In NPS, if an EAP-TLS policy is configured for wireless clients, am I correct in assuming that any client that has a certificate issued from any of the built-in root CAs (i.e., DigiCert, Go Daddy, Verisign, etc.) would also be able to successfully authenticate? Is there no way to lock down the policy to just authenticate clients with certificates issued from your internal CA?
Thanks