Deploying Secure 802.11 Wireless Networks with Microsoft Windows
Using Third-Party CAs for Wireless Authentication
You can use third-party CAs to issue certificates for wireless access as long as the certificates installed can be validated and have the appropriate properties.
Certificates on IAS Servers
For the computer certificates installed on the IAS servers, the following must be true:
They must be installed in the Local Computer certificate store.
They must have a corresponding private key. When you view the properties of the certificate, you should see the text You Have a Private Key That Corresponds To This Certificate on the General tab.
The cryptographic service provider for the certificates must support SChannel (Secure Channel). If not, the IAS server cannot use the certificate and it is not selectable from the properties of the Smart Card Or Other Certificate EAP type from the Authentication tab on the properties of a profile for a remote access policy.
They must contain the Server Authentication EKU. The OID for Server Authentication is 1.3.6.1.5.5.7.3.1.
They must contain the FQDN of the computer account of the IAS server computer in the Subject Alternative Name field.
Additionally, the root CA certificates for the issuing CAs of the wireless client computer and user certificates must be installed in the Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates folder.
Certificates on Wireless Client Computers
For the user and computer certificates installed on wireless client computers, the following must be true:
They must have a corresponding private key.
They must contain the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).
Computer certificates must be installed in the Local Computer certificate store.
Computer certificates must contain the FQDN of the wireless client computer account in the Subject Alternative Name field.
User certificates must be installed in the Current User certificate store.
User certificates must contain the UPN of the user account in the Subject Alternative Name field.
Additionally, the root CA certificates of the issuing CAs of the IAS server computer certificates must be installed in the Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates folder.