I've been playing around with this feature the past week and have some questions about it. Here is my situation:
1. We are going through a merger, one that hasn't been very well organized from an endpoint perspective. Both domains have EAP-TLS configured, with machine certs issued via internal PKI, GPOs pushed to use EAP-TLS for a specific SSID, etc.
2. I have a need to find a way for machines from both domains to be able to connect to existing SSIDs on my network. Obviously, something like PSK is an option, but not ideal for obvious reasons. At a certain point in the near future machines and users will start to be migrated to the other domain. I honestly don't know if they will lose their PKI-issued machine certs or the GPO with the EAP-TLS settings; I'm assuming so.
3. I had the idea of using local auth and having a "generic" client auth cert pushed to all computers on both sides. Uploading the CA to the dashboard, and possibly enabling computers on both sides to authenticate to the same SSID regardless of which domain the computer was imaged on.
4. When I upload the CA our current computers' machine certs are signed by and enable local auth, it works like a charm.
5. I used OpenSSL to create a new CA, server cert, and client cert. Uploaded the CA to the dashboard, installed the client cert on a test machine. Doesn't work. I've tried every combination of Windows settings for that SSID. I've tried uploading the CA, the server cert, and the client cert to the dashboard. I just get generic messages like "can't connect to this network". I honestly don't know why. The CA is in the dashboard. A client cert signed by that CA is on the machine. In my mind it should work. Yes, the CA is also installed on the machine as a trusted root CA.
Is this even possible or am I banging my head against a wall?