
New 2008 R2 PKI coexistence with old 2003 R2 CA


I am trying to resolve an issue with the coexistence of two computer certificates from different AD-integrated PKIs. We have an old 2003 R2 CA that expires soon and a new two-tier 2008 R2 PKI. Both are AD-integrated in our single-domain forest. For several years we have been using the built-in Computer certificate template on all our wireless domain-joined devices for WPA2 (EAP-TLS) authentication. Our Cisco ACS devices can only have one CA cert installed, and it is currently from our old CA; therefore, I purposely have not added the "Computer" template to our new PKI.

I have duplicated the Computer template (computer v1), set the ACLs so that only a select group of devices have enroll/autoenroll permission, and added it to the new PKI for issuing. My test wireless Windows 7 device already has the Computer cert from our old PKI and wireless is working. As soon as the device auto-enrolls for the computer v1 certificate, I cannot reconnect to wireless, even though the original Computer certificate is also present.

I need to get the new computer v1 cert to all our devices without breaking the wireless authentication. Once the new cert is available, we will add the new CA cert to all our Cisco ACS devices.

Any ideas on why wireless is failing after adding the new computer v1 cert?
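A first step in diagnosing a problem like the one described above is to see exactly which machine certificates Windows could offer for EAP-TLS and which root each one chains to, since the RADIUS server here only trusts one CA. The script below is an added example, not code from the original post; it is written for Windows PowerShell on the client, assumes the LocalMachine\My store holds the certificates in question, and treats the two Microsoft template extensions (OIDs 1.3.6.1.4.1.311.20.2 for v1 templates and 1.3.6.1.4.1.311.21.7 for v2 templates) as the way to tell which template issued each cert. Nothing on the page states which certificate the client actually selects; the script only makes the candidate set visible.

```powershell
# Added diagnostic example (not from the original post).
# Lists every certificate in LocalMachine\My that has a private key and the
# Client Authentication EKU, i.e. every certificate the EAP-TLS supplicant
# could present, and reports the issuing template and the root it chains to.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$templateOids  = @(
    '1.3.6.1.4.1.311.20.2',            # v1 "Certificate Template Name"
    '1.3.6.1.4.1.311.21.7'             # v2 "Certificate Template Information"
)

function Get-EapTlsCandidateCertificates {
    # Candidate = private key present and EKU includes Client Authentication.
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
    }

    foreach ($cert in $candidates) {
        # Decode the template extension(s) so the two PKIs' certs can be told apart.
        $template = $cert.Extensions |
            Where-Object { $templateOids -contains $_.Oid.Value } |
            ForEach-Object { $_.Format($false) }

        # Build the chain to find the root CA the cert actually terminates at.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline-friendly for this check
        $built = $chain.Build($cert)
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotBefore      = $cert.NotBefore
            NotAfter       = $cert.NotAfter
            Thumbprint     = $cert.Thumbprint
            Template       = ($template -join '; ')
            ChainBuilds    = $built
            RootSubject    = $root.Subject
            RootThumbprint = $root.Thumbprint
        }
    }
}

# Usage: run in an elevated prompt on the affected Windows 7 client.
Get-EapTlsCandidateCertificates | Sort-Object NotBefore | Format-List
```

Run this before and after the computer v1 certificate auto-enrolls and compare the output. If two entries appear with different RootThumbprint values, only the one chaining to the CA installed on the Cisco ACS can authenticate; comparing that root thumbprint against the CA cert loaded on the ACS confirms which of the two certificates the RADIUS server can validate. The `-RevocationMode NoCheck` setting is there so the chain still builds when the client cannot reach a CRL distribution point while it is off the wireless network; drop it when revocation checking is part of what you want to test.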

