We have Cisco ACS 4.2 with PEAP MSCHAPv2 running on Server 2003 which allows both automatic computer authentication of our domain-joined laptops and manual user authentication via the users' domain user names and passwords for devices not joined to our domain. We have a business need to allow approved, non-domain-joined computers to connect to our network (so we absolutely cannot restrict network connections to only allow devices joined to our AD domain), but because of this, this is being abused and people are also bringing in their rogue personal laptops and smartphones and connecting to the wireless.
Support for Cisco ACS 4.2 ends this year and, before we pay for upgrading from 4.2 to 5.x, we would like to see if we could just retire ACS and Server 2003 and migrate our wireless to 802.1x managed by one of our existing Server 2008 or 2008R2 servers instead.
One change we would like to do is make a change that prevents users from authenticating from their personal smartphones and laptops by simply typing in their domain user names and passwords. We would like to have more control over which devices connect and also make changes so that the users who are authorized to use outside devices not joined to our domain (such as contractors working in our office from their pre-approved company laptops) don't have their domain account get locked out every month when their domain password changes and they forget to update the saved wireless credentials on their devices.
We currently have older Cisco wireless access points which we may also replace with something else (maybe something that integrates best with Microsoft if we drop ACS).
Are there any particular types/brands of wireless access points that work well with Microsoft wireless authentication?
Can roles built into Server 2008 R2 handle migrating from Cisco ACS and also add the ability to manage authentication of approved devices that are not members of our domain, either without using user credentials at all or else using user credentials but not locking out their domain user accounts when the old/wrong password is saved in the wireless connection settings?
I suppose one option for contractor laptops would be to make a second account for the user with a non-expiring password and not give this account rights to do anything else except authenticate wireless and then have IT staff enter the credentials into the device for the user without telling the user what the password is (so they cannot add it to rogue devices), but I hope there is a better/easier option than that.
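One mitigation for the lockout problem described above, whichever RADIUS server ends up in front of the wireless, is to spot devices that keep presenting stale saved credentials before the failure count reaches the domain lockout threshold. The script below is an added example, not code from the original post: it parses NPS "access denied" events (Security log, Event ID 6273) and groups credential-mismatch denials (Reason Code 16) by account and client MAC. It assumes NPS on Server 2008 R2 auditing to the Security log with the usual `SubjectUserName`, `CallingStationID` and `ReasonCode` event fields; the sample events embedded in `Get-SampleEvents` are constructed for offline testing and are not real log data, and the `-Threshold` value is an assumed choice that should sit below the domain's account lockout threshold.

```powershell
# Added example, not from the original post. Flags wireless clients that keep
# failing PEAP-MSCHAPv2 with a credential mismatch (NPS event 6273, reason 16),
# so IT can fix a stale saved password before the domain account locks out.

function ConvertFrom-NpsDenyEvent {
    # Turns the XML of one Event ID 6273 record into a flat object.
    param([Parameter(Mandatory=$true)][string]$EventXml)
    $x  = [xml]$EventXml
    $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $d = @{}
    foreach ($node in $x.SelectNodes('//e:EventData/e:Data', $ns)) {
        $d[$node.GetAttribute('Name')] = $node.InnerText
    }
    New-Object PSObject -Property @{
        Time       = [datetime]$x.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        Account    = $d['SubjectUserName']     # user or host/... for machine auth
        ClientMac  = $d['CallingStationID']    # MAC reported by the access point
        ReasonCode = [int]$d['ReasonCode']     # 16 = credential mismatch
        EapType    = $d['EAPType']
    }
}

function Find-StaleWirelessCredentials {
    # Returns account/MAC pairs with at least $Threshold credential-mismatch denials.
    param([object[]]$Events, [int]$Threshold = 3)   # Threshold is an assumed value
    $Events |
        Where-Object { $_.ReasonCode -eq 16 } |
        Group-Object Account, ClientMac |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Account   = $_.Group[0].Account
                ClientMac = $_.Group[0].ClientMac
                Failures  = $_.Count
                LastSeen  = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            }
        }
}

function New-SampleEvent {
    # Builds a constructed 6273 record; field names follow the NPS audit schema.
    param([string]$Account, [string]$Mac, [int]$Reason, [string]$When)
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>6273</EventID>
    <TimeCreated SystemTime="$When"/></System>
  <EventData>
    <Data Name="SubjectUserName">$Account</Data>
    <Data Name="CallingStationID">$Mac</Data>
    <Data Name="ReasonCode">$Reason</Data>
    <Data Name="EAPType">Microsoft: Secured password (EAP-MSCHAP v2)</Data>
  </EventData>
</Event>
"@
}

function Get-SampleEvents {
    # Constructed sample data: a contractor laptop retrying a stale password three
    # times, one stray failure from another MAC, and a denial with a different reason.
    @(
        (New-SampleEvent 'CONTOSO\jdoe' '00-11-22-33-44-55' 16 '2012-03-01T08:00:00.000Z'),
        (New-SampleEvent 'CONTOSO\jdoe' '00-11-22-33-44-55' 16 '2012-03-01T08:05:00.000Z'),
        (New-SampleEvent 'CONTOSO\jdoe' '00-11-22-33-44-55' 16 '2012-03-01T08:10:00.000Z'),
        (New-SampleEvent 'CONTOSO\jdoe' 'AA-BB-CC-DD-EE-FF' 16 '2012-03-01T09:00:00.000Z'),
        (New-SampleEvent 'CONTOSO\bob'  '66-77-88-99-AA-BB' 66 '2012-03-01T09:30:00.000Z')
    )
}

# Offline run against the constructed samples: only jdoe from 00-11-22-33-44-55 is reported.
$parsed   = Get-SampleEvents | ForEach-Object { ConvertFrom-NpsDenyEvent $_ }
$findings = Find-StaleWirelessCredentials -Events $parsed -Threshold 3
$findings | Format-Table Account, ClientMac, Failures, LastSeen -AutoSize

# On the NPS itself (Security log, last 24 hours) the same functions apply to real events:
# $real = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6273; StartTime=(Get-Date).AddDays(-1)} |
#             ForEach-Object { ConvertFrom-NpsDenyEvent $_.ToXml() }
# Find-StaleWirelessCredentials -Events $real -Threshold 3
```

Grouping by account and MAC together is what makes the output actionable: a single account failing from one MAC points at a device with an old password saved, whereas the same account failing from many MACs is a different problem. Pairing this with a lockout threshold that is higher than the wireless retry count, or with machine or certificate authentication for the approved non-domain devices, removes the password-change dependency altogether.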