Channel: Network Access Protection forum

Type of certificate for EAP-TLS certificate based authentication


We would like to set up both domain computers and non-domain computers to access our wireless LAN without the need for the user to enter their domain login credentials and remember to update the wireless settings every time they change their domain password.

We now use PEAP CHAPv2 and it works OK for domain computers, but it is a hassle for non-domain laptops when passwords expire, so we want to change it to EAP-TLS and import authentication certificates onto the non-domain devices.

Are you supposed to use a certificate from your internal domain CA or should you use a third party commercial certificate such as Verisign or GoDaddy etc.?
I thought I read somewhere that you are supposed to use an internal Enterprise CA, but if you did that, wouldn't the non-domain devices give warnings and errors about using a certificate from an untrusted Root CA?  Only the domain PCs could trust an internally generated certificate by default.

How are the certificates named? Are they named to match the DNS host name of the RADIUS server (such as "RadiusServer2.domain.local") the way you name an SSL cert for a web server, or are the certificates given a friendly name such as "Office Wireless Cert"?

