Extending Cloud Native PC Wireless Authentication to Cloud RADIUS


A month ago, we covered using NPS with Cloud PKI to deliver user authentication for Wi-Fi via certificates. Today, we are going to discuss leveraging a cloud RADIUS product called RADIUSaaS to deliver device authentication for EAP-TLS. Some of the things we will cover are:

Introduction to RADIUSaaS

I am no stranger to the fine people at glueckkanja who created SCEPman, which I wrote about previously. One of the main differences with RADIUSaaS is that you don’t need to host it. The platform is entirely cloud hosted, which was a pleasant surprise.

RADIUSaaS is a bridge between your clients (Windows devices) and your wireless infrastructure. It will perform authentication leveraging the RADIUS protocol. You can see a basic graph below:

RADIUSaaS architecture diagram

RADIUSaaS is a RadSec-first platform (more on RadSec later), which really makes managing RADIUS incredibly easy. From an admin perspective, you have a few components:

  • The RADIUSaaS admin portal, which they will stand up for you.
  • RADIUSaaS also offers a proxy that bridges RadSec to a regular RADIUS over UDP for environments that cannot support RadSec.

In addition to standard certificate-based authentication, you can also handle a few other interesting methods, which we will discuss below.

Username and Password Support on RADIUSaaS

You can leverage username/password on RADIUSaaS, but it doesn’t integrate with an identity store. We might see this for guest access, BYOD, or legacy devices that cannot do 802.1x.

They support the following protocols:

  • EAP-TTLS-PAP
  • EAP-TTLS-MSCHAPv2
  • PEAP-MSCHAPv2

You basically create the user and can even schedule the expiration, as you can see below:

RADIUSaaS guest user setup

MAC Authentication on RADIUSaaS

RADIUSaaS supports MAC-based authentication (MBA), where the MAC address of the device is used in place of the username and password during the authentication phase. You can see below what the flow looks like:

RADIUSaaS MAC authentication diagram

You basically configure the username and password as the MAC address, like you can see below. It’s not recommended, but I like to point out that they support it, which is sort of fun:

RADIUSaaS creating MAC address users

Integrating RADIUSaaS with Microsoft Cloud PKI

Overall, the setup process for RADIUSaaS is pretty simple. You just download your root and intermediate certificates from Tenant Administration > Cloud PKI and upload them into RADIUSaaS’ trusted certificate section as client authentication certificates.

Once you finish that, you grab the RadSec certificate from “Server Settings”.

Check out my video demo below, which can help you get that all done in under 5 minutes. Honestly, I’m really happy with how simple and clean the UI is, which makes it easier:

What is RadSec?

Most Microsoft people who are coming from NPS are likely not too familiar with RadSec.

Many of us are used to RADIUS, where traffic goes over UDP ports (commonly UDP/1812 or 1813). The data essentially travels in plain text and isn’t exactly what you would consider secure.

RadSec, aka RADIUS over TLS, carries the RADIUS packets (including the 802.1x/EAP exchange) over TCP inside a TLS session, which lets you deliver them over insecure networks. So.. YAY SECURITY!

RadSec flow diagram

The key is that your equipment needs to support RadSec. One of the really neat things that RADIUSaaS provides is the ability to deliver up to 2 UDP proxies (in a variety of regions) to bridge equipment that cannot support RadSec:

RADIUSaaS proxy settings for the UDP proxy
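To make concrete what “plain text” means for classic RADIUS over UDP, here is an added example (my own code, not from RADIUSaaS or this post) that builds an RFC 2865 Access-Request the way a NAS would and then parses it back the way anyone capturing the UDP flow could. It shows that only the User-Password attribute is hidden, and only by an MD5/XOR scheme keyed on the shared secret, while User-Name and the NAS identity are readable on the wire. The shared secret, username, password and NAS name are constructed values.

```python
import hashlib
import os
import struct

# RFC 2865 code and attribute types used in this example
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32
RADIUS_UDP_AUTH_PORT = 1812  # authentication; 1813 is accounting


def obfuscate_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-octet blocks and XOR
    each block with MD5(secret + previous block), seeded with the Request
    Authenticator. This is obfuscation keyed on the shared secret, not
    authenticated encryption, and every other attribute goes in the clear."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += prev
    return hidden


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of obfuscate_password; only yields the password with the right secret."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        clear += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return clear.rstrip(b"\x00")


def build_access_request(secret: bytes, username: str, password: str,
                         nas_id: str, identifier: int = 0,
                         authenticator: bytes = b"") -> bytes:
    """Serialise an Access-Request: 20-byte header followed by TLV attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = [
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, obfuscate_password(secret, authenticator, password.encode())),
        (ATTR_NAS_IDENTIFIER, nas_id.encode()),
    ]
    body = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for one RADIUS AVP")
        body += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body


def parse_packet(packet: bytes):
    """Decode the header and attribute list; needs no secret at all."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, authenticator, attrs


def observer_view(packet: bytes) -> dict:
    """What someone capturing the UDP flow learns without the shared secret."""
    _, _, _, attrs = parse_packet(packet)
    view = {}
    for attr_type, value in attrs:
        if attr_type == ATTR_USER_NAME:
            view["User-Name"] = value.decode()
        elif attr_type == ATTR_NAS_IDENTIFIER:
            view["NAS-Identifier"] = value.decode()
        elif attr_type == ATTR_USER_PASSWORD:
            view["User-Password"] = "hidden (MD5 XOR keyed on the shared secret)"
    return view


if __name__ == "__main__":
    # Constructed values: secret, user, password and NAS name are all made up.
    pkt = build_access_request(b"radsec", "guest1", "Winter2025!", "meraki-ap-01")
    print(observer_view(pkt))
```

Wrapping exactly these packets in TLS over TCP is what RadSec adds: the observer in `observer_view` then sees only a TLS stream, and each side proves its identity with a certificate instead of the shared secret alone.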

Integrating Cisco Meraki with RADIUSaaS via RadSec

The great news with Meraki is they support RadSec, which makes life a bit simpler.

Basically, when they bring up your RADIUSaaS instance, it will have a listener on port 2083 for RadSec. You can then leverage the hostname OR IP address and the port when configuring the RADIUS server on your Meraki.

One thing that I did run into is that it requires TLS 1.2. You will see in the video below, I found really amazing logging on RADIUSaaS that showed me an issue on TLS 1.3:

Mon Mar 17 00:51:37 2025 : ERROR: (0) ERROR: (TLS) RADIUS/TLS - Alert read:fatal:bad record mac

I identified that it was an issue with TLS 1.3, but not a huge deal. I was also very excited to see they use my old friend Elasticsearch for their logging, which makes the logging stuff overall very exciting. Anyway, at a high level, you just:

  • Configure the RADIUS server with a secret of “radsec” (I do wish you could change the secret)
  • Run a test connection with a user account you create
  • Set it to use TLS 1.2 inside of RADIUSaaS
  • Configure best practice settings for EAP
  • Upload certs and download the RadSec certificate
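Two of the steps above are worth seeing in code, so here is an added example (my own Python, not from RADIUSaaS, Meraki or this post): a client-side TLS context for a RadSec connection on port 2083 that is pinned to TLS 1.2 with server verification and a client certificate, and a small triage routine for log lines in the format shown above that separates TLS-level failures (where RADIUS never ran) from RADIUS auth results. The first log line is the one from the post; the other lines, the hostname and the hint text are constructed, and the hint table is keyed on standard TLS alert names as OpenSSL prints them.

```python
import re
import ssl

RADSEC_TCP_PORT = 2083  # RadSec listener port RADIUSaaS brings up

# First line is the real one from the post; the rest are constructed here to
# show the other outcomes the triage distinguishes.
SAMPLE_LOG = """\
Mon Mar 17 00:51:37 2025 : ERROR: (0) ERROR: (TLS) RADIUS/TLS - Alert read:fatal:bad record mac
Mon Mar 17 00:52:10 2025 : ERROR: (1) ERROR: (TLS) RADIUS/TLS - Alert read:fatal:unknown ca
Mon Mar 17 00:53:02 2025 : Auth: (2) Login OK: [host/DESKTOP-A1B2C3] (from client meraki-ap-01 port 0)
Mon Mar 17 00:54:44 2025 : Auth: (3) Login incorrect (No Auth-Type found): [guest9] (from client meraki-ap-01 port 0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : "
    r"(?P<level>\w+): \((?P<req>\d+)\) (?P<msg>.*)$"
)
ALERT_RE = re.compile(r"\(TLS\) RADIUS/TLS - Alert read:fatal:(?P<alert>.+)$")

# Constructed hints, keyed on standard TLS alert descriptions.
ALERT_HINTS = {
    "bad record mac": "record layer mismatch; the post saw this until the server was set to TLS 1.2",
    "unknown ca": "peer rejected our certificate chain; check the uploaded root/issuing CA",
    "certificate expired": "peer presented an expired certificate; rotate the RadSec certificate",
    "protocol version": "no common TLS version; align both sides on TLS 1.2",
    "handshake failure": "no common cipher suite or missing client certificate",
}


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["req"] = int(rec["req"])
    alert = ALERT_RE.search(rec["msg"])
    if alert:
        rec["category"] = "tls_alert"
        rec["alert"] = alert.group("alert").strip()
        rec["hint"] = ALERT_HINTS.get(rec["alert"], "unlisted TLS alert; the TLS session never completed")
    elif rec["level"] == "Auth" and "Login OK" in rec["msg"]:
        rec["category"] = "auth_ok"
    elif rec["level"] == "Auth" and "Login incorrect" in rec["msg"]:
        rec["category"] = "auth_fail"
    else:
        rec["category"] = "other"
    return rec


def triage(log_text):
    """Parse every recognisable line, in order."""
    return [rec for rec in (parse_line(l) for l in log_text.splitlines()) if rec]


def tls_failures(log_text):
    """Only the records where TLS itself failed, so RADIUS never got a chance."""
    return [r for r in triage(log_text) if r["category"] == "tls_alert"]


def radsec_client_context(ca_bundle=None, client_cert=None, client_key=None):
    """Client-side TLS settings for a RadSec connection pinned to TLS 1.2, with
    server verification on and our own certificate loaded when paths are given."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle:
        ctx.load_verify_locations(ca_bundle)
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def tls_version_bounds(ctx):
    """Name of the lowest and highest TLS version the context will negotiate."""
    return (ctx.minimum_version.name, ctx.maximum_version.name)


if __name__ == "__main__":
    for rec in tls_failures(SAMPLE_LOG):
        print(rec["ts"], rec["alert"], "->", rec["hint"])
    print(tls_version_bounds(radsec_client_context()))
```

A real connection would be `ssl.create_connection` wrapped with `ctx.wrap_socket(sock, server_hostname=<your RADIUSaaS hostname>)` on `RADSEC_TCP_PORT`; the context is the part worth getting right, because a version or trust mismatch surfaces exactly as the `(TLS)` alert lines above rather than as a RADIUS reject.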

Overall, once again very easy to do, and the video will show you quickly how to work with it:

Setting up the Policies in Microsoft Intune

First, let’s see what you need overall for this to work:

  • Cloud PKI Root and Issuing CA Certificates
  • Root CA certificate for your RADIUS server
  • SCEP Policy (you can see that example below)
  • Wi-Fi Policy

The trusted certificates are pretty straightforward, and you can see them in the video demo below (that will be coming soon but Cloud PKI is having some infrastructure issues today).

The SCEP policy below basically has a few key things:

  • Subject Name: CN={{DeviceName}}
  • SAN with URI and value of IntuneDeviceId://{{DeviceId}}
  • KSP is “Enroll to TPM KSP if present, otherwise Software KSP”
  • Key Usage to Digital Signature and Key Encipherment
  • 2048-bit
  • SHA-2
  • Select the Cloud PKI Root Certificate
  • EKU of Client Authentication
  • SCEP server URL from your Cloud PKI issuing CA

Creating the SCEP policy for RADIUSaaS in Intune
Creating the SCEP policy for RADIUSaaS in Intune part two with the SCEP URL
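Here is an added example (my own code, not from Intune, Cloud PKI or this post) of what those SCEP profile settings translate into on the issued certificate, and a check you can run against a certificate pulled off a device when an EAP-TLS auth is rejected. It uses the `cryptography` library, builds a self-signed stand-in certificate because there is no Cloud PKI issuing CA to call offline, and the device name and device ID are constructed values standing in for `{{DeviceName}}` and `{{DeviceId}}`.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Constructed device identity standing in for Intune's {{DeviceName}} / {{DeviceId}}
DEVICE_NAME = "DESKTOP-A1B2C3"
DEVICE_ID = "3f2c1a9e-7b4d-4e0a-9c8f-1d2e3f4a5b6c"


def make_device_cert(device_name, device_id, key_size=2048, with_eku=True):
    """Self-signed stand-in for what the issuing CA would return for the SCEP
    profile above: CN=device name, SAN URI IntuneDeviceId://<id>, Digital
    Signature + Key Encipherment, Client Authentication EKU, RSA, SHA-256."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, device_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.SubjectAlternativeName(
            [x509.UniformResourceIdentifier(f"IntuneDeviceId://{device_id}")]), critical=False)
        .add_extension(x509.KeyUsage(
            digital_signature=True, key_encipherment=True, content_commitment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=False,
            crl_sign=False, encipher_only=False, decipher_only=False), critical=True)
    )
    if with_eku:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
    return builder.sign(key, hashes.SHA256())


def check_device_cert(cert, expected_name, expected_id):
    """Return the list of ways the certificate misses the profile; [] means it fits."""
    findings = []
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if not cn or cn[0].value != expected_name:
        findings.append("subject CN does not match the device name")
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        uris = san.get_values_for_type(x509.UniformResourceIdentifier)
    except x509.ExtensionNotFound:
        uris = []
    if f"IntuneDeviceId://{expected_id}" not in uris:
        findings.append("SAN has no IntuneDeviceId URI for this device")
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
            findings.append("EKU lacks Client Authentication")
    except x509.ExtensionNotFound:
        findings.append("no EKU extension; Client Authentication is required")
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        if not (ku.digital_signature and ku.key_encipherment):
            findings.append("key usage lacks Digital Signature and/or Key Encipherment")
    except x509.ExtensionNotFound:
        findings.append("no Key Usage extension")
    pub = cert.public_key()
    if not isinstance(pub, rsa.RSAPublicKey) or pub.key_size < 2048:
        findings.append("key is not RSA 2048 or larger")
    if not isinstance(cert.signature_hash_algorithm, (hashes.SHA256, hashes.SHA384, hashes.SHA512)):
        findings.append("signature hash is not SHA-2")
    return findings


if __name__ == "__main__":
    print(check_device_cert(make_device_cert(DEVICE_NAME, DEVICE_ID), DEVICE_NAME, DEVICE_ID))
    weak = make_device_cert(DEVICE_NAME, DEVICE_ID, key_size=1024, with_eku=False)
    print(check_device_cert(weak, DEVICE_NAME, DEVICE_ID))
```

To use it on a real device certificate, load the exported PEM with `x509.load_pem_x509_certificate(pem_bytes)` and pass it to `check_device_cert` with the device name and Intune device ID you expect; the CN and SAN URI are what the RADIUS side will match identity on, so a mismatch there is the first thing to rule out.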

The Wi-Fi policy looks basically the same as it did with NPS, with the exception that we are doing machine authentication and, obviously, pointing at a different RADIUS server:

Creating the Wi-Fi policy for RADIUSaaS in Intune
Creating the Wi-Fi policy for RADIUSaaS in Intune continued

Once the Cloud PKI issues are resolved, we will show a nice video demo of all of this, so we can show you the successful authentication within the solution.


Final Thoughts

Overall, outside of the fact that I am dealing with this outage issue in Cloud PKI:

The entire experience in RADIUSaaS is really nice. The direct integration with Microsoft Intune delivers the exact experience we’re striving for. You can really tell the product is built by a company with so many great MVPs, just based on some of the “cute” things you find in there. A few examples:

  • You can export a Wi-Fi XML out of RADIUSaaS to deploy the Wi-Fi Profile
  • You can use the Intune MDM certificate to authenticate to Wi-Fi (you probably shouldn’t)
  • Support for rules (similar to NPS) to only allow cert auths from certain SSIDs, equipment groups, or even assigning VLAN IDs

Overall, a really great product, which helps bring us to the next generation of wireless authentication and more!


Let me know what you think
