We are attempting to get EAP-TLS authentication working for wireless devices on our network. We have the following infrastructure in place.
Cisco 1252AG Lightweight APs
Cisco 4402 Wireless LAN Controller
Cisco Secure ACS 5.2
Windows 2003 level Active Directory
We are trying to keep all our servers running Windows 2008 R2. We are trying to support Win XP, Win 7, iOS, and Android wireless clients. Our goal is to use AD Username and Password along with a certificate installed on the clients. This would give us the ability to revoke a certificate if a laptop, tablet, phone, etc. is lost or stolen. It also protects us against users not protecting their passwords properly.
We DO NOT have Domain Admins or Enterprise Admins permissions for Active Directory, as we are a subsidiary company and our parent has control of AD. We have been told the only way to do this was to use NPS on one of our Win 2008 R2 servers, but we do not have sufficient permissions to set this up. Our parent company is still over a year away from being able to provide this for us, but we need to move forward with our projects now. Do we really need NPS to process the policies for wireless logins, or can we use the policy enforcement built into ACS? Is there another way we could pull this off without increasing the administrative burden after implementation too much and still be able to disable a lost or stolen portable device?
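The lost-device goal above rests on one mechanism: the RADIUS server that terminates EAP-TLS (whichever product ends up in that role) must check the issuing CA's revocation data (CRL or OCSP) when it validates the client certificate. Revoking a certificate at the CA changes nothing on its own until the authenticator consults that data. The script below is an added example and is not part of the original post; it builds a throwaway lab CA with OpenSSL, issues certificates for two hypothetical devices (laptop-01 and tablet-02), revokes one, publishes a CRL, and runs the same certificate-plus-CRL check a RADIUS server performs. The CA name, device names and file layout are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a disposable lab CA used to show
# what "revoke the lost device's certificate" means at the EAP-TLS level.
# All names (Lab Wireless CA, laptop-01, tablet-02) are hypothetical.
set -e
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

LAB=$(mktemp -d)

build_lab_ca() {
    # One config file serves both `openssl req` (root cert) and `openssl ca`
    # (revocation database and CRL issuance).
    cat > "$LAB/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = lab
[ lab ]
database = $LAB/index.txt
crlnumber = $LAB/crlnumber
certificate = $LAB/ca.crt
private_key = $LAB/ca.key
default_md = sha256
default_crl_days = 30
EOF
    : > "$LAB/index.txt"
    echo 01 > "$LAB/crlnumber"
    openssl req -config "$LAB/ca.cnf" -x509 -newkey rsa:2048 -nodes \
        -keyout "$LAB/ca.key" -out "$LAB/ca.crt" -days 3650 \
        -subj "/CN=Lab Wireless CA" >/dev/null 2>&1
}

# Issue a device certificate; $1 is the device name used as the CN.
issue_device_cert() {
    openssl req -config "$LAB/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$LAB/$1.key" -out "$LAB/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
    openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/ca.crt" -CAkey "$LAB/ca.key" \
        -CAcreateserial -out "$LAB/$1.crt" -days 365 >/dev/null 2>&1
}

# Publish the current CRL (empty until something is revoked).
publish_crl() {
    openssl ca -config "$LAB/ca.cnf" -gencrl -out "$LAB/ca.crl" >/dev/null 2>&1
}

# Mark one device certificate revoked in the CA database, then republish.
revoke_device() {
    openssl ca -config "$LAB/ca.cnf" -revoke "$LAB/$1.crt" >/dev/null 2>&1
    publish_crl
}

# The check a RADIUS server makes on the EAP-TLS client certificate when
# CRL checking is enabled: chain to the CA AND not listed in the CRL.
# Prints "ok" or "revoked".
check_device() {
    if openssl verify -CAfile "$LAB/ca.crt" -crl_check -CRLfile "$LAB/ca.crl" \
        "$LAB/$1.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo revoked
    fi
}

build_lab_ca
issue_device_cert laptop-01
issue_device_cert tablet-02
publish_crl
echo "before revocation: laptop-01=$(check_device laptop-01) tablet-02=$(check_device tablet-02)"

# laptop-01 is reported lost: revoke only its certificate.
revoke_device laptop-01
echo "after revocation:  laptop-01=$(check_device laptop-01) tablet-02=$(check_device tablet-02)"
```

The point to take from the run is that revocation is per certificate, so a lost laptop can be cut off without touching the other devices or the user's AD account, but only if the authenticating server actually fetches and honours the CRL; with `-crl_check` omitted from the verify call the revoked certificate still validates, which is exactly the failure mode to test for after the RADIUS side is configured.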