Zero Trust policies are commonly enforced for cloud applications, where identity and device compliance checks happen before access is granted. But when it comes to Wi-Fi and VPN access, those same signals are often not part of the decision.
That creates a gap. A device might fail compliance checks in an MDM like Microsoft Intune, because of an outdated OS or disabled encryption, but still successfully authenticate to the network through RADIUS.
Foxpass’s latest Cloud RADIUS enhancements help close that gap by incorporating device posture signals into network authentication decisions, allowing organizations to extend Zero Trust principles to Wi-Fi and VPN access.
The gap between device compliance and network access
Many organizations already evaluate device posture using Microsoft Intune compliance policies. These policies verify things like operating system versions, encryption status, and other security requirements before allowing access to corporate resources.
However, those posture signals do not always influence network access itself.
At the same time, Microsoft Entra Conditional Access is designed for cloud authentication flows and token issuance. It is not part of the authentication path for RADIUS-based services like Wi-Fi or VPN.
The result is a common disconnect:
Devices are evaluated for compliance by MDM
Users authenticate to the network through RADIUS
Device posture is often not considered when granting network access
This means that devices that fall out of compliance may still connect to corporate Wi-Fi or VPN unless additional controls are implemented.
Introducing device posture-based access control in Foxpass
Foxpass now allows administrators to incorporate device posture alongside identity and certificate authentication when making network access decisions.
Device compliance continues to be evaluated by Microsoft Intune and surfaced through Microsoft Entra ID. Foxpass retrieves and caches these posture signals and uses them during RADIUS authentication to determine whether a device should be granted network access.
Based on configuration, administrators can:
Allow access only for compliant devices
Deny access for non-compliant devices
Place unmanaged or non-compliant devices into a quarantine network
This approach allows organizations to enforce a device posture requirement directly at the network layer while continuing to use their existing identity and device management systems.
Posture-aware access without full Network Access Control (NAC) complexity
Traditional NAC solutions often rely on endpoint agents, inline enforcement appliances, and continuous device interrogation across the network. While these systems can provide deep visibility and control, they can also introduce operational complexity and infrastructure overhead.
Foxpass takes a lighter-weight approach. Device posture continues to be evaluated by the organization’s existing MDM platform, and Foxpass applies those signals during the authentication process. Because enforcement happens during RADIUS authentication, organizations can implement posture-aware network access decisions without deploying additional agents, inline appliances, or a full NAC infrastructure.
For many teams, especially those operating in cloud-first or distributed environments, this provides a practical way to enforce device compliance at the network edge.
How posture enforcement works
Device posture-based access control in Foxpass is configurable and not enabled by default.
Posture signals become available once the integration with Intune and Entra ID is established, but administrators can choose how and when to enforce policies. Some organizations may begin observing posture signals before introducing enforcement, while others may immediately restrict access for devices that fail compliance checks.
Depending on policy requirements, administrators can:
Deny access entirely for non-compliant devices
Place those devices into a quarantine network for remediation
Continue monitoring posture signals before enabling enforcement
It is also important to understand where these decisions occur in the authentication flow.
Microsoft Intune evaluates device compliance. Microsoft Entra ID surfaces device state information. Foxpass uses those signals to inform the network access decision during RADIUS authentication.
Because Wi-Fi and VPN authentication rely on RADIUS, these enforcement decisions occur outside the Microsoft Entra Conditional Access model that is used for cloud applications.
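The monitor, deny and quarantine options described in this section, sketched as an added example of a posture-aware RADIUS decision; this is not Foxpass code or configuration. The mode names, cache age limit, quarantine VLAN ID, device IDs and the choice to treat stale or missing posture like a failed check are assumptions; the VLAN reply attributes are the standard RFC 3580 ones.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical settings for illustration; not Foxpass option names.
MONITOR, DENY, QUARANTINE = "monitor", "deny", "quarantine"
CACHE_MAX_AGE_S = 3600   # assumed freshness limit for cached posture
QUARANTINE_VLAN = "999"  # assumed remediation VLAN

@dataclass
class Posture:
    is_managed: bool     # device is enrolled in MDM
    is_compliant: bool   # MDM compliance verdict
    fetched_at: float    # epoch seconds when the signal was cached

def vlan_attrs(vlan_id: str) -> dict:
    # Standard RFC 3580 reply attributes for dynamic VLAN assignment.
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": vlan_id}

def posture_state(p: Optional[Posture], now: float) -> str:
    if p is None:
        return "unknown-device"
    if now - p.fetched_at > CACHE_MAX_AGE_S:
        return "stale"   # assumption: an old verdict is not trusted
    if not p.is_managed:
        return "unmanaged"
    return "compliant" if p.is_compliant else "non-compliant"

def decide(cert_valid: bool, p: Optional[Posture], mode: str, now: float):
    """Return (RADIUS reply code, reply attributes, reason for the log)."""
    if not cert_valid:   # identity/certificate check comes first
        return "Access-Reject", {}, "certificate-invalid"
    state = posture_state(p, now)
    if state == "compliant":
        return "Access-Accept", {}, state
    if mode == MONITOR:  # observe only: log the finding, still admit
        return "Access-Accept", {}, "monitor:" + state
    if mode == QUARANTINE:
        return "Access-Accept", vlan_attrs(QUARANTINE_VLAN), "quarantine:" + state
    return "Access-Reject", {}, "deny:" + state

# Constructed sample cache keyed by device ID (IDs are made up).
NOW = 1_700_000_000.0
CACHE = {"dev-a": Posture(True, True, NOW - 60),
         "dev-b": Posture(True, False, NOW - 60),
         "dev-c": Posture(True, True, NOW - 7200)}

if __name__ == "__main__":
    for dev in ("dev-a", "dev-b", "dev-c", "dev-x"):
        for mode in (MONITOR, QUARANTINE, DENY):
            print(dev, mode, decide(True, CACHE.get(dev), mode, NOW))
```

In monitor mode the reason string is the only trace of a failed posture check, so it should be written to the authentication log before enforcement is switched on.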
Bringing Zero Trust to the network edge
By incorporating device posture into network authentication decisions, Foxpass extends Zero Trust policies beyond cloud applications to the network itself. Each connection can be evaluated using multiple signals, including identity, certificates, and device compliance, before network access is granted.
For organizations already using Microsoft Intune and Entra ID, this provides a straightforward way to align Wi-Fi and VPN access policies with existing device compliance requirements.





