How do I get computer client certificates to my non-domain clients so they can access the WLAN?


  • Good day all,

    I'll try to be as succinct as possible, as I am hoping someone who has managed a network similar to the one I am describing will chime in with some advice.

    I am looking at using Windows 2008R2 NPS for RADIUS authentication to access my corporate WLAN. I'm thinking about using PEAP-TLS because while MSCHAPv2 is very easy to deploy, I didn't want someone to be able to enter their username/password on a device they bring in from outside and put it on my WLAN.

    For my domain workstations, this is no issue, as I set up autoenrollment for computer certificates and pushed the wireless profile with the correct EAP type and computer authentication using Group Policy.

    My dilemma is I have several wireless barcode scanners that we use in our warehouse that need to be on the corporate LAN. These devices run Windows CE 6 and are not part of the domain. So, basic question is, what is the best practice for using devices like these with PEAP-TLS?

    Do I have to request a computer certificate for each barcode scanner? Or do I just request one and import the same certificate onto all of my devices? And how do I request a computer certificate for these devices? Is this typically done from the device or is there another preferred method?

    Can someone provide me with some general direction on how best to work with NPS, RADIUS, and non-domain clients like these barcode scanners?

    Thanks for any help!

    Monday, February 11, 2013 3:17 AM