I second this. Configure something like Microsoft Certificate Server (part of Windows Server) and a group policy to deploy a certificate to every AD member, and then use that for authentication.

Once you have the certificate deployment done, here is a walkthrough for the NPS configuration required:

https://documentation.meraki.com/MR/Encryption_and_Authentication/Creating_a_Policy_in_NPS_to_support_EAP-TLS_authentication

Except skip the entire first section on "Connection Request Policies". This section does absolutely nothing. Whoever wrote that didn't know what connection request policies do.