We're preparing to roll out a secure WLAN across a relatively large enterprise network (2000+ users). The original plan was for new client connections to be kicked back to ACS (ver 4.2), which is configured for PEAP and references AD for username authentication. In this scenario, any device that supports WPA2-Enterprise w/ PEAP MS-CHAPv2 can connect to our internal network wirelessly so long as the submitted username/password passes AD authentication. This has been raised as a big security concern, so we're now looking into options for allowing access to only company-issued devices.
Machine Authentication initially seemed the way to go, but we have a fair number of employees with company-issued Macs, as well as PCs running Linux, and those must be allowed as well. We've considered EAP-TLS, but we're being told that deploying certificates for so many clients is not considered a “supportable” solution due to infrastructure requirements and administrative overhead. Earlier today, someone suggested installing the Quest Authentication Services (formerly Vintela) client on non-Windows devices, which would enable them to use AD services, but getting budget to buy licenses will likely set us back a long time.
Would it be possible and sensible to configure ACS so that if a client can't do machine authentication, it would switch to certificate-based authentication with EAP-TLS instead? If only non-Windows devices require certs, then the CA administration ought to be manageable.
Is anyone aware of any other alternative solutions for this?
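As an added example (not from the original post), here is what the two options look like on a Linux client's wpa_supplicant side: the PEAP/MS-CHAPv2 profile described in the post, and the EAP-TLS profile that ties access to a device certificate. The EAP method a client ends up using is chosen by its supplicant profile from what the RADIUS server offers, so the SSID, CA name, file paths and identities below are placeholders.

```conf
# Added illustration, not part of the original post; SSID, paths and
# identities are placeholders. Linux wpa_supplicant.conf syntax; a Mac
# would carry the same settings in a configuration profile.

# 1) PEAP/MS-CHAPv2 as described in the post: any device holding valid AD
#    credentials can join. ca_cert and domain_match are still needed so the
#    supplicant refuses to send the MS-CHAPv2 exchange to an access point
#    presenting a certificate that was not issued for the real RADIUS server.
network={
    ssid="CORP-WLAN"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="REPLACE-ME"                    # user credential, not device-bound
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}

# 2) EAP-TLS: access is tied to a certificate issued by the company CA to
#    this device. A leaked username/password alone is not enough to join;
#    the private key must be present on the client.
network={
    ssid="CORP-WLAN"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="host/laptop0123.corp.example"  # subject of the device cert
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    client_cert="/etc/wpa_supplicant/certs/laptop0123.pem"
    private_key="/etc/wpa_supplicant/certs/laptop0123.key"
    private_key_passwd="REPLACE-ME"
    domain_match="radius.corp.example"
}
```

Both blocks can coexist in one supplicant configuration; with `priority` set higher on the EAP-TLS block, a device that has a certificate will prefer it and one without will fall back to PEAP, which is the client-side half of the split the post asks about.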