We have a deployment with a very tight budget, so I had to fall back to using NPS under Windows Server 2012 for the RADIUS service.
I have configured EAP-TLS using the Microsoft Certificate Auto-enrolment service/domain-based CA, and BYOD utilises a certificate from a public CA.
The NPS rules are as follows:
1. EAP-TLS\domain computer cert = machine auth role
2. EAP-TLS\staff cert = staff role
3. EAP-TLS\contractor cert = contractor role
4. PEAP\staff AD account = staff BYOD role
5. PEAP\contractor AD account = contractor BYOD role
The issue I am having is that staff members and contractors using their personal laptops (which therefore don't have a user certificate issued by the Microsoft Certificate Auto-enrolment service) are being incorrectly assigned a staff/contractor role rather than a staff BYOD/contractor BYOD role.
Has anybody seen this issue?
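NPS evaluates network policies top-down in processing order and applies the first policy whose conditions all match, so the first thing to check with a policy set like the one above is the exact order and conditions of each policy as NPS actually stores them, rather than as they appear in the MMC. The following PowerShell script is an added example, not code from the original post: it exports the NPS configuration with the Server 2012 NPS module and prints every network policy in processing order with its conditions. The export XML element names it walks (NetworkPolicy, Processing_Order, Policy_Enabled, msNPConstraint, the name attribute) and the temporary file path are assumptions based on the NPS/IAS export format and should be verified against a real export.

```powershell
# Added example (not from the original post): list NPS network policies in
# processing order with their match conditions, so you can see which policy
# a PEAP or EAP-TLS request from a given user would hit first.
# Assumes Windows Server 2012 with the NPS PowerShell module.
# The XML element/attribute names below are assumed from the NPS export
# format; confirm them against your own export before relying on the output.

$exportPath = Join-Path $env:TEMP 'nps-export.xml'   # hypothetical temp path

# Export the full NPS configuration (this includes RADIUS shared secrets,
# so the file is deleted again at the end).
Export-NpsConfiguration -Path $exportPath
try {
    [xml]$nps = Get-Content -Path $exportPath -Raw

    # Each child of <NetworkPolicy><Children> is one policy; its settings
    # live in a <Properties> block. Processing_Order is the position NPS
    # uses for first-match evaluation; msNPConstraint holds the conditions.
    $policies = $nps.SelectNodes('//NetworkPolicy/Children/*') | ForEach-Object {
        $p = $_.Properties
        $name = if ($_.HasAttribute('name')) { $_.GetAttribute('name') } else { $_.LocalName }
        [pscustomobject]@{
            Order      = [int]$p.Processing_Order.'#text'
            Enabled    = ([int]$p.Policy_Enabled.'#text' -eq 1)
            Name       = $name
            Conditions = @($p.msNPConstraint | ForEach-Object { $_.'#text' })
        }
    } | Sort-Object Order

    foreach ($pol in $policies) {
        $state = if ($pol.Enabled) { 'enabled' } else { 'DISABLED' }
        Write-Output ('{0,7}  {1,-45} {2}' -f $pol.Order, $pol.Name, $state)
        foreach ($c in $pol.Conditions) {
            Write-Output ("         $c")
        }
    }
}
finally {
    # Never leave an export containing shared secrets lying around.
    Remove-Item -Path $exportPath -ErrorAction SilentlyContinue
}
```

Read the output from the top down, as NPS does: for a PEAP request from a user in the staff group, the policy that wins is the first one in that list whose conditions are all satisfied by the request. If a policy intended for certificate users has no condition that distinguishes it from the PEAP policy further down (for example only a group-membership condition), that is where to look, and the NPS event log (Event ID 6272/6273 in the Security log on Server 2012) records which policy was actually matched for each request.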