Hi folks,
I'm working with a customer at the moment who is merging two separate networks with separate Active Directory infrastructures and legacy Aruba networks. We are deploying a new centralised infrastructure with CPPM for authentication. However, both AD domains are remaining separate with no trust relationship configured and completely separate PKIs. At the moment, clients in both networks are using EAP-TLS with certificate auto-enrollment configured. Moving forward, we would like to continue with EAP-TLS if possible, but EAP-PEAP is a fallback option.
The obvious solution is to push out the self-signed CPPM server cert to all the clients and use EAP-PEAP. Is there a relatively straightforward way of setting this up which would still allow us to use EAP-TLS and certificate auto-enrollment? Could CPPM be the root CA, trusted by the PKI in each domain, for example?
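Added example (not part of the original post, and not CPPM code): the EAP-TLS question above comes down to what the RADIUS server's trust list does when it holds two unrelated roots. The Go program below, using only the standard library's crypto/x509, builds two throwaway self-signed roots standing in for the two domain PKIs (names "CORP-A Root CA", "CORP-B Root CA" and the UPNs are constructed test data), issues client-auth certificates from each as auto-enrollment would, and runs the same chain check a RADIUS server performs: a certificate chaining to either root is accepted, one from an unrelated CA is rejected, and no cross-trust between the two PKIs is needed. It also shows the caveat a practitioner would want: with two roots in the trust list, each root must only be allowed to vouch for its own domain's identities, otherwise domain B's CA could issue a certificate naming a domain A user. The root-to-domain mapping (`authorizeUser`) is a hypothetical policy for illustration; how CPPM expresses that is not shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ca is one domain's root: self-signed certificate plus signing key.
// The two PKIs stay fully independent; nothing cross-signs anything.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newRootCA generates a throwaway self-signed root (constructed test data, not a real PKI).
func newRootCA(cn string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &ca{cert: cert, key: key}, nil
}

// issueClientCert stands in for auto-enrollment: the domain CA issues a
// client-authentication certificate whose subject CN carries the user's UPN.
func issueClientCert(issuer *ca, upn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: upn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer.cert, &key.PublicKey, issuer.key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// acceptForEAPTLS models the RADIUS server's EAP-TLS trust decision: the supplicant
// certificate must chain to one of the roots in the trust list and be valid for
// client authentication. It returns the CN of the root the chain ended at.
func acceptForEAPTLS(trusted []*x509.Certificate, client *x509.Certificate) (string, error) {
	pool := x509.NewCertPool()
	for _, c := range trusted { pool.AddCert(c) }
	chains, err := client.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil { return "", err }
	chain := chains[0]
	return chain[len(chain)-1].Subject.CommonName, nil
}

// authorizeUser is the step the trust list alone does not give you: each root may
// only assert identities in its own domain. rootDomains maps root CN to the UPN
// suffix it is allowed to vouch for (hypothetical policy, not a CPPM feature).
func authorizeUser(rootCN, upn string, rootDomains map[string]string) error {
	domain, ok := rootDomains[rootCN]
	if !ok { return fmt.Errorf("root %q is not mapped to any domain", rootCN) }
	if !strings.HasSuffix(strings.ToLower(upn), "@"+domain) {
		return fmt.Errorf("root %q may not assert identity %q", rootCN, upn)
	}
	return nil
}

func main() {
	a, _ := newRootCA("CORP-A Root CA")
	b, _ := newRootCA("CORP-B Root CA")
	rogue, _ := newRootCA("Rogue Root CA")
	trusted := []*x509.Certificate{a.cert, b.cert}
	rootDomains := map[string]string{"CORP-A Root CA": "corp-a.example", "CORP-B Root CA": "corp-b.example"}

	alice, _ := issueClientCert(a, "alice@corp-a.example")
	bob, _ := issueClientCert(b, "bob@corp-b.example")
	mallory, _ := issueClientCert(rogue, "mallory@corp-a.example") // untrusted CA
	fakeAlice, _ := issueClientCert(b, "alice@corp-a.example")     // B's CA naming an A user

	for _, c := range []*x509.Certificate{alice, bob, mallory, fakeAlice} {
		root, err := acceptForEAPTLS(trusted, c)
		if err != nil { fmt.Printf("%-22s REJECT (chain): %v\n", c.Subject.CommonName, err); continue }
		if err := authorizeUser(root, c.Subject.CommonName, rootDomains); err != nil {
			fmt.Printf("%-22s REJECT (authz): %v\n", c.Subject.CommonName, err); continue
		}
		fmt.Printf("%-22s ACCEPT via %s\n", c.Subject.CommonName, root)
	}
}
```

Running it shows alice and bob accepted via their own roots, mallory rejected at the chain step, and the B-issued "alice" rejected only at the authorization step, which is the case a two-root trust list on its own would let through. Moving either root into the other domain's PKI is never required for this to work.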