cappalli, what if the domain user is logging in from another computer? Do you mean to say the certificate of every single user is stored in the user store on EVERY SINGLE MACHINE IN THE DOMAIN?

In practice, it is worse than that...  Typically user certificates are only distributed via group policy when that user logs in successfully via a wired computer.  The user would have had to login to a wired computer to even have the certificate distributed to the user's profile before using it wirelessly.  That is why many secure environments only have wireless eap-tls with machine certificates and machine-only wireless authentication...  Having a multi-user device with wireless user certificates is a headache to provision in practice for multiple user.

Thank you cjoseph but that doesn't answer the question.

cappalli I'm still confused. If by simply logging into the domain with his username and password he will get a certificate, then what's the point of a user certificate? Isn't the whole idea of a user certificate to authenticate the user?