Deployed 802.1x wireless SSID's with RADIUS authentication. Deployed 802.1x wired network with core switch being authentication point to RADIUS server. This included device certificates for non-Windows devices. 802.1x wireless network deployment was to free up existing wires for a secure ThinClient and RDS environment using SmartCard logins (ThinClient and RDS session) to isolate business system from normal user business PC activity. Using layer 1 (physical security) to prevent someone from accidently plugging into a port and getting a connection since client believes physical security is not a problem but end users are the greatest risk.
Shorten the window between steps since getting from PoC to production was mostly about teaching skills learned but forgotten. Also, use a different vendor for ThinClients - we are an HP/HPE shop but the ThinClient group was left in HP not HPE so support was a challenge sometimes to get answers.
Windows Hello biometric was never abler to be used for 802.1x wired so disabled for organization and did not try it for the 802.1x wireless. Believe the wireless would be more likely since RADIUS request is at the AP level and Meraki AP's are feature rich. With the wired it was at a HP switch that did not support the same richness options and if replaced might work. Issue with Windows Hello implementation on non-802.1x were being resolved when client started using newer HP AIO's that had it own biometric option that bypassed issue so stopped trying to solve at that point.