We would like to switch from PEAP-MSCHAP to EAP-TLS for wireless for two reasons.
The first reason is to eliminate dealing with expired passwords and troubleshooting wireless disconnections and account lockouts every time users' passwords expire.
The second reason is to have more control over which non-domain devices can be used to connect to our wireless network. We do not want to waste time trying to limit by MAC addresses, which can easily be spoofed. Though MAC filtering may work 90% of the time, since most will not bother trying to spoof a MAC address to get their iPhone or personal laptop online, it will be super labor-intensive to keep track of MAC addresses.
However, just like a user can enter their credentials for PEAP into multiple devices, is there anything that can be done to prevent device certificates, given to a user to install on a specific approved device, from being copied to multiple devices?
If the certificate is downloaded from a web page, emailed, or copied from a thumb drive, the user can make extra copies of the machine certificate and put it on rogue devices.
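The following is an added example and not part of the original post. It addresses the copying concern from the practitioner's side: a certificate file (a .pfx) that is handed to a user always contains the private key and can be imported anywhere, so the key has to be generated on the approved device itself, marked non-exportable, and ideally held in the device's TPM. The first function audits the machine store for certificates whose private key could be carried off; the second shows a certreq .inf that requests such a key. The hostname `laptop01.corp.example` and the template name `WirelessDevice` are assumed values, not from the post.

```powershell
# Added example (not from the original post). Audits the local machine certificate
# store for client-auth certificates whose private key could be copied to another
# device, and builds a certreq .inf that requests a TPM-bound, non-exportable key.
# Assumptions (hypothetical): hostname laptop01.corp.example, CA template "WirelessDevice".

function Get-DeviceCertKeyStatus {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_

        # Only certificates with the Client Authentication EKU (1.3.6.1.5.5.7.3.2)
        # are usable for 802.1X EAP-TLS.
        $hasClientAuth = $false
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($oid.Value -eq '1.3.6.1.5.5.7.3.2') { $hasClientAuth = $true }
                }
            }
        }

        # Ask the key storage provider where the key lives and whether it may be exported.
        # ECDSA keys are not inspected here (RSA is what most CA templates issue).
        $provider = 'unknown'; $policy = 'unknown'
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $provider = $rsa.Key.Provider.Provider      # "Microsoft Platform Crypto Provider" = TPM
            $policy   = $rsa.Key.ExportPolicy.ToString() # CngExportPolicies; "None" = not exportable
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $provider = $rsa.CspKeyContainerInfo.ProviderName   # legacy CAPI provider
            $policy   = if ($rsa.CspKeyContainerInfo.Exportable) { 'AllowExport' } else { 'None' }
        }

        $tpmBound = ($provider -eq 'Microsoft Platform Crypto Provider')

        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            ClientAuth   = $hasClientAuth
            Provider     = $provider
            ExportPolicy = $policy
            TpmBound     = $tpmBound
            # A key that is exportable, or that lives in a software provider (where a local
            # admin can read the DPAPI-protected key file), can end up on another device.
            Copyable     = ($policy -ne 'None') -or (-not $tpmBound)
        }
    }
}

# certreq .inf that generates the key pair inside the TPM and never allows export.
# Subject and CertificateTemplate are assumed values for this example.
$TpmDeviceInf = @'
[NewRequest]
Subject = "CN=laptop01.corp.example"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft Platform Crypto Provider"
KeyUsage = 0xA0
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
[RequestAttributes]
CertificateTemplate = WirelessDevice
'@

function New-TpmBoundCsr {
    param(
        [string]$InfPath = (Join-Path $env:TEMP 'device.inf'),
        [string]$CsrPath = (Join-Path $env:TEMP 'device.req')
    )
    Set-Content -Path $InfPath -Value $TpmDeviceInf -Encoding ASCII
    # The private key is created in the TPM; only the CSR leaves the device.
    # Fails on a machine without a TPM, which is the desired outcome here.
    certreq.exe -new $InfPath $CsrPath
    if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }
    Get-Content -Path $CsrPath -Raw
}

# Usage: list the EAP-TLS-capable certificates and flag the ones a user could copy.
Get-DeviceCertKeyStatus | Where-Object ClientAuth |
    Format-Table Subject, Provider, ExportPolicy, TpmBound, Copyable -AutoSize
```

Two caveats belong with this. `Exportable = FALSE` is a property of the key container enforced by the key storage provider, not of the certificate, so it only helps when the key is generated on the device (certreq, or autoenrollment against a template with "Allow private key to be exported" unchecked and the Platform Crypto Provider selected on the Cryptography tab); a .pfx delivered by web page, e-mail or thumb drive already contains the private key and can be imported on any device. And a non-exportable key in the software provider still sits in a DPAPI-protected file that a local administrator can recover, which is why the audit only reports `Copyable = False` for TPM-bound keys.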