I'll go into some detail, but I feel this would apply to several other setups.
Setups where EAP-PEAP is working and doing its thing, but where the end customer is asking for a higher level of security.
Resources are a bit of this and a bit of that really.
Some are internal servers with web based and non-web based access.
Some are cloud services (Office 365 etc.).
In this specific case there is a web proxy which we hope to integrate with ClearPass as well.
As a general point of view here, what I'm looking to do is role-based access.
If a group or combination of groups in AD (or Intune attributes etc.) equals something, then give "Tips role so-and-so".
Based on this I return a role to the aruba controller which holds an ACL and VLAN.
This role can be a student class (1st to 10th grade), teacher or municipality employee in various positions (each with a different role).
The role we hope to bring into the web proxy as well.
The end goal being that CPPM is the master of roles, where the wireless controller, firewall and web proxy use the "Tips role" to grant and deny access to resources (IPs, subnets, URLs or web categories, for example).
In this specific case they do very little of these kind of things currently, but are very keen on implementing CPPM as the heart of the network.
Doing all this with EAP-PEAP isn't straightforward, but we're talking about "if statements" with "if so then so" along with integrations to the firewall and web proxy (a story of its own..).
When it comes to the original topic, I was hoping, as part of the added security focus, to switch to EAP-TLS.
However, as mentioned, during the test process I see that the certificate request for the user happens too late in the process, in a way.
By that I mean that the machines authenticate fine, as they were installed with a LAN cable attached, so the GPO ran and the machine requested a certificate, which it authenticates fine with.
The user logs on to Windows and during the logon process (apparently before requesting a user cert) Windows re-authenticates to the wireless network, but can't, since the user hasn't requested/gotten a certificate yet.
So the solution here would have been an option to delay the user auth to the wireless network until a certificate has been downloaded with whatever role the machine auth gave, but I don't know of such an option unfortunately.
The no-go option is to connect a cable each time a new user needs to log on to a PC...
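As an added example (this is not the poster's code, nor an Aruba or ClearPass tool), the following PowerShell script checks on a client whether the situation described above is present: a usable machine certificate in the machine store but no usable user certificate in the logged-on user's store. It assumes certificates come from an AD CS CA via GPO autoenrollment, treats "usable for EAP-TLS" as having a private key, being within its validity period and carrying the Client Authentication EKU (1.3.6.1.5.5.7.3.2), and the `-IssuerMatch` and `-Pulse` parameters are hypothetical names chosen for this example.

```powershell
# Added example, not from the original post.
# Checks the two stores EAP-TLS draws from and reports which side lacks a
# usable certificate. Assumes AD CS autoenrollment via GPO; parameter names
# are hypothetical. Run elevated for a reliable view of the machine store.
param(
    [string]$IssuerMatch = "",   # hypothetical: substring of the expected CA name; "" = any issuer
    [switch]$Pulse               # hypothetical: ask autoenrollment to run now if the user cert is missing
)

$ClientAuthOid = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth, what an EAP-TLS supplicant needs
$now = Get-Date

function Get-EapTlsCert {
    param([string]$StorePath)          # e.g. Cert:\LocalMachine\My or Cert:\CurrentUser\My
    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotBefore -le $now -and
            $_.NotAfter -gt $now -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid }) -and
            ($IssuerMatch -eq "" -or $_.Issuer -like "*$IssuerMatch*")
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1           # newest usable certificate, if any
}

$machineCert = Get-EapTlsCert -StorePath "Cert:\LocalMachine\My"
$userCert    = Get-EapTlsCert -StorePath "Cert:\CurrentUser\My"

if ($machineCert) {
    Write-Host ("Machine cert OK : {0} (expires {1:yyyy-MM-dd})" -f $machineCert.Subject, $machineCert.NotAfter)
} else {
    Write-Warning "No usable machine certificate in LocalMachine\My; machine EAP-TLS auth will fail."
}

if ($userCert) {
    Write-Host ("User cert OK    : {0} (expires {1:yyyy-MM-dd})" -f $userCert.Subject, $userCert.NotAfter)
} else {
    Write-Warning "No usable user certificate in CurrentUser\My; user EAP-TLS auth at logon will fail."
    if ($Pulse) {
        # certutil -pulse triggers the autoenrollment task immediately. It still
        # needs to reach the CA, so it only helps while the machine-auth role
        # (or a wired connection) allows that traffic.
        certutil -pulse | Out-Null
        Write-Host "Autoenrollment pulsed; re-run this check after the enrollment completes."
    }
}
```

Run it as the user who cannot get onto the wireless network after logon; the expected output for the case in the post is "Machine cert OK" followed by the user-store warning, which confirms the gap is enrollment timing rather than the RADIUS policy. The `-IssuerMatch` filter matters when the store also holds certificates from other CAs, since a client-auth certificate the NAS or ClearPass does not trust would otherwise count as "usable".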