I have already shown how to set up a WPA Enterprise architecture with EAP-TLS using a user certificate (you can find that tutorial here). This works well, but in some situations it is not appropriate, because the network connection is only established once a user session has been opened.
To remedy this, we need to use computer authentication. With this method, the computer itself establishes the connection at system startup, i.e., while the Lock Screen is still displayed and before any user logs on.
In this guide, I'll describe the steps involved in deploying computer certificates in an AD CS architecture, so that domain-joined computers can authenticate to the network with them.
This guide assumes that AD CS is already installed and operational. For a detailed explanation of how to set it up, follow this link: Implementing WPA Enterprise (802.1X and RADIUS) with EAP-TLS on UniFi WiFi Access Points.
From the AD CS server, we'll create a certificate template for our workstations, which will enable us to generate the certificates used for computer authentication.
Finally, click OK to create the template.
We need to configure our NPS server (the RADIUS server in the Microsoft ecosystem) to accept authentication from a group of computers. I will not go through the complete installation process again here, because I have already explained it in the guide linked above.
I'll describe below how to create a Network Policy in which we define the group of computers allowed to connect to the network and the authentication protocols used.
Once AD CS is properly configured, we can request a Workstation certificate from any domain-joined computer.
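The request described above can also be made non-interactively. The following PowerShell script is an added example, not part of the original tutorial: it enrolls a certificate from the template using the PKI module's Get-Certificate cmdlet and then checks the properties that EAP-TLS computer authentication actually depends on (private key in the machine store, Client Authentication EKU, a subject or SAN matching the host, and a chain that builds to a trusted CA). It assumes the template's internal name is "Workstation"; adjust it if yours differs.

```powershell
# Added example (not from the original tutorial). Requests a machine certificate
# from AD CS and verifies it is usable for EAP-TLS computer authentication.
# Assumption: the template's internal name is "Workstation".
# Run in an elevated PowerShell session on a domain-joined computer.

$TemplateName = 'Workstation'            # assumed template name
$Store        = 'Cert:\LocalMachine\My'  # machine store, required for computer auth

# 1. Enroll. Get-Certificate performs the same enrollment the MMC wizard does,
#    but without clicking through the dialog.
$result = Get-Certificate -Template $TemplateName -CertStoreLocation $Store
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is '$($result.Status)'"
}
$cert = $result.Certificate

# 2. Verify the properties NPS and the supplicant will rely on.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$hasClientAuth = $cert.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid

$fqdn        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$nameMatches = ($cert.DnsNameList.Unicode -contains $fqdn) -or ($cert.Subject -like "CN=$fqdn*")

$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)

[pscustomobject]@{
    Thumbprint      = $cert.Thumbprint
    Subject         = $cert.Subject
    NotAfter        = $cert.NotAfter
    HasPrivateKey   = $cert.HasPrivateKey   # key must live in the machine store
    ClientAuthEku   = $hasClientAuth        # EAP-TLS requires the Client Authentication EKU
    NameMatchesHost = $nameMatches          # lets NPS map the cert to the computer account
    ChainBuilds     = $chainOk              # issuing CA must be trusted on this machine
    ChainStatus     = ($chain.ChainStatus.StatusInformation -join '; ')
} | Format-List

if (-not ($cert.HasPrivateKey -and $hasClientAuth -and $chainOk)) {
    Write-Warning 'Certificate was issued but will not work for EAP-TLS computer authentication; review the template settings.'
}
```

If ChainBuilds is false, the computer has the certificate but does not trust the issuing CA; that usually means the root or intermediate CA certificate has not yet been distributed to the machine's Trusted Root store, and the 802.1X connection will fail even though enrollment succeeded.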
To automate certificate renewal, we can create a GPO and apply it to all domain-joined computers.
C:\> gpupdate
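To confirm that the auto-enrollment GPO actually reached a computer, the following script is an added example (not from the original tutorial). It refreshes computer policy, reads back the auto-enrollment registry value the GPO writes, triggers the enrollment task immediately instead of waiting for the next boot or 8-hour cycle, and lists the machine certificates that carry the Client Authentication EKU along with their remaining lifetime. The template name "Workstation" is an assumption.

```powershell
# Added example (not from the original tutorial). Verifies that the auto-enrollment
# GPO applied and that the machine holds a valid EAP-TLS certificate.
# Assumption: the template is named "Workstation". Run elevated on a domain member.

$AeKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ClientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# 1. Pull the latest computer policy (same as the tutorial's gpupdate step).
gpupdate /target:computer | Out-Null

# 2. Read back what the GPO wrote. AEPolicy = 0x8000 (32768) means auto-enrollment
#    is disabled; 7 is what the GPO writes when it is enabled with both
#    "renew expired / update pending / remove revoked" and
#    "update certificates that use certificate templates" ticked.
$ae = Get-ItemProperty -Path $AeKey -Name AEPolicy -ErrorAction SilentlyContinue
if (-not $ae) {
    Write-Warning "No AutoEnrollment policy under $AeKey - the GPO has not applied to this computer."
} elseif ($ae.AEPolicy -band 0x8000) {
    Write-Warning 'Auto-enrollment is explicitly disabled by policy.'
} else {
    "AEPolicy = $($ae.AEPolicy) (auto-enrollment enabled)"
}

# 3. Kick off the auto-enrollment task now rather than waiting for the scheduled run.
certutil -pulse | Out-Null
Start-Sleep -Seconds 15

# 4. List the machine certificates usable for EAP-TLS, with days until expiry and
#    the template they came from (Certificate Template Information extension).
$TemplateOid = '1.3.6.1.4.1.311.21.7'
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuth) } |
    Select-Object Thumbprint, Subject, NotAfter,
        @{ n = 'DaysLeft'; e = { [int]($_.NotAfter - (Get-Date)).TotalDays } },
        @{ n = 'Template'; e = {
            $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid }
            if ($ext) { $ext.Format($false) } else { '(v1 template or none)' }
        } } |
    Format-Table -AutoSize
```

A computer that shows the policy as applied but still has no certificate in the list usually lacks Enroll and Autoenroll permissions on the template for the computer group you created, or cannot reach the CA; both show up in the CertificateServicesClient-AutoEnrollment entries of the Application event log.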