Skip to main content

Configuring 802.1X Wired Network Authentication on Windows Devices

  • Updated

802.1X is an IEEE standard for port-based network access control. 

When enabled on a school’s wired network, each device must authenticate against a RADIUS server before the network switch grants it access. This prevents unauthorised devices from connecting to the school LAN, even if they are physically plugged in.

On Windows devices managed through Mobile Guardian, 802.1X wired authentication is configured via Microsoft Intune and applied through the Mobile Guardian Profiles system. 

Intune pushes the authentication settings, certificate references, and EAP configuration to enrolled devices. Mobile Guardian’s Baseline and Conditional Profiles determine which devices receive the policy based on their Azure AD group membership.

This article covers how to deploy 802.1X wired network authentication using the Intune Settings Catalog (recommended) and Custom OMA-URI.

What You Will Learn

  • How 802.1X wired authentication maps to Mobile Guardian Profiles
  • How to deploy a trusted root certificate for your RADIUS server
  • How to configure 802.1X wired authentication using the Intune Settings Catalog
  • How to configure the same settings using Custom OMA-URI
  • How to verify authentication is working on enrolled devices

Prerequisites

  • Windows 10/11 Pro or higher
  • Devices enrolled in Mobile Guardian via Microsoft Intune (see Windows OS Onboarding: Part 1)
  • Admin access to the Mobile Guardian Dashboard
  • Admin access to Microsoft Intune
  • A functioning RADIUS server (e.g., Microsoft NPS, FreeRADIUS, or a cloud RADIUS service) configured to accept 802.1X authentication
  • The root CA certificate (.cer or .pem) used by your RADIUS server
  • If using certificate-based authentication (EAP-TLS): a SCEP or PKCS certificate profile already deployed to devices via Intune

 

How 802.1X Fits Into Mobile Guardian Profiles

802.1X wired network policy is applied at the profile level in Mobile Guardian, not per-device. The Intune configuration profile is assigned to an Azure AD group, and Mobile Guardian’s Baseline and Conditional Profiles determine which devices belong to each group.

Recommended profile structure:

Profile Type Use Case
Baseline Profile Apply a standard 802.1X wired configuration to all enrolled Windows devices using PEAP (username and password authentication)
Conditional Profile Apply certificate-based authentication (EAP-TLS) to a specific group, such as staff devices or lab machines that require a higher level of network trust

Note

802.1X wired authentication requires the Wired AutoConfig service (dot3svc) to be running on each device. This service is installed by default on Windows 10/11 Pro and Education editions but is stopped by default. The Intune policy will start the service automatically when the wired network profile is applied.

 

Step 1: Deploy the Trusted Root Certificate

Before configuring 802.1X, the RADIUS server’s root CA certificate must be deployed to devices so they can validate the server during authentication. If your root certificate is already deployed via Intune, skip to Step 2.

Create a Trusted Certificate Profile

Sign in to the Microsoft Intune Admin Centre and navigate to:

  1. Devices
  2. Manage Devices (drop-down)
  3. Configuration
  4. Create > New Policy

On the Create Profile window:

  • Platform: Windows 10 and later
  • Profile type: Trusted certificate
  • Click Create

Complete the Profile

  1. Name: Enter a descriptive name (e.g., RADIUS Root CA Certificate)
  2. Description: Optional but recommended
  3. Click Next
  4. Upload the root CA certificate file (.cer or .pem)
  5. For Destination store, select Computer certificate store - Root
  6. Click Next
  7. Skip Scope Tags (click Next)
  8. Under Assignments, click Add groups and select the relevant Azure AD group (e.g., All Windows Devices)
  9. Click Next, then Create

Note

The trusted certificate profile must be assigned to the same device group as the 802.1X wired network profile. If devices do not have the root certificate, authentication will fail because the device cannot verify the RADIUS server’s identity.

 

Step 2: Configure 802.1X Wired Authentication

Method 1: Intune Settings Catalog (Recommended)

This method uses the Intune Settings Catalog to configure the wired network profile. It is the recommended approach for most schools as it provides a guided UI with human-readable setting names.

Create a New Configuration Profile

In the Intune Admin Centre, navigate to Devices > Manage Devices > Configuration > Create > New Policy:

  • Platform: Windows 10 and later
  • Profile type: Templates
  • Template name: Wired Network
  • Click Create

Complete the Basics

  • Name: Enter a descriptive name (e.g., Mobile Guardian 802.1X Wired Network - Students)
  • Description: Optional but recommended
  • Click Next

Configure Authentication Settings

Under 802.1X, configure the following:

Setting Recommended Value Notes
Authentication mode User or Machine Authenticates with whichever credential is available. Use Machine if devices should authenticate before any user signs in
Authentication method PEAP Username/password authentication. Use EAP-TLS for certificate-based authentication
EAP type EAP-MSCHAPv2 (for PEAP) The inner authentication method used inside the PEAP tunnel
Trusted root certificate for server validation Select the certificate profile created in Step 1 Required for the device to trust the RADIUS server
Authentication period (seconds) 60 Time the device waits for the switch to respond
Authentication retry delay (seconds) 5 Delay before retrying after a failed attempt
Maximum authentication failures 3 Number of failed attempts before the device stops trying
Cache user credentials Yes Stores credentials so the user does not need to re-enter them at each login

Note

If using EAP-TLS (certificate-based authentication), select your SCEP or PKCS certificate profile under Client certificate for client authentication instead of configuring EAP-MSCHAPv2. This requires a SCEP or PKCS profile to be deployed to devices first.

Skip Scope Tags

Click Next on the Scope Tags tab.

Assign to a Group

Under the Included groups section:

  • Click Add groups
  • Select the Azure AD group corresponding to your student or staff devices (e.g., Students, Staff Devices)
  • Click Next

Review and Create

Review your settings and click Create. The profile will sync to enrolled devices on their next Intune check-in.

 

Method 2: Custom OMA-URI

This method is for admins who prefer direct CSP control, have existing OMA-URI deployment templates, or are deploying the same policy across multiple tenants. It uses the WiredNetwork CSP to push an 802.1X XML profile to enrolled devices.

Create a Custom Configuration Profile

In the Intune Admin Centre, navigate to Devices > Manage Devices > Configuration > Create > New Policy:

  • Platform: Windows 10 and later
  • Profile type: Custom
  • Click Create
  • Enter a name (e.g., Mobile Guardian 802.1X Wired Network - OMA-URI)

Add the OMA-URI Setting

Under OMA-URI Settings, click Add:

  • Name: 802.1X Wired Network Profile
  • OMA-URI: ./Device/Vendor/MSFT/WiredNetwork/LanXML
  • Data type: String (XML)
  • Value: Paste your 802.1X LAN profile XML

Below is a reference XML for PEAP authentication. Modify the values to match your RADIUS environment:

<?xml version="1.0" encoding="UTF-8"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machineOrUser</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>25</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                  <ServerValidation>
                    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
                    <TrustedRootCA>INSERT_ROOT_CA_THUMBPRINT_HERE</TrustedRootCA>
                  </ServerValidation>
                  <FastReconnect>true</FastReconnect>
                  <InnerEapOptional>false</InnerEapOptional>
                  <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                    <Type>26</Type>
                    <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                      <UseWinLogonCredentials>true</UseWinLogonCredentials>
                    </EapType>
                  </Eap>
                  <EnableQuarantineChecks>false</EnableQuarantineChecks>
                  <RequireCryptoBinding>false</RequireCryptoBinding>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</LANProfile>

Key values to replace:

Placeholder What to enter
INSERT_ROOT_CA_THUMBPRINT_HERE The SHA-1 thumbprint of your RADIUS server’s root CA certificate. Find this in the certificate’s properties under Thumbprint

EAP Type reference:

EAP Type Number Protocol
13 EAP-TLS (certificate-based)
25 PEAP (username/password)
21 EAP-TTLS

Note

The XML above uses UseWinLogonCredentials set to true, which means the device will use the signed-in user’s Windows credentials for 802.1X authentication automatically. This avoids prompting the user for a separate username and password.

Enable the Wired AutoConfig Service

The Wired AutoConfig service (dot3svc) must be running for 802.1X to function. Add a second OMA-URI setting to start it automatically:

  • Name: Enable Wired AutoConfig Service
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWiredAutoConfigServiceStartupMode
  • Data type: Integer
  • Value: 2 (Automatic)

Assign and Create

Assign to the relevant Azure AD group and click Review + Create.

Link Back to Mobile Guardian Profiles

Once the Intune policy is deployed:

  • Navigate to Profiles in the Mobile Guardian left-hand menu
  • Select the Baseline Profile (for school-wide enforcement) or the relevant Conditional Profile
  • Under the What section of the profile, confirm that Windows device settings are active for the assigned group
  • The Intune policy will apply automatically to any device enrolled in the matching Azure AD group

 

Verifying Authentication

From the Mobile Guardian Dashboard

  • Navigate to Devices in the left-hand menu
  • Select All Devices and locate the Windows device
  • Click the eye icon to open the Device Information view
  • Confirm the device is shown as enrolled and active

Note

The Mobile Guardian Dashboard confirms device enrollment status, not the state of specific Intune configuration profiles. Use Microsoft Intune and device-side checks to verify that 802.1X authentication is working.

From the Device

On the Windows device:

  1. Open Settings
  2. Navigate to Network & Internet > Ethernet
  3. Confirm the connection shows as Connected with authentication active
  4. Open Services (search for “services” in the Start menu) and confirm Wired AutoConfig is running
  5. Open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > Wired-AutoConfig > Operational to review authentication events

From Microsoft Intune

Per-policy view — to see all devices the profile has been applied to:

  1. Navigate to Devices > Configuration in the Intune Admin Centre
  2. Select the 802.1X wired network profile
  3. Select Device and user check-in status
  4. Confirm the device shows a state of Succeeded

Per-device view — to confirm a specific device has received the policy:

  1. Navigate to Devices > All Devices
  2. Select the device
  3. Under Monitor, select Configuration
  4. Locate the 802.1X profile and confirm the state shows Succeeded

 

Troubleshooting

Issue Likely Cause Resolution
Device not authenticating after policy sync Wired AutoConfig service not running Confirm the service start mode OMA-URI is deployed, or manually start the service: net start dot3svc
Authentication fails with certificate error Root CA certificate not deployed or not trusted Verify the Trusted Certificate profile is assigned to the same group as the wired network profile
User prompted for credentials despite UseWinLogonCredentials Authentication mode set to User only, and machine credentials not cached Change authentication mode to Machine or User so the device can authenticate before user sign-in
Profile showing as Not Applicable in Intune Device running Windows Home edition Windows Home does not support MDM-managed 802.1X. Requires Pro or Education
Device authenticates intermittently RADIUS server timeout too short Increase the authentication period to 60 seconds and check RADIUS server logs for timeout entries
EAP-TLS failing on specific devices SCEP/PKCS certificate not enrolled on the device Verify the certificate profile status in Intune under the device’s Configuration monitor
Switch not granting access despite successful authentication VLAN assignment not configured on the RADIUS server Check the RADIUS server policy for correct VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID)

 

Please let us know if you found this helpful.

Thanks for reading! 🙂

Related articles