We've got a wireless network set up already and we're getting a Cisco ISE for this project. We're investigating deploying two-factor authentication, with the two factors being: Domain Username/Password and a Certificate.
Is the only way to do two-factor authentication like this with EAP-Chaining?
Will EAP-Chaining work on Android and Apple iOS devices?
Have you considered using a USB secure certificate token store instead? An example is something like this:
Basically you issue a certificate, and it is stored on the USB token. You give this to the user along with (usually) a PIN.
The user plugs the token into their machine, and they get asked for the PIN. This unlocks the certificate store, and it now shows up as a normal certificate store in Windows.
Being a normal certificate store, you can use the certificate for WiFi authentication, VPN authentication, email encryption, etc.
You may be able to use other methods aside from a PIN. I have only seen it used with a PIN.