June 13, 2026

How SecureW2 Drove a Phased Transition to Certificate-Based Authentication for a Public University

At a Glance
Industry: Higher Education
Use Case: Hybrid RADIUS integration, eduroam Wi-Fi authentication via EAP-TLS, BYOD enrollment, managed device certificate deployment across Intune and Jamf
Products: Dynamic PKI, JoinNow Platform, MultiOS for Device Onboarding
Key Result: Implemented a cloud-native PKI to bridge the gap between the university’s Intune-managed fleet and legacy on-premises infrastructure.

The Challenge

An Australian public university wanted to gradually migrate to a cloud-native identity and security framework. The university needed to move its eduroam Wi-Fi network from password-based authentication to certificate-based EAP-TLS. The organization was also migrating from an on-premises RADIUS server to Juniper.

The device fleet added complexity. Windows machines were managed through Microsoft Intune, while nearly 400 staff Macs ran on Jamf. BYOD devices from students and staff needed a separate enrollment path entirely. Each of these three populations required its own certificate enrollment configuration, trust chain and Wi-Fi profile — all feeding into the same eduroam SSID.

The university also needed its PKI to support separate intermediate certificate authorities: one for managed device enrollment through MDM platforms, and another dedicated to the on-premises RADIUS server for client-side certificate validation. Getting the trust chain right across both intermediates was non-negotiable for EAP-TLS to work.

The Solution

The university ran a proof of concept that tested certificate issuance across all three device populations. The POC validated that the PKI could issue certificates consumed by the university’s own RADIUS server — a configuration that required precise alignment between the intermediate CAs, Wi-Fi profiles and RADIUS trust settings.

BYOD enrollment went live first, using SAML-based authentication to verify student and staff identity before issuing certificates. Students and staff self-enrolled personal devices, receiving digital certificates tied to their university credentials.

Intune-managed Windows devices came next. The IT team configured SCEP-based certificate enrollment through Intune, pushing certificates and Wi-Fi profiles to the Windows fleet. Devices authenticated to eduroam using EAP-TLS with issued certificates, validated by the university’s on-premises RADIUS server.

The Jamf deployment for staff Macs required additional configuration work. The IT team set up certificate enrollment profiles scoped to test devices first, validating that the correct intermediate CA was referenced in the Wi-Fi profile’s trusted certificate list. With close to 400 Macs in the fleet, the team took a measured approach — confirming authentication worked end-to-end on test devices before expanding the scope.

The PKI issued certificates through the appropriate intermediate CA for each enrollment path, while the university maintained full control of its RADIUS infrastructure and authentication policies.

The Results

  • BYOD and Intune-managed devices authenticating via EAP-TLS on eduroam with certificates
  • On-premises RADIUS preserved, maintaining existing authentication infrastructure while adopting cloud-managed PKI
  • Dual intermediate CAs configured for managed device enrollment and RADIUS server validation
  • Jamf Mac fleet progressing through staged certificate deployment for 350+ staff devices

The deployment demonstrates that cloud-managed PKI can seamlessly integrate with existing RADIUS infrastructure. The university adopted the JoinNow Platform for certificate lifecycle management while maintaining full ownership of its authentication backend — a model that fits institutions with established network architectures and specific compliance requirements.
