempts to connect to a Meraki SSID.
2. The MR access point forwards the EAP-TLS request to Meraki Cloud via Access Manager.
3. The client presents its Intune-issued certificate.
4. Access Manager validates the certificate and optionally performs an Entra ID lookup.
5. Access rules (VLAN, group policies, etc.) are applied based on certificate and identity.
6. Network access is granted.

B. Certificate issuance with Intune Cloud PKI

Cloud PKI works by securely issuing certificates to devices using the Simple Certificate Enrollment Protocol (SCEP). The process begins with an admin provisioning Root and Issuing CAs through the Intune Admin Center. When a device checks in (A1), it initiates a certificate request (A2) to the SCEP service.

From there:

• The SCEP service interacts with Cloud PKI services (B2), which validate the request (B3) through the SCEP validation service.
• Once approved, Cloud PKI issues the certificate (A4), which is delivered back to the device (A5).

This flow ensures:

• Certificates are tied to device and user identity.
• Only enrolled, compliant devices receive valid certs.
• Certificate delivery and renewal is fully automated via Intune.

With no need for an on-prem CA or NDES connector, this architecture significantly simplifies secure certificate distribution while maintaining full control through Intune policy.

C. Integration overview

Key benefits of Meraki Access Manager + Intune Cloud PKI

• Cloud-native: No local PKI or on-prem RADIUS servers required
• Strong security: Certificate-based (EAP-TLS) authentication
• Dynamic control: Leverages Entra ID attributes
• Simple management: All config lives in Meraki + Intune dashboards
• Fast deployment: No infrastructure to stand up

Deployment best practices and tips

• Be sure to upload a full certificate chain to Meraki.
• Enable Extended Local Auth for fallback authentication if Meraki cloud is down (not tested).
• Add trusted server names (eap.meraki.com & *.ORGID.radius.meraki.direct) to Intune Wi-Fi profiles to suppress trust prompts
• Make sure to add at least one Intune license (standalone or suite) else pausing or trying to delete the Root CA/Issuing CA results in an error message

Deployment Overview

1. Enable Intune Cloud PKI: build root & issuing CA’s

Figure 1 – Root CA Configuration

Figure 2 – Issuing CA Configuration

2.1. Create Intune profiles:

• Trusted certificate profiles

Figure 1 – Root CA Trusted Certificate Policy

Figure 2 – Issuing CA Trusted Certificate Policy

Figure 3 – Access Manager Trusted Certificate Policy

• SCEP profiles

Figure 4 – SCEP Policy

• Wi-Fi profile configured for EAP-TLS

Figure 5 – Intune Wifi Profile

Tip: Add certificate server names for Access Manager certificates to prevent the trust dialog box from prompting when connecting to the SSID.  See the Intune Wi-Fi profile section for details.

‍
* For detailed instructions on client configuration, follow this link here.

2.2. In Meraki Dashboard:

• Opt into Early Access for Access Manager

Figure 1 – Early Access

• Upload Cloud PKI root and issuing certs

Figure 2 – Access Manager Certificates Section

• Integrate with Entra ID

Figure 3 – Sync Entra ID w/ Meraki

Figure 4 – Permissions needed on Entra ID for integration

For detailed instructions to integrate Entra ID w/ Meraki, follow this link here.

• Create policies in Access Manager based on identity and cert fields

Figure 5 – Access Manager Access Rules

• Configure Meraki SSID to use Access Manager

Figure 6 – Binding Meraki SSID Configuration

3. Endpoint Verification:

• Receive certs and Wi-Fi config automatically via Intune

Figure 1 – Root CA

Figure 2 – Issuing CA

Figure 3 – Client Cert (SCEP enrolled)

Figure 4 – Access Manager Certificate

Figure 5 – WiFi SSID/NIC Settings pushed from Intune

Troubleshooting Tips

• If clients are prompted with trust warnings, confirm that trusted/certificate servers are added to the Wi-Fi profile.
• If certificate enrollment fails, check SCEP settings, client machine event viewer and device compliance.
• Root & Issuing CA’s should have extended-key usage (Client Authentication)
• SCEP certificate should have extended-key usage (Client Authentication)
• Confirm all four certificates on client are present before connecting to Wi-Fi

Why Hypershift?

Hypershift specializes in helping IT teams adopt cloud-first, secure networking solutions. We've designed and tested this Meraki + Intune PKI integration and can guide your team from design to deployment.

Our Services Include:

• Cloud PKI setup and configuration
• Wi-Fi and certificate profile creation
• Meraki + Entra ID integration
• Policy mapping and testing
• End-to-end deployment support

Get in touch: https://hypershift.com/contact

Enterprise wireless security doesn't have to be complex. With Meraki Access Manager and Microsoft Intune Cloud PKI, you can deploy a scalable, cloud-native solution that improves security and simplifies management. Ready to modernize your network?

Hypershift is here to help.