We succeeded in setting up a Wireless LAN comprising a 4404 Controller, 20 Access Points 1140 and an IAS server installed on a Domain Controller.
Each wireless machine with a personal certificate (issued to the computer account) authenticates (PEAP authentication with MS Radius Server for 802.1x) prior to the user authentication (using domain credentials). For the past week, machines without a personal certificate have been granted access to the wireless network. We cannot find out what has caused this change. Our aim is to grant access only to machines with a personal certificate.
If you are just using PEAP, then all that is required is a certificate on the RADIUS server. The clients would not have to have one in order to successfully authenticate. If you want to have the clients be forced to use certificates, then you are going to have to set up EAP-TLS on your IAS and not allow PEAP.
We resolved the issue by re-creating the PEAP Policy on another DC running an IAS Server with the correct certificate, but we were unable to diagnose the cause of this problem. All OK now, and we are planning to do the same with the previous failed RADIUS server so it can act as a secondary RADIUS Server.
To Lee, thanks for your reply. You can still use a computer certificate under PEAP to tighten the control on devices accessing your Wireless LAN. It's a means to prevent any domain computer from being used to access the Wireless LAN.