The Challenge
A private school needed to secure Wi-Fi access for a diverse device fleet made up of Windows laptops, iOS devices, and student-owned BYOD. The school relied on Microsoft NPS for RADIUS authentication, but NPS required a domain object lookup for every connection attempt, creating friction for managed iOS and Android devices that are not domain-joined natively. When connectivity issues arose, the IT team had to search NPS logs by hand to trace where a device last connected, a slow and laborious process.
BYOD introduced another challenge. Starting with Android 11, third-party applications could no longer install a private certificate authority. Student devices running newer Android versions could not complete onboarding through the existing workflow. The school needed a BYOD enrollment path that worked across every OS version. They also needed a solution that didn’t require hands-on IT support for every device.
The school had already deployed certificate enrollment via the JoinNow platform for both managed and BYOD devices, using SAML-based onboarding to authenticate students before issuing certificates. But without a cloud-based RADIUS server, the IT team could not enforce certificate validation at the network edge. Patches and OS updates risked breaking NPS-based enforcement entirely. The team needed a cloud-native RADIUS service that could replace NPS, validate certificates issued by the same vendor certificate authority (CA), and pass device attributes to the firewall for content filtering, all without reissuing certificates.
The Solution
The school deployed the JoinNow PKI platform, integrated with its Mobile Device Management (MDM) tooling, to handle certificate enrollment across both managed and unmanaged devices. Intune distributes certificates to managed Windows devices via SCEP, while BYOD users complete a SAML-authenticated onboarding flow that provisions a certificate and configures Wi-Fi settings in a single step. The JoinNow client also deploys a deep packet inspection certificate for SSL inspection on unmanaged devices, combining network authentication and content filtering setup into one enrollment action.
The school configured its network around minimal SSIDs to reduce wireless interference: one secure SSID for certificate-authenticated devices and one onboarding SSID in select locations. Auto-revocation ties directly to Intune. When a device is wiped or its license is removed, the certificate revokes automatically. This keeps the certificate lifecycle aligned with device compliance without manual intervention.
The next phase adds a cloud-based RADIUS service to replace Microsoft NPS entirely. Because the certificates are already issued by the vendor CA, migration does not require reissuance. The RADIUS service will handle EAP-TLS validation and pass RADIUS Class attributes to the firewall for age-appropriate content filtering. The school plans four SSIDs in the final architecture: onboarding, secure TLS, guest, and IoT.
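The two moving parts in the paragraphs above, revocation that follows the device lifecycle and an EAP-TLS authorization decision that hands a Class value to the firewall, are easier to reason about in code. The following is an added example, not code from the school or from the vendor: a constructed in-memory lab CA (`newLabCA`, `issue`, `publishCRL`) stands in for the vendor CA, and `authorize` is a simplified model of what a RADIUS server does with a client certificate after the EAP-TLS handshake. The choice to carry the student group in the certificate OU and return it as the Class value is an assumption for illustration; how the vendor's service actually derives its attributes is not described on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// labCA is a constructed stand-in for the vendor CA: it issues client
// certificates and publishes a CRL. Everything stays in memory.
type labCA struct {
	Cert   *x509.Certificate
	key    *ecdsa.PrivateKey
	serial int64
}

func newLabCA(name string) (*labCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign needed to publish revocations
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &labCA{Cert: cert, key: key, serial: 1}, nil
}

// issue mints a client-auth certificate; the OU carries the student group
// (assumed layout for this example) that the firewall will filter on.
func (ca *labCA) issue(device, group string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial),
		Subject:      pkix.Name{CommonName: device, OrganizationalUnit: []string{group}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// publishCRL signs a CRL listing the given certificates as revoked, which is
// what an MDM-driven auto-revocation (device wiped, license removed) produces.
func (ca *labCA) publishCRL(revoked ...*x509.Certificate) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(time.Now().Unix()),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
	}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// authorize models the RADIUS-side decision for one EAP-TLS client certificate:
// chain to the trusted CA with the clientAuth EKU, reject anything listed on a
// CA-signed, unexpired CRL, then return the Class value for the firewall.
// Any doubt (bad chain, unsigned or stale CRL, missing OU) fails closed.
func authorize(trusted *x509.Certificate, crl *x509.RevocationList, client *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	if err := crl.CheckSignatureFrom(trusted); err != nil {
		return "", fmt.Errorf("CRL not signed by trusted CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return "", errors.New("CRL is stale; refusing to authorize")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(client.SerialNumber) == 0 {
			return "", fmt.Errorf("certificate serial %s is revoked", client.SerialNumber)
		}
	}
	if len(client.Subject.OrganizationalUnit) != 1 {
		return "", errors.New("certificate carries no single student-group OU")
	}
	return client.Subject.OrganizationalUnit[0], nil // becomes the RADIUS Class attribute
}

func main() {
	ca, _ := newLabCA("Lab School Device CA")
	active, _ := ca.issue("ipad-0042", "LowerSchool")
	wiped, _ := ca.issue("laptop-0117", "UpperSchool")
	crl, _ := ca.publishCRL(wiped) // Intune wipe -> certificate revoked
	for _, c := range []*x509.Certificate{active, wiped} {
		class, err := authorize(ca.Cert, crl, c)
		fmt.Printf("%s: class=%q err=%v\n", c.Subject.CommonName, class, err)
	}
}
```

Two details matter in practice. Revocation is only as good as the freshness check: a server that keeps accepting an expired CRL (or skips OCSP/CRL entirely) will keep admitting a wiped device, which is why `authorize` refuses a CRL past its `NextUpdate` instead of ignoring it. And the Class value must come from something the CA asserted at issuance, not from anything the client supplies at connect time, otherwise a student could pick their own filtering group.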
The Results
- NPS migration path established: a cloud-native RADIUS service replaces on-premises NPS without reissuing any existing certificates
- BYOD onboarding automated: SAML-based self-service enrollment for Windows, iOS, and Android
- Auto-revocation tied to Intune compliance: the certificate lifecycle stays in sync with device management
With a cloud-native RADIUS service, the school will gain real-time visibility into device connections and pass identity attributes directly to the firewall for content filtering by student age group, with no more time spent on manual NPS log searches.