Hi All,
I'm trying to test 802.1x authentication in a lab environment with some standalone 1131AGs and a Server 2008 R2 NPS server. I've been able to set up a few different scenarios but none have met all my requirements:
Scenario 1:
Laptops in the domain automatically get certs from a GPO.
Laptops in the domain automatically get an SSID configured from a GPO.
Laptops in the domain automatically authenticate using their computer certificate.
Problem:
I can't add non-domain computers to this network. I've tried installing computer certs using Windows 2008 R2's certsrv CA web portal but these types of certs don't seem to work.
Scenario 2:
Same as below except I provide non-domain computers with a user certificate which they can request through Windows 2008 R2's certsrv CA web portal.
They can connect BUT they can export the private key and put it on other devices or give it to their friends, etc.
I'd like to figure out a way to ensure certificates can't be exported or at least require a user cert and a username and password to get onto the wireless network. Is this not possible with EAP-TLS or PEAP-TLS?
Thanks!